On 04/30/2014 02:44 PM, Jakub Hrozek wrote:
> On Wed, Apr 30, 2014 at 11:05:52AM +0200, Tomas Babej wrote:
>> On 03/24/2014 03:27 PM, Jan Pazdziora wrote:
>>> On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote:
>>>> On 03/24/2014 02:47 PM, Jan Pazdziora wrote:
>>>>> On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Makes ipa-client-install configure SSSD as the data provider
>>>>>> for the sudo service by default. This behaviour can be disabled
>>>>>> by using --no-sudo flag.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3358
>>>>> Ack.
>>>>>
>>>>> Applied against ipa-client-3.0.0-37.el6.x86_64, tried without
>>>>> --no-sudo and sudo was added to sssd.conf's services list and sudoers
>>>>> added to /etc/nsswitch.conf.
>>>>>
>>>>> Rerun with --uninstall and run again with the --no-sudo parameter,
>>>>> those settings were no longer there.
>>>>>
>>>> Did you also do the functional test?
>>> No. I do not want to get dragged into the discussion of having the
>>> correct sssd and sudo and glibc versions and SELinux and stuff. The
>>> ticket explicitly talks about setting configuration in config files,
>>> which the patch does.
>>>
>>>> To ack and push this ticket, the following
>>>> scenario needs to work:
>>> Consumption of those configuration changes is really a different story,
>>> isn't it?
>>>
>>>> 1) IPA clients enroll against IPA server without --no-sudo
>>>> 2) IPA client user logs in, types "sudo -l", gets all allowed commands
>>>> (prerequisite is of course to have sudo commands defined on the IPA server)
>>>> 3) IPA client reboots, IPA client user logs in, types "sudo -l", gets all
>>>> allowed commands
>>>>
>>>> For 2) to work, NIS domain name must be set, nsswitch and SSSD changes
>>>> must be done
>>>>
>>>> For 3) to work, related systemd service preserving NIS domain name setting
>>>> needs to be enabled
>>> With the commit message only talking about configuring sssd, I assume
>>> the NIS domain name mentioned in the ticket will be done by some other
>>> patch.
>>>
>>> To me, the patch does what is advertised in the commit message, and is
>>> in line with what the ticket asks to be done.
>>>
>> Attached are rebased versions of the patches 113 and 167 (which was
>> marked as 157 in the thread previously by mistake).
>>
>> There is a slight behaviour change in 167: if there is no sudoers line
>> in nsswitch.conf, we add both files and sss as sudoers sources.
>>
>> I also developed a CI test that covers the functionality of the IPA - sudo
>> integration feature, which is attached.
>>
>> Please note that the last three tests are expected to fail until:
>>
>> https://fedorahosted.org/freeipa/ticket/4324
>>
>> is fixed.
>>
>> --
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
> Hi,
>
> I haven't done a thorough review, but the patch looks good to me in
> general -- in other words, it seems to cover what I've been doing manually
> for my test setups.
>
> My only suggestion (maybe for future) would be to split changing the
> nsswitch.conf into its own separate helper class or a function, because
> you might want to do the same change for automount or other services in
> nsswitch.conf.
>
> But I think this version is OK at the moment.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
I created a rather general function for editing the nsswitch.conf as requested.
Updated patch attached.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
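An added example (my own code, not the attached patch or FreeIPA's) of the kind of general nsswitch.conf helper discussed in this thread. It keeps the patch's argument names but works on the file's text so it can be exercised offline, and it skips services that are already listed, so running it twice on a re-enrolled client does not produce `sudoers: files sss sss`. The sample nsswitch.conf content is constructed.

```python
import re


def configure_nsswitch_database(text, database, services, preserve=True,
                                append=True, default_value=None):
    """Return nsswitch.conf contents with `database` resolved via `services`.

    preserve=True keeps the services already configured for the database
    and appends (append=True) or prepends the new ones; when the database
    line is absent, `default_value` (e.g. ['files']) is the starting list.
    A service that is already listed is never added twice, so calling this
    repeatedly is safe. Trailing '#' comments and action tokens such as
    [NOTFOUND=return] are kept as they are.
    """
    line_re = re.compile(r'^[ \t]*' + re.escape(database) + r'[ \t]*:(.*)$',
                         re.MULTILINE)
    match = line_re.search(text)
    if match:
        entry, _, comment = match.group(1).partition('#')
        current = entry.split()
    else:
        current, comment = list(default_value or []), ''

    if preserve:
        extra = [s for s in services if s not in current]  # idempotent
        new = current + extra if append else extra + current
    else:
        new = list(services)

    new_line = '%s: %s' % (database, ' '.join(new))
    if comment:
        new_line += ' #' + comment
    if match:
        return text[:match.start()] + new_line + text[match.end():]
    # Database not mentioned yet: add it as a new line at the end.
    if text and not text.endswith('\n'):
        text += '\n'
    return text + new_line + '\n'


# Constructed sample of a client's nsswitch.conf before enrollment.
SAMPLE_NSSWITCH = (
    "passwd:     files sss\n"
    "group:      files sss\n"
    "hosts:      files dns\n"
)

if __name__ == '__main__':
    # The same call the patch makes for sudo: add 'sss', defaulting to 'files'.
    print(configure_nsswitch_database(SAMPLE_NSSWITCH, 'sudoers', ['sss'],
                                      default_value=['files']))
```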
>From d10cf78796e64b68bc59d645d70b6ec2dfff5785 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tomasba...@gmail.com> Date: Thu, 21 Nov 2013 13:09:28 +0100 Subject: [PATCH] ipa-client-install: Configure sudo to use SSSD as data source Makes ipa-client-install configure SSSD as the data provider for the sudo service by default. This behaviour can be disabled by using --no-sudo flag. https://fedorahosted.org/freeipa/ticket/3358 --- ipa-client/ipa-install/ipa-client-install | 84 ++++++++++++++++++++++++++++++- ipa-client/man/ipa-client-install.1 | 3 ++ 2 files changed, 86 insertions(+), 1 deletion(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 5fdd51520ba667f240239077a80e328877c99cd7..6fd64d0d940be97ea2d443fe01a4aebe3ce3d661 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -72,6 +72,8 @@ SSH_KNOWNHOSTSFILE = '/var/lib/sss/pubconf/known_hosts' client_nss_nickname_format = 'IPA Machine Certificate - %s' +NSSWITCH_CONF = '/etc/nsswitch.conf' + def parse_options(): def validate_ca_cert_file_option(option, opt, value, parser): if not os.path.exists(value): @@ -137,6 +139,9 @@ def parse_options(): help="do not configure OpenSSH client") basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false", help="do not configure OpenSSH server") + basic_group.add_option("--no-sudo", dest="conf_sudo", default=True, + action="store_false", + help="do not configure SSSD as data source for sudo") basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false", help="do not automatically create DNS SSHFP records") basic_group.add_option("--noac", dest="no_ac", default=False, action="store_true", 
@@ -352,6 +357,69 @@ def is_ipa_client_installed(on_master=False): return installed +def configure_nsswitch_database(fstore, database, services, preserve=True, + append=True, default_value=None): + """ + Edits the specified nsswitch.conf database (e.g. passwd, group, sudoers) + to use the specified service(s). + + Arguments: + fstore - FileStore to backup the nsswitch.conf + database - database configuration that should be ammended, e.g 'sudoers' + service - list of services that should be added, e.g. ['sss'] + preserve - if True, the already configured services will be preserved + + The next arguments modify the behaviour if preserve=True: + append - if True, the services will be appended, if False, prepended + default_value - list of services that are considered as default (if + the database is not mentioned in nsswitch.conf), e.g. + ['files'] + """ + + # Backup the original version of nsswitch.conf, we're going to edit it now + if not fstore.has_file(NSSWITCH_CONF): + fstore.backup_file(NSSWITCH_CONF) + + conf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") + conf.setOptionAssignment(':') + + if preserve: + # Read the existing configuration + with open('/etc/nsswitch.conf', 'r') as f: + opts = conf.parse(f) + raw_database_entry = conf.findOpts(opts, 'option', database)[1] + + if not raw_database_entry: + # If there is no database entry, database is not present in + # the nsswitch.conf. Set the list of services to the + # default list, if passed. 
+ configured_services = ' '.join(default_value or []) + else: + configured_services = raw_database_entry['value'].strip() + + if append: + new_services = ' ' + configured_services + ' ' + ' '.join(services) + else: + new_services = ' ' + ' '.join(services) + ' ' + configured_services + + else: + # Preserve not set, let's rewrite existing configuration + new_services = ' ' + ' '.join(services) + + # Set new services as sources for database + opts = [{'name': database, + 'type':'option', + 'action':'set', + 'value': new_services + }, + {'name':'empty', + 'type':'empty' + }] + + conf.changeConf(NSSWITCH_CONF, opts) + root_logger.info("Configured %s in %s" % (database, NSSWITCH_CONF)) + + def uninstall(options, env): if not is_ipa_client_installed(): @@ -1141,6 +1209,20 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie sssdconfig.activate_service('ssh') + if options.conf_sudo: + # Activate the service in the SSSD config + try: + sssdconfig.new_service('sudo') + except SSSDConfig.ServiceAlreadyExists: + pass + except SSSDConfig.ServiceNotRecognizedError: + root_logger.error("Unable to activate the SUDO service in " + "SSSD config.") + + sssdconfig.activate_service('sudo') + configure_nsswitch_database(fstore, 'sudoers', ['sss'], + default_value=['files']) + domain.add_provider('ipa', 'id') #add discovery domain if client domain different from server domain @@ -2265,7 +2347,7 @@ def install(options, env, fstore, statestore): # skip this step when run by ipa-server-install as it always configures # hostname if different from system hostname ipaservices.backup_and_replace_hostname(fstore, statestore, options.hostname) - + if not options.on_master: # Attempt to sync time with IPA server. # We assume that NTP servers are discoverable through SRV records in the DNS 
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 3694fca4a8ae61ccc7aa9e8585731d8a83d8ce26..279d66ad6848ac55037d1fd4e531e6854da54d7b 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -140,6 +140,9 @@ Do not configure OpenSSH client. \fB\-\-no\-sshd\fR Do not configure OpenSSH server. .TP +\fB\-\-no\-sudo\fR +Do not configure SSSD as a data source for sudo. +.TP \fB\-\-no\-dns\-sshfp\fR Do not automatically create DNS SSHFP records. .TP -- 1.8.5.3
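Review bot: in the @@ -352,6 +357,69 @@ hunk, configure_nsswitch_database appends the service even when it is already listed, so in the preserve/append path a second ipa-client-install run, or a host whose sudoers line already reads `files sss`, ends up with `sudoers: files sss sss`; drop services already present in configured_services before building new_services. Two smaller points in the same hunk: the read uses a hard-coded '/etc/nsswitch.conf' instead of the NSSWITCH_CONF constant introduced above, and the docstring names the parameter `service` while the signature has `services` (and spells "amended" as "ammended").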
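Review bot: in the @@ -1141,6 +1209,20 @@ hunk, SSSDConfig.ServiceNotRecognizedError is logged but execution then falls through to sssdconfig.activate_service('sudo') and to configure_nsswitch_database(fstore, 'sudoers', ['sss'], ...), so an SSSD build that does not know the sudo responder still gets `sudoers: files sss` written into nsswitch.conf with nothing serving it; return or skip the rest of the block after the error, or make the nsswitch change conditional on the service having been activated.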
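Review bot: the @@ -2265,7 +2347,7 @@ hunk only strips trailing whitespace from a blank line in install(); it is unrelated to the sudo change and belongs in a separate cleanup commit or should be dropped.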
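Review bot: the man page entry for \-\-no\-sudo (and the matching --no-sudo help string in parse_options) describes only the SSSD side; since the option also controls the sudoers line written to /etc/nsswitch.conf, say so, so an admin knows what --no-sudo leaves untouched.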