Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig

2012-03-05 Thread Alexander Bokovoy
On Sat, 25 Feb 2012, Ondrej Hamada wrote:
 On 02/25/2012 08:30 PM, Alexander Bokovoy wrote:
 On Thu, 23 Feb 2012, Ondrej Hamada wrote:
 
 Option '--noac' was added. If set, the ipa-client-install will not call
 authconfig for setting nsswitch.conf and PAM configuration. In
 fact no configuration of nsswitch.conf or PAM would be done at
 all.
 
 https://fedorahosted.org/freeipa/ticket/2369
 NACK.
 
 According to the original request, authconfig will do
 nsswitch/PAM configuration *after* ipa-client-install run so the
 following check in ipa-client-install will fail with --noac:
 
 +#Check that nss is working properly
 +if not options.on_master:
 +n = 0
 +found = False
 +# Loop for up to 10 seconds to see if nss is working properly.
 +# It can sometimes take a few seconds to connect to the remote 
 provider.
 +# Particulary, SSSD might take longer than 6-8 seconds.
 +while n  10 and not found:
 +try:
 +ipautil.run([getent, passwd, admin])
 +found = True
 +except Exception, e:
 +time.sleep(1)
 +n = n + 1
 
 This check never happens with --noac. I've rechecked the indentation
 (I admit it's badly visible in the patch file) and it's ok.
OK then. ACK.

Please, someone commit this patch as my git trees are a bit in flux due
to trusts work and I'm deep in Samba 16-byte session key fixes right 
now.

-- 
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig

2012-03-05 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Sat, 25 Feb 2012, Ondrej Hamada wrote:

On 02/25/2012 08:30 PM, Alexander Bokovoy wrote:

On Thu, 23 Feb 2012, Ondrej Hamada wrote:


Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration. In
fact no configuration of nsswitch.conf or PAM would be done at
all.

https://fedorahosted.org/freeipa/ticket/2369

NACK.

According to the original request, authconfig will do
nsswitch/PAM configuration *after* ipa-client-install run so the
following check in ipa-client-install will fail with --noac:


+#Check that nss is working properly
+if not options.on_master:
+n = 0
+found = False
+# Loop for up to 10 seconds to see if nss is working properly.
+# It can sometimes take a few seconds to connect to the remote 
provider.
+# Particulary, SSSD might take longer than 6-8 seconds.
+while n   10 and not found:
+try:
+ipautil.run([getent, passwd, admin])
+found = True
+except Exception, e:
+time.sleep(1)
+n = n + 1



This check never happens with --noac. I've rechecked the indentation
(I admit it's badly visible in the patch file) and it's ok.

OK then. ACK.

Please, someone commit this patch as my git trees are a bit in flux due
to trusts work and I'm deep in Samba 16-byte session key fixes right
now.



Simo pushed this to master and ipa-2-2

I added --noac to the ipa-client-install man page and pushed that under 
the 1-liner rule.


rob



Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig

2012-03-05 Thread Simo Sorce
On Mon, 2012-03-05 at 16:04 +0200, Alexander Bokovoy wrote:
 On Sat, 25 Feb 2012, Ondrej Hamada wrote:
  On 02/25/2012 08:30 PM, Alexander Bokovoy wrote:
  On Thu, 23 Feb 2012, Ondrej Hamada wrote:
  
  Option '--noac' was added. If set, the ipa-client-install will not call
  authconfig for setting nsswitch.conf and PAM configuration. In
  fact no configuration of nsswitch.conf or PAM would be done at
  all.
  
  https://fedorahosted.org/freeipa/ticket/2369
  NACK.
  
  According to the original request, authconfig will do
  nsswitch/PAM configuration *after* ipa-client-install run so the
  following check in ipa-client-install will fail with --noac:
  
  +#Check that nss is working properly
  +if not options.on_master:
  +n = 0
  +found = False
  +# Loop for up to 10 seconds to see if nss is working 
  properly.
  +# It can sometimes take a few seconds to connect to the 
  remote provider.
  +# Particulary, SSSD might take longer than 6-8 seconds.
  +while n  10 and not found:
  +try:
  +ipautil.run([getent, passwd, admin])
  +found = True
  +except Exception, e:
  +time.sleep(1)
  +n = n + 1
  
  This check never happens with --noac. I've rechecked the indentation
  (I admit it's badly visible in the patch file) and it's ok.
 OK then. ACK.
 
 Please, someone commit this patch as my git trees are a bit in flux due
 to trusts work and I'm deep in Samba 16-byte session key fixes right 
 now.
 

Pushed to 2.2 and master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig

2012-02-25 Thread Alexander Bokovoy
On Thu, 23 Feb 2012, Ondrej Hamada wrote:

 Option '--noac' was added. If set, the ipa-client-install will not call
 authconfig for setting nsswitch.conf and PAM configuration. In
 fact no configuration of nsswitch.conf or PAM would be done at
 all.
 
 https://fedorahosted.org/freeipa/ticket/2369
NACK.

According to the original request, authconfig will do 
nsswitch/PAM configuration *after* ipa-client-install run so the 
following check in ipa-client-install will fail with --noac:

 +#Check that nss is working properly
 +if not options.on_master:
 +n = 0
 +found = False
 +# Loop for up to 10 seconds to see if nss is working properly.
 +# It can sometimes take a few seconds to connect to the remote 
 provider.
 +# Particulary, SSSD might take longer than 6-8 seconds.
 +while n  10 and not found:
 +try:
 +ipautil.run([getent, passwd, admin])
 +found = True
 +except Exception, e:
 +time.sleep(1)
 +n = n + 1
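
Review bot: the 'except Exception, e:' in the retry loop catches every error from ipautil.run and never uses e, so a failure that has nothing to do with NSS start-up (for example getent not being runnable at all) is retried for the full 10 seconds and its cause is lost. Suggest catching only the error ipautil.run raises for a failed command and logging e at debug level on each attempt. The comment about the SSSD delay also has a typo, 'Particulary'.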


-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig

2012-02-25 Thread Ondrej Hamada

On 02/25/2012 08:30 PM, Alexander Bokovoy wrote:

On Thu, 23 Feb 2012, Ondrej Hamada wrote:


Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration. In
fact no configuration of nsswitch.conf or PAM would be done at
all.

https://fedorahosted.org/freeipa/ticket/2369

NACK.

According to the original request, authconfig will do
nsswitch/PAM configuration *after* ipa-client-install run so the
following check in ipa-client-install will fail with --noac:


+#Check that nss is working properly
+if not options.on_master:
+n = 0
+found = False
+# Loop for up to 10 seconds to see if nss is working properly.
+# It can sometimes take a few seconds to connect to the remote 
provider.
+# Particulary, SSSD might take longer than 6-8 seconds.
+while n  10 and not found:
+try:
+ipautil.run([getent, passwd, admin])
+found = True
+except Exception, e:
+time.sleep(1)
+n = n + 1


This check never happens with --noac. I've rechecked the indentation (I 
admit it's badly visible in the patch file) and it's ok.


--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada



[Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig

2012-02-23 Thread Ondrej Hamada

Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration. In
fact no configuration of nsswitch.conf or PAM would be done at
all.

https://fedorahosted.org/freeipa/ticket/2369

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 10bf87ef215642d5899da50f7b74f11b791e6a23 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 23 Feb 2012 17:24:46 +0100
Subject: [PATCH] ipa-client-install not calling authconfig

Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration.

https://fedorahosted.org/freeipa/ticket/2369
---
 ipa-client/ipa-install/ipa-client-install |  126 +++--
 1 files changed, 65 insertions(+), 61 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index f5c1efe0686020ce7cad79edfe19908ee3a55a30..36493e0b42de8230e6e8604f292284364885affd 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -90,6 +90,8 @@ def parse_options():
   help=do not configure OpenSSH server)
 basic_group.add_option(--no-dns-sshfp, dest=create_sshfp, default=True, action=store_false,
   help=do not automatically create DNS SSHFP records)
+basic_group.add_option(--noac, dest=no_ac, default=False, action=store_true,
+  help=do not use Authconfig to modify the nsswitch.conf and PAM configuration)
 basic_group.add_option(-f, --force, dest=force, action=store_true,
   default=False, help=force setting of LDAP/Kerberos conf)
 basic_group.add_option(-d, --debug, dest=debug, action=store_true,
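
Review bot: the new --noac option in parse_options() is documented only by its help string, and the diffstat lists ipa-client-install as the one file changed, so the man page is left without the option; please add the man page entry in the same patch. The spelling also departs from the hyphenated style of the neighbouring --no-dns-sshfp; unless the ticket requires this exact name, --no-ac would match both that style and dest=no_ac.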
@@ -1368,75 +1370,77 @@ def install(options, env, fstore, statestore):
 root_logger.info(%s daemon is not installed, skip configuration % (nscd.service_name))
 
 retcode, conf, filename = (0, None, None)
-# Modify nsswitch/pam stack
-auth_config = ipaservices.authconfig()
-if options.sssd:
-statestore.backup_state('authconfig', 'sssd', True)
-statestore.backup_state('authconfig', 'sssdauth', True)
-auth_config.enable(sssd).\
-enable(sssdauth)
-message = SSSD enabled
-conf = 'SSSD'
-else:
-statestore.backup_state('authconfig', 'ldap', True)
-auth_config.enable(ldap).\
-enable(forcelegacy)
-message = LDAP enabled
 
-if options.mkhomedir:
-statestore.backup_state('authconfig', 'mkhomedir', True)
-auth_config.enable(mkhomedir)
+if not options.no_ac:
+# Modify nsswitch/pam stack
+auth_config = ipaservices.authconfig()
+if options.sssd:
+statestore.backup_state('authconfig', 'sssd', True)
+statestore.backup_state('authconfig', 'sssdauth', True)
+auth_config.enable(sssd).\
+enable(sssdauth)
+message = SSSD enabled
+conf = 'SSSD'
+else:
+statestore.backup_state('authconfig', 'ldap', True)
+auth_config.enable(ldap).\
+enable(forcelegacy)
+message = LDAP enabled
 
-auth_config.add_option(update)
-auth_config.execute()
-print message
+if options.mkhomedir:
+statestore.backup_state('authconfig', 'mkhomedir', True)
+auth_config.enable(mkhomedir)
 
-if not options.sssd:
-#Modify pam to add pam_krb5 only when sssd is not in use
-auth_config.reset()
-statestore.backup_state('authconfig', 'krb5', True)
-auth_config.enable(krb5).\
-add_option(update).\
-add_option(nostart)
+auth_config.add_option(update)
 auth_config.execute()
-print Kerberos 5 enabled
+print message
 
-# Update non-SSSD LDAP configuration after authconfig calls as it would
-# change its configuration otherways
-if not options.sssd:
-for configurer in [configure_ldap_conf, configure_nslcd_conf]:
-(retcode, conf, filename) = configurer(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, nosssd_files[configurer.__name__])
-if retcode:
-return CLIENT_INSTALL_ERROR
-if conf:
-print %s configured using configuration file(s) %s % (conf, filename)
+if not options.sssd:
+#Modify pam to add pam_krb5 only when sssd is not in use
+auth_config.reset()
+statestore.backup_state('authconfig', 'krb5', True)
+auth_config.enable(krb5).\
+add_option(update).\
+add_option(nostart)
+auth_config.execute()
+print Kerberos 5 enabled
 
-#Check that nss is working properly
-if
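
Review bot: the skip path of the new 'if not options.no_ac:' guard in install() is silent in the lines shown: with --noac nothing is printed or logged to say that nsswitch.conf and PAM were left untouched, while the normal path prints 'SSSD enabled' or 'LDAP enabled'. Suggest an else branch with a root_logger.info() line stating that authconfig was skipped and that NSS/PAM have to be configured separately. Because the guard works by re-indenting the whole block, a short comment at the guard stating which of the following steps it is meant to cover would make the intent easier to check than the indentation alone, which the thread itself notes is hard to see in the patch file.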