Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig
On Sat, 25 Feb 2012, Ondrej Hamada wrote:
> On 02/25/2012 08:30 PM, Alexander Bokovoy wrote:
>> On Thu, 23 Feb 2012, Ondrej Hamada wrote:
>>> Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. In fact no configuration of nsswitch.conf or PAM would be done at all.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2369
>>
>> NACK. According to the original request, authconfig will do nsswitch/PAM configuration *after* ipa-client-install run so the following check in ipa-client-install will fail with --noac:
>>
>> +#Check that nss is working properly +if not options.on_master: +n = 0 +found = False +# Loop for up to 10 seconds to see if nss is working properly. +# It can sometimes take a few seconds to connect to the remote provider. +# Particulary, SSSD might take longer than 6-8 seconds. +while n 10 and not found: +try: +ipautil.run([getent, passwd, admin]) +found = True +except Exception, e: +time.sleep(1) +n = n + 1
>
> This check never happens with --noac. I've rechecked the indentation (I admit it's badly visible in the patch file) and it's ok.

OK then. ACK.

Please, someone commit this patch as my git trees are a bit in flux due to trusts work and I'm deep in Samba 16-byte session key fixes right now.

--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig
Alexander Bokovoy wrote:
> On Sat, 25 Feb 2012, Ondrej Hamada wrote:
>> On 02/25/2012 08:30 PM, Alexander Bokovoy wrote:
>>> On Thu, 23 Feb 2012, Ondrej Hamada wrote:
>>>> Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. In fact no configuration of nsswitch.conf or PAM would be done at all.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2369
>>>
>>> NACK. According to the original request, authconfig will do nsswitch/PAM configuration *after* ipa-client-install run so the following check in ipa-client-install will fail with --noac:
>>>
>>> +#Check that nss is working properly +if not options.on_master: +n = 0 +found = False +# Loop for up to 10 seconds to see if nss is working properly. +# It can sometimes take a few seconds to connect to the remote provider. +# Particulary, SSSD might take longer than 6-8 seconds. +while n 10 and not found: +try: +ipautil.run([getent, passwd, admin]) +found = True +except Exception, e: +time.sleep(1) +n = n + 1
>>
>> This check never happens with --noac. I've rechecked the indentation (I admit it's badly visible in the patch file) and it's ok.
>
> OK then. ACK.
>
> Please, someone commit this patch as my git trees are a bit in flux due to trusts work and I'm deep in Samba 16-byte session key fixes right now.

Simo pushed this to master and ipa-2-2.

I added --noac to the ipa-client-install man page and pushed that under the 1-liner rule.

rob
Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig
On Mon, 2012-03-05 at 16:04 +0200, Alexander Bokovoy wrote:
> On Sat, 25 Feb 2012, Ondrej Hamada wrote:
>> On 02/25/2012 08:30 PM, Alexander Bokovoy wrote:
>>> On Thu, 23 Feb 2012, Ondrej Hamada wrote:
>>>> Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. In fact no configuration of nsswitch.conf or PAM would be done at all.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2369
>>>
>>> NACK. According to the original request, authconfig will do nsswitch/PAM configuration *after* ipa-client-install run so the following check in ipa-client-install will fail with --noac:
>>>
>>> +#Check that nss is working properly +if not options.on_master: +n = 0 +found = False +# Loop for up to 10 seconds to see if nss is working properly. +# It can sometimes take a few seconds to connect to the remote provider. +# Particulary, SSSD might take longer than 6-8 seconds. +while n 10 and not found: +try: +ipautil.run([getent, passwd, admin]) +found = True +except Exception, e: +time.sleep(1) +n = n + 1
>>
>> This check never happens with --noac. I've rechecked the indentation (I admit it's badly visible in the patch file) and it's ok.
>
> OK then. ACK.
>
> Please, someone commit this patch as my git trees are a bit in flux due to trusts work and I'm deep in Samba 16-byte session key fixes right now.

Pushed to 2.2 and master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig
On Thu, 23 Feb 2012, Ondrej Hamada wrote:
> Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. In fact no configuration of nsswitch.conf or PAM would be done at all.
>
> https://fedorahosted.org/freeipa/ticket/2369

NACK. According to the original request, authconfig will do nsswitch/PAM configuration *after* ipa-client-install run so the following check in ipa-client-install will fail with --noac:

+#Check that nss is working properly +if not options.on_master: +n = 0 +found = False +# Loop for up to 10 seconds to see if nss is working properly. +# It can sometimes take a few seconds to connect to the remote provider. +# Particulary, SSSD might take longer than 6-8 seconds. +while n 10 and not found: +try: +ipautil.run([getent, passwd, admin]) +found = True +except Exception, e: +time.sleep(1) +n = n + 1

--
/ Alexander Bokovoy
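Review bot: In the NSS check quoted above, `except Exception, e:` catches every error and never uses e, so a failure that has nothing to do with a slow provider (getent not being runnable at all, for instance) is retried for the full ten seconds and its cause is discarded. Suggest catching only the exception ipautil.run raises for a non-zero exit and logging e when the loop gives up. The lookup is also tied to the account name admin, so the check depends on that account existing under that name.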
Re: [Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig
On 02/25/2012 08:30 PM, Alexander Bokovoy wrote:
> On Thu, 23 Feb 2012, Ondrej Hamada wrote:
>> Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. In fact no configuration of nsswitch.conf or PAM would be done at all.
>>
>> https://fedorahosted.org/freeipa/ticket/2369
>
> NACK. According to the original request, authconfig will do nsswitch/PAM configuration *after* ipa-client-install run so the following check in ipa-client-install will fail with --noac:
>
> +#Check that nss is working properly +if not options.on_master: +n = 0 +found = False +# Loop for up to 10 seconds to see if nss is working properly. +# It can sometimes take a few seconds to connect to the remote provider. +# Particulary, SSSD might take longer than 6-8 seconds. +while n 10 and not found: +try: +ipautil.run([getent, passwd, admin]) +found = True +except Exception, e: +time.sleep(1) +n = n + 1

This check never happens with --noac. I've rechecked the indentation (I admit it's badly visible in the patch file) and it's ok.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz IRC: ohamada
[Freeipa-devel] [PATCH] 13 ipa-client-install not calling authconfig
Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration. In fact no configuration of nsswitch.conf or PAM would be done at all.

https://fedorahosted.org/freeipa/ticket/2369

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz IRC: ohamada

From 10bf87ef215642d5899da50f7b74f11b791e6a23 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada oham...@redhat.com
Date: Thu, 23 Feb 2012 17:24:46 +0100
Subject: [PATCH] ipa-client-install not calling authconfig

Option '--noac' was added. If set, the ipa-client-install will not call authconfig for setting nsswitch.conf and PAM configuration.

https://fedorahosted.org/freeipa/ticket/2369
---
ipa-client/ipa-install/ipa-client-install | 126 +++-- 1 files changed, 65 insertions(+), 61 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index f5c1efe0686020ce7cad79edfe19908ee3a55a30..36493e0b42de8230e6e8604f292284364885affd 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -90,6 +90,8 @@ def parse_options(): help=do not configure OpenSSH server) basic_group.add_option(--no-dns-sshfp, dest=create_sshfp, default=True, action=store_false, help=do not automatically create DNS SSHFP records) +basic_group.add_option(--noac, dest=no_ac, default=False, action=store_true, + help=do not use Authconfig to modify the nsswitch.conf and PAM configuration) basic_group.add_option(-f, --force, dest=force, action=store_true, default=False, help=force setting of LDAP/Kerberos conf) basic_group.add_option(-d, --debug, dest=debug, action=store_true, 
@@ -1368,75 +1370,77 @@ def install(options, env, fstore, statestore): root_logger.info(%s daemon is not installed, skip configuration % (nscd.service_name)) retcode, conf, filename = (0, None, None) -# Modify nsswitch/pam stack -auth_config = ipaservices.authconfig() -if options.sssd: -statestore.backup_state('authconfig', 'sssd', True) -statestore.backup_state('authconfig', 'sssdauth', True) -auth_config.enable(sssd).\ -enable(sssdauth) -message = SSSD enabled -conf = 'SSSD' -else: -statestore.backup_state('authconfig', 'ldap', True) -auth_config.enable(ldap).\ -enable(forcelegacy) -message = LDAP enabled -if options.mkhomedir: -statestore.backup_state('authconfig', 'mkhomedir', True) -auth_config.enable(mkhomedir) +if not options.no_ac: +# Modify nsswitch/pam stack +auth_config = ipaservices.authconfig() +if options.sssd: +statestore.backup_state('authconfig', 'sssd', True) +statestore.backup_state('authconfig', 'sssdauth', True) +auth_config.enable(sssd).\ +enable(sssdauth) +message = SSSD enabled +conf = 'SSSD' +else: +statestore.backup_state('authconfig', 'ldap', True) +auth_config.enable(ldap).\ +enable(forcelegacy) +message = LDAP enabled -auth_config.add_option(update) -auth_config.execute() -print message +if options.mkhomedir: +statestore.backup_state('authconfig', 'mkhomedir', True) +auth_config.enable(mkhomedir) -if not options.sssd: -#Modify pam to add pam_krb5 only when sssd is not in use -auth_config.reset() -statestore.backup_state('authconfig', 'krb5', True) -auth_config.enable(krb5).\ -add_option(update).\ -add_option(nostart) +auth_config.add_option(update) auth_config.execute() -print Kerberos 5 enabled +print message -# Update non-SSSD LDAP configuration after authconfig calls as it would -# change its configuration otherways -if not options.sssd: -for configurer in [configure_ldap_conf, configure_nslcd_conf]: -(retcode, conf, filename) = configurer(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options, 
nosssd_files[configurer.__name__]) -if retcode: -return CLIENT_INSTALL_ERROR -if conf: -print %s configured using configuration file(s) %s % (conf, filename) +if not options.sssd: +#Modify pam to add pam_krb5 only when sssd is not in use +auth_config.reset() +statestore.backup_state('authconfig', 'krb5', True) +auth_config.enable(krb5).\ +add_option(update).\ +add_option(nostart) +auth_config.execute() +print Kerberos 5 enabled -#Check that nss is working properly -if
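Review bot: In the parse_options() hunk, the help string for --noac ("do not use Authconfig to modify the nsswitch.conf and PAM configuration") does not tell the administrator that with the flag set nsswitch.conf and PAM are left unconfigured and have to be set up separately after the install. Suggest saying so in the help text and documenting the option in the ipa-client-install man page; the diffstat lists only ipa-client/ipa-install/ipa-client-install, so no documentation change is part of this patch. The neighbouring option is spelled --no-dns-sshfp, so --no-ac would match the existing naming better.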
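Review bot: In the install() hunk, `print message` and `print Kerberos 5 enabled` now sit inside `if not options.no_ac:`, so a run with --noac prints nothing about nsswitch.conf or PAM, and none of the visible added lines reports that the step was skipped. Suggest logging, for example through root_logger.info as the context line at the top of the hunk does, that nsswitch.conf and PAM were left untouched and must be configured separately, since until that is done the host does not resolve or authenticate IPA users through NSS and PAM. The statestore.backup_state('authconfig', ...) calls are skipped as well, so it is worth confirming that uninstall does not try to revert authconfig settings that were never recorded.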