Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 03/03/2014 08:16 PM, Tomas Babej wrote: The updated patch addresses all the mentioned issues. Also enables systemd's specific domainname service instead of relying ypbind being present on the system. Please note that nisdomainname is not configured on boot time at the moment. The following bug is the cause: https://bugzilla.redhat.com/show_bug.cgi?id=1071951 On 11/14/2013 12:54 PM, Ana Krivokapic wrote: On 09/26/2013 10:28 AM, Tomas Babej wrote: +if options.no_nisdomain and not options.nisdomain: This should be `if options.no_nisdomain and options.nisdomain:`. +parser.error(--no-nisdomain cannot be used together with --nisdomain) Shouldn't we also revert the nisdomain authconfig setting on client uninstall? This set the NIS domain correctly after the restart. However, it did not set it *before* the restart. Thus, after I installed IPA server/client, NIS domain was not set and thus SUDO would not work. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 03/28/2014 08:42 AM, Martin Kosek wrote: On 03/26/2014 06:46 PM, Martin Kosek wrote: On 03/03/2014 08:16 PM, Tomas Babej wrote: The updated patch addresses all the mentioned issues. Also enables systemd's specific domainname service instead of relying ypbind being present on the system. Please note that nisdomainname is not configured on boot time at the moment. The following bug is the cause: https://bugzilla.redhat.com/show_bug.cgi?id=1071951 I spoke with initscripts maintainer, applied little pressure and fixed version is now on its way to updates-testing - initscripts-9.51-2.fc20. Martin Tomas, did you test the referred build? If yes, it would be great to give it a karma so that it gets soon to stable update repo: https://admin.fedoraproject.org/updates/FEDORA-2014-4376/initscripts-9.51-2.fc20 Thanks, Martin Yes. I gave the karma, now it should be on its way to stable update repository. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 03/26/2014 06:46 PM, Martin Kosek wrote: On 03/03/2014 08:16 PM, Tomas Babej wrote: The updated patch addresses all the mentioned issues. Also enables systemd's specific domainname service instead of relying ypbind being present on the system. Please note that nisdomainname is not configured on boot time at the moment. The following bug is the cause: https://bugzilla.redhat.com/show_bug.cgi?id=1071951 I spoke with initscripts maintainer, applied little pressure and fixed version is now on its way to updates-testing - initscripts-9.51-2.fc20. Martin Tomas, did you test the referred build? If yes, it would be great to give it a karma so that it gets soon to stable update repo: https://admin.fedoraproject.org/updates/FEDORA-2014-4376/initscripts-9.51-2.fc20 Thanks, Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 03/03/2014 08:16 PM, Tomas Babej wrote: The updated patch addresses all the mentioned issues. Also enables systemd's specific domainname service instead of relying ypbind being present on the system. Please note that nisdomainname is not configured on boot time at the moment. The following bug is the cause: https://bugzilla.redhat.com/show_bug.cgi?id=1071951 I spoke with initscripts maintainer, applied little pressure and fixed version is now on its way to updates-testing - initscripts-9.51-2.fc20. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
The updated patch addresses all the mentioned issues.
Also enables systemd's specific domainname service instead of relying
ypbind being present on the system.
Please note that nisdomainname is not configured on boot time at the
moment. The following bug is the cause:
https://bugzilla.redhat.com/show_bug.cgi?id=1071951
On 11/14/2013 12:54 PM, Ana Krivokapic wrote:
On 09/26/2013 10:28 AM, Tomas Babej wrote:
+if options.no_nisdomain and not options.nisdomain:
This should be `if options.no_nisdomain and options.nisdomain:`.
+parser.error(--no-nisdomain cannot be used together with
--nisdomain)
Shouldn't we also revert the nisdomain authconfig setting on client uninstall?
--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
From 3b66934f1dd3167dc56ffa8b4a750a0912a89642 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 25 Sep 2013 13:45:45 +0200
Subject: [PATCH] ipa-client: Set NIS domain name in the installer
Provides two new options for the ipa-client-install:
--nisdomain: specifies the NIS domain name
--no_nisdomain: flag to aviod setting the NIS domain name
In case no --nisdomain is specified and --no_nisdomain flag was
not set, the IPA domain is used.
Manual pages updated.
http://fedorahosted.org/freeipa/ticket/3202
---
ipa-client/ipa-install/ipa-client-install | 65 +++
ipa-client/man/ipa-client-install.1 | 6 +++
ipapython/platform/base/__init__.py | 3 +-
ipapython/platform/fedora16/service.py| 2 +
4 files changed, 75 insertions(+), 1 deletion(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7cc0c33973fb9bd2113b33da7cb1d450b66a49dd..03679c10d09c64a284e3950a1808887ec52ae5ea 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -126,6 +126,11 @@ def parse_options():
basic_group.add_option(, --force-ntpd, dest=force_ntpd,
action=store_true, default=False,
help=Stop and disable any timedate synchronization services besides ntpd)
+basic_group.add_option(--nisdomain, dest=nisdomain,
+ help=NIS domain name)
+basic_group.add_option(--no-nisdomain, action=store_true, default=False,
+ help=do not configure NIS domain name,
+ dest=no_nisdomain)
basic_group.add_option(--ssh-trust-dns, dest=trust_sshfp, default=False, action=store_true,
help=configure OpenSSH client to trust DNS SSHFP records)
basic_group.add_option(--no-ssh, dest=conf_ssh, default=True, action=store_false,
@@ -195,6 +200,9 @@ def parse_options():
if options.firefox_dir and not options.configure_firefox:
parser.error(--firefox-dir cannot be used without --configure-firefox option)
+if options.no_nisdomain and options.nisdomain:
+parser.error(--no-nisdomain cannot be used together with --nisdomain)
+
return safe_opts, options
def logging_setup(options):
@@ -595,6 +603,7 @@ def uninstall(options, env):
fstore.restore_all_files()
ipautil.restore_hostname(statestore)
+unconfigure_nisdomain()
nscd = ipaservices.knownservices.nscd
nslcd = ipaservices.knownservices.nslcd
@@ -1351,6 +1360,59 @@ def configure_automount(options):
root_logger.info(stdout)
+def configure_nisdomain(options, domain):
+domain = options.nisdomain or domain
+root_logger.info('Configuring %s as NIS domain.' % domain)
+
+nis_domain_name = ''
+
+# First backup the old NIS domain name
+if os.path.exists('/usr/bin/nisdomainname'):
+try:
+nis_domain_name, _, _ = ipautil.run(['/usr/bin/nisdomainname'])
+except CalledProcessError, e:
+pass
+
+statestore.backup_state('network', 'nisdomain', nis_domain_name)
+
+# Backup the state of the domainname service
+statestore.backup_state(domainname, enabled,
+ipaservices.knownservices.domainname.is_enabled())
+
+# Set the new NIS domain name
+set_nisdomain(domain)
+
+# Enable and start the domainname service
+ipaservices.knownservices.domainname.enable()
+ipaservices.knownservices.domainname.start()
+
+
+def unconfigure_nisdomain():
+# Set the nisdomain permanent and current nisdomain configuration as it was
+if statestore.has_state('network'):
+old_nisdomain = statestore.restore_state('network','nisdomain') or ''
+
+if old_nisdomain:
+root_logger.info('Restoring %s as NIS domain.' % old_nisdomain)
+else:
+root_logger.info('Unconfiguring the NIS domain.')
+
+set_nisdomain(old_nisdomain)
+
+# Restore the configuration of the domainname service
+enabled = statestore.restore_state('domainname', 'enabled')
+if not enabled:
+
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 10:28 AM, Tomas Babej wrote: +if options.no_nisdomain and not options.nisdomain: This should be `if options.no_nisdomain and options.nisdomain:`. +parser.error(--no-nisdomain cannot be used together with --nisdomain) Shouldn't we also revert the nisdomain authconfig setting on client uninstall? -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 03:16 PM, Petr Viktorin wrote: On 09/26/2013 02:58 PM, Martin Kosek wrote: On 09/26/2013 02:45 PM, Jan Cholasta wrote: On 26.9.2013 14:38, Martin Kosek wrote: On 09/26/2013 02:28 PM, Tomas Babej wrote: On 09/26/2013 12:20 PM, Jan Cholasta wrote: ... I just found --no-nisdomain more descriptive and explicit. If there is a consensus, I can remove it. I am not aware of any precedent that would warrant --nisdomain=. We sort of have precedent in `ipa` in multivalued options, leaving those empty deletes the values. I have seen concerns about the number of ipa-client-install options in the past (not by me). IMHO, we are currently OK on this front. Having options categorized in sections, as we already do, helps. IMO --no-nisdomain is more consistent with rest of the options. I don't see any other --option=value and --no-option option pair in ipa-client-install, so what consistency are you talking about? I was referring to --no-ssh, --no-ntp and similar. But it is true that these rather disable entire features than delete a value. I do not punt on this, --nidomain= may be OK as well. IMO empty option values are awkward; --no-nisdomain is more user-friendly, and can be explained more clearly, even though it needs an additional option. OK, we let this rot on the list for a while. I retest the patch and it still applies and works with the current master. I think we should keep both options, no-nisdomain is more descriptive and an explicit option is more necessary here since we are setting nisdomain by default. Hence I would avoid having to use --nisdomain= to disable setting the nisdomain, since it is rather implicit (even if we commented on it in the option description). Option-nitpicking aside, I think this patch is ready for a proper functional review. -- Tomas Babej Associate Software Engeneer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 26.9.2013 10:28, Tomas Babej wrote: Hi, Provides two new options for the ipa-client-install: --nisdomain: specifies the NIS domain name --no_nisdomain: flag to aviod setting the NIS domain name In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used. Manual pages updated. http://fedorahosted.org/freeipa/ticket/3202 Design page: http://www.freeipa.org/page/V3_Minor_Enhancements Is the --no-nisdomain option necessary? IMO --nisdomain with empty value (i.e. --nisdomain= or --nisdomain '') should be sufficient for this. Honza -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 10:28 AM, Tomas Babej wrote: Hi, Provides two new options for the ipa-client-install: --nisdomain: specifies the NIS domain name --no_nisdomain: flag to aviod setting the NIS domain name In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used. Manual pages updated. http://fedorahosted.org/freeipa/ticket/3202 Design page: http://www.freeipa.org/page/V3_Minor_Enhancements Are you sure that authconfig is the right place to configure nisdomain? # authconfig --nisdomain example.com --update Stopping sssd: [ OK ] # service sssd status sssd is stopped # nisdomainname (none) We also need to verify that netgroups and SUDO support in SSSD will work with the new --nisdomain option. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 12:20 PM, Jan Cholasta wrote: On 26.9.2013 10:28, Tomas Babej wrote: Hi, Provides two new options for the ipa-client-install: --nisdomain: specifies the NIS domain name --no_nisdomain: flag to aviod setting the NIS domain name In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used. Manual pages updated. http://fedorahosted.org/freeipa/ticket/3202 Design page: http://www.freeipa.org/page/V3_Minor_Enhancements Is the --no-nisdomain option necessary? IMO --nisdomain with empty value (i.e. --nisdomain= or --nisdomain '') should be sufficient for this. Honza I just found --no-nisdomain more descriptive and explicit. If there is a consensus, I can remove it. -- Tomas Babej Associate Software Engeneer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 02:28 PM, Tomas Babej wrote: On 09/26/2013 12:20 PM, Jan Cholasta wrote: On 26.9.2013 10:28, Tomas Babej wrote: Hi, Provides two new options for the ipa-client-install: --nisdomain: specifies the NIS domain name --no_nisdomain: flag to aviod setting the NIS domain name In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used. Manual pages updated. http://fedorahosted.org/freeipa/ticket/3202 Design page: http://www.freeipa.org/page/V3_Minor_Enhancements Is the --no-nisdomain option necessary? IMO --nisdomain with empty value (i.e. --nisdomain= or --nisdomain '') should be sufficient for this. Honza I just found --no-nisdomain more descriptive and explicit. If there is a consensus, I can remove it. I am not aware of any precedent that would warrant --nisdomain=. IMO --no-nisdomain is more consistent with rest of the options. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 26.9.2013 14:38, Martin Kosek wrote: On 09/26/2013 02:28 PM, Tomas Babej wrote: On 09/26/2013 12:20 PM, Jan Cholasta wrote: On 26.9.2013 10:28, Tomas Babej wrote: Hi, Provides two new options for the ipa-client-install: --nisdomain: specifies the NIS domain name --no_nisdomain: flag to aviod setting the NIS domain name In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used. Manual pages updated. http://fedorahosted.org/freeipa/ticket/3202 Design page: http://www.freeipa.org/page/V3_Minor_Enhancements Is the --no-nisdomain option necessary? IMO --nisdomain with empty value (i.e. --nisdomain= or --nisdomain '') should be sufficient for this. Honza I just found --no-nisdomain more descriptive and explicit. If there is a consensus, I can remove it. I am not aware of any precedent that would warrant --nisdomain=. I have seen concerns about the number of ipa-client-install options in the past (not by me). IMO --no-nisdomain is more consistent with rest of the options. I don't see any other --option=value and --no-option option pair in ipa-client-install, so what consistency are you talking about? -- Jan Cholasta ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 02:45 PM, Jan Cholasta wrote: On 26.9.2013 14:38, Martin Kosek wrote: On 09/26/2013 02:28 PM, Tomas Babej wrote: On 09/26/2013 12:20 PM, Jan Cholasta wrote: ... I just found --no-nisdomain more descriptive and explicit. If there is a consensus, I can remove it. I am not aware of any precedent that would warrant --nisdomain=. I have seen concerns about the number of ipa-client-install options in the past (not by me). IMHO, we are currently OK on this front. Having options categorized in sections, as we already do, helps. IMO --no-nisdomain is more consistent with rest of the options. I don't see any other --option=value and --no-option option pair in ipa-client-install, so what consistency are you talking about? I was referring to --no-ssh, --no-ntp and similar. But it is true that these rather disable entire features than delete a value. I do not punt on this, --nidomain= may be OK as well. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 02:58 PM, Martin Kosek wrote: On 09/26/2013 02:45 PM, Jan Cholasta wrote: On 26.9.2013 14:38, Martin Kosek wrote: On 09/26/2013 02:28 PM, Tomas Babej wrote: On 09/26/2013 12:20 PM, Jan Cholasta wrote: ... I just found --no-nisdomain more descriptive and explicit. If there is a consensus, I can remove it. I am not aware of any precedent that would warrant --nisdomain=. We sort of have precedent in `ipa` in multivalued options, leaving those empty deletes the values. I have seen concerns about the number of ipa-client-install options in the past (not by me). IMHO, we are currently OK on this front. Having options categorized in sections, as we already do, helps. IMO --no-nisdomain is more consistent with rest of the options. I don't see any other --option=value and --no-option option pair in ipa-client-install, so what consistency are you talking about? I was referring to --no-ssh, --no-ntp and similar. But it is true that these rather disable entire features than delete a value. I do not punt on this, --nidomain= may be OK as well. IMO empty option values are awkward; --no-nisdomain is more user-friendly, and can be explained more clearly, even though it needs an additional option. -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
