Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf
On 02.06.2016 19:59, Martin Basti wrote:
> On 31.05.2016 19:19, Robbie Harwood wrote:
>> Alexander Bokovoy writes:
>>> On Sat, 28 May 2016, Robbie Harwood wrote:
>>>> Alexander Bokovoy writes:
>>>>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>>>>> Stanislav Laznicka writes:
>>>>>>> From: Stanislav Laznicka
>>>>>>>
>>>>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies
>>>>>>> to work properly
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>>>>
>>>>>> Thank you for working on this. Is the intent on the part of FreeIPA to
>>>>>> keep a separate, freeipa-specific directory? And if so, can I suggest
>>>>>> that we not do that?
>>>>>
>>>>> SSSD cannot write to /etc and I don't think we have to change it.
>>>>
>>>> Can you elaborate on this? Why can't sssd write the stuff it puts in
>>>> /var/lib into /etc, or symlink it?
>>>
>>> Writing to /etc is considered a privilege of a system administrator. A
>>> runtime override is typically done outside it, in /run like systemd
>>> allows for its configuration for volatile setups and in /var/lib
>>> for non-volatile ones. The latter has long been a state of affairs in
>>> Linux.
>>>
>>> Currently SSSD runs under root but it is already made possible to run as
>>> non-root user and we intend to switch to that mode in future releases.
>>
>> I guess I don't see a meaningful difference here. We're still writing
>> to /etc when we modify krb5.conf.
>>
>> My reading of the FHS is that this is not an intended use of /var/lib:
>> /var/lib is for state information [0], and the only time the FHS
>> mentions config files is to point out that they go in the /etc tree.
>>
>> Anyway, I've said my piece and won't derail this further. If you want
>> to merge, this is a cosmetic issue and I can live with it.
>>
>> [0]: http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION
>
> ACK, this patch works as expected. If nobody is against it, I will push
> it (tomorrow).
>
> Martin^2

Pushed to master: 2026677635c6d4b086670cb9d8f3570bd1b95c27

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf
On 31.05.2016 19:19, Robbie Harwood wrote:
> Alexander Bokovoy writes:
>> On Sat, 28 May 2016, Robbie Harwood wrote:
>>> Alexander Bokovoy writes:
>>>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>>>> Stanislav Laznicka writes:
>>>>>> From: Stanislav Laznicka
>>>>>>
>>>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies
>>>>>> to work properly
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>>>
>>>>> Thank you for working on this. Is the intent on the part of FreeIPA to
>>>>> keep a separate, freeipa-specific directory? And if so, can I suggest
>>>>> that we not do that?
>>>>
>>>> SSSD cannot write to /etc and I don't think we have to change it.
>>>
>>> Can you elaborate on this? Why can't sssd write the stuff it puts in
>>> /var/lib into /etc, or symlink it?
>>
>> Writing to /etc is considered a privilege of a system administrator. A
>> runtime override is typically done outside it, in /run like systemd
>> allows for its configuration for volatile setups and in /var/lib
>> for non-volatile ones. The latter has long been a state of affairs in
>> Linux.
>>
>> Currently SSSD runs under root but it is already made possible to run as
>> non-root user and we intend to switch to that mode in future releases.
>
> I guess I don't see a meaningful difference here. We're still writing
> to /etc when we modify krb5.conf.
>
> My reading of the FHS is that this is not an intended use of /var/lib:
> /var/lib is for state information [0], and the only time the FHS
> mentions config files is to point out that they go in the /etc tree.
>
> Anyway, I've said my piece and won't derail this further. If you want
> to merge, this is a cosmetic issue and I can live with it.
>
> [0]: http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION

ACK, this patch works as expected. If nobody is against it, I will push
it (tomorrow).

Martin^2
Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf
Alexander Bokovoy writes:

> On Sat, 28 May 2016, Robbie Harwood wrote:
>> Alexander Bokovoy writes:
>>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>>> Stanislav Laznicka writes:
>>>>> From: Stanislav Laznicka
>>>>>
>>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies
>>>>> to work properly
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>>
>>>> Thank you for working on this. Is the intent on the part of FreeIPA to
>>>> keep a separate, freeipa-specific directory? And if so, can I suggest
>>>> that we not do that?
>>>
>>> SSSD cannot write to /etc and I don't think we have to change it.
>>
>> Can you elaborate on this? Why can't sssd write the stuff it puts in
>> /var/lib into /etc, or symlink it?
>
> Writing to /etc is considered a privilege of a system administrator. A
> runtime override is typically done outside it, in /run like systemd
> allows for its configuration for volatile setups and in /var/lib
> for non-volatile ones. The latter has long been a state of affairs in
> Linux.
>
> Currently SSSD runs under root but it is already made possible to run as
> non-root user and we intend to switch to that mode in future releases.

I guess I don't see a meaningful difference here. We're still writing
to /etc when we modify krb5.conf.

My reading of the FHS is that this is not an intended use of /var/lib:
/var/lib is for state information [0], and the only time the FHS
mentions config files is to point out that they go in the /etc tree.

Anyway, I've said my piece and won't derail this further. If you want
to merge, this is a cosmetic issue and I can live with it.

[0]: http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION
Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf
On Sat, 28 May 2016, Robbie Harwood wrote:
> Alexander Bokovoy writes:
>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>> Stanislav Laznicka writes:
>>>> From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001
>>>> From: Stanislav Laznicka
>>>> Date: Fri, 27 May 2016 16:12:31 +0200
>>>> Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf
>>>>
>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies to work
>>>> properly
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>
>>> Thank you for working on this. Is the intent on the part of FreeIPA to
>>> keep a separate, freeipa-specific directory? And if so, can I suggest
>>> that we not do that?
>>
>> Which directory are you talking about? /var/lib/sss/pubconf/krb5.include.d/?
>
> Yes, this one.
>
>> SSSD cannot write to /etc and I don't think we have to change it.
>
> Can you elaborate on this? Why can't sssd write the stuff it puts in
> /var/lib into /etc, or symlink it?

Writing to /etc is considered a privilege of a system administrator. A
runtime override is typically done outside it, in /run like systemd
allows for its configuration for volatile setups and in /var/lib
for non-volatile ones. The latter has long been a state of affairs in
Linux.

Currently SSSD runs under root but it is already made possible to run as
non-root user and we intend to switch to that mode in future releases.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf
Alexander Bokovoy writes:

> On Fri, 27 May 2016, Robbie Harwood wrote:
>> Stanislav Laznicka writes:
>>
>>> From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001
>>> From: Stanislav Laznicka
>>> Date: Fri, 27 May 2016 16:12:31 +0200
>>> Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf
>>>
>>> The include of /etc/krb5.conf.d/ is required for crypto-policies to work
>>> properly
>>>
>>> https://fedorahosted.org/freeipa/ticket/5912
>>
>> Thank you for working on this. Is the intent on the part of FreeIPA to
>> keep a separate, freeipa-specific directory? And if so, can I suggest
>> that we not do that?
>
> Which directory are you talking about? /var/lib/sss/pubconf/krb5.include.d/?

Yes, this one.

> SSSD cannot write to /etc and I don't think we have to change it.

Can you elaborate on this? Why can't sssd write the stuff it puts in
/var/lib into /etc, or symlink it?
Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf
On Fri, 27 May 2016, Robbie Harwood wrote:
> Stanislav Laznicka writes:
>> From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001
>> From: Stanislav Laznicka
>> Date: Fri, 27 May 2016 16:12:31 +0200
>> Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf
>>
>> The include of /etc/krb5.conf.d/ is required for crypto-policies to work
>> properly
>>
>> https://fedorahosted.org/freeipa/ticket/5912
>
> Thank you for working on this. Is the intent on the part of FreeIPA to
> keep a separate, freeipa-specific directory? And if so, can I suggest
> that we not do that?

Which directory are you talking about? /var/lib/sss/pubconf/krb5.include.d/?

The SSSD directory has already been used by all FreeIPA clients for a very
long time, because SSSD puts several important snippets there:

 - CA paths and domain_realm information based on the trust topology of FreeIPA
 - localauth plugin definition for the SSSD plugin

SSSD cannot write to /etc and I don't think we have to change it.

--
/ Alexander Bokovoy
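The messages above turn on what krb5's `includedir` actually does with the two directories (the system one the patch adds and the SSSD pubconf one). The following is an added example, not FreeIPA or SSSD code: given a krb5.conf, it lists which snippet files each `includedir` would load and flags an `includedir` that points at a directory that does not exist. The filename rule (only names made of alphanumerics, dashes and underscores; releases from krb5 1.17 also accept a `.conf` suffix) and the fatal-error-on-missing-directory behaviour are MIT krb5's documented includedir semantics; everything else, the directory layout under a temporary root, the file names and the snippet bodies, is constructed here to stand in for /etc/krb5.conf.d/ and /var/lib/sss/pubconf/krb5.include.d/.

```python
"""Audit which snippet files a krb5.conf 'includedir' will really pull in.

Stand-alone example, not FreeIPA or SSSD code. It mimics the filename
filter MIT krb5's profile library applies to includedir and treats a
missing includedir directory as the hard error krb5 itself reports
(PROF_FAIL_INCLUDE_DIR, "Included profile directory could not be read").
"""
import os
import re
import tempfile

# Names krb5 accepts under an includedir: alphanumerics, '-' and '_' only,
# plus (krb5 >= 1.17) the same with a '.conf' suffix.
_PLAIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
_CONF_NAME = re.compile(r"^[A-Za-z0-9_-]+\.conf$")


def includedirs(krb5_conf_text):
    """Return the directories named by 'includedir' lines, in file order."""
    dirs = []
    for line in krb5_conf_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "includedir":
            dirs.append(parts[1])
    return dirs


def loadable_snippets(directory, allow_conf_suffix=True):
    """Return (loaded, skipped) file names for one includedir directory.

    Raises FileNotFoundError when the directory is absent, mirroring the
    parse failure krb5 raises for an unreadable includedir.
    """
    if not os.path.isdir(directory):
        raise FileNotFoundError(directory)
    loaded, skipped = [], []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        ok = os.path.isfile(path) and bool(
            _PLAIN_NAME.match(name)
            or (allow_conf_suffix and _CONF_NAME.match(name)))
        (loaded if ok else skipped).append(name)
    return loaded, skipped


def audit(krb5_conf_path, allow_conf_suffix=True):
    """Map each includedir of a krb5.conf to its (loaded, skipped) names.

    A missing directory is recorded as None so an installer can refuse to
    write such a krb5.conf instead of leaving every krb5 call broken.
    """
    with open(krb5_conf_path) as f:
        text = f.read()
    report = {}
    for d in includedirs(text):
        try:
            report[d] = loadable_snippets(d, allow_conf_suffix)
        except FileNotFoundError:
            report[d] = None
    return report


def demo():
    """Build a constructed layout like the one in the thread and return its paths."""
    root = tempfile.mkdtemp()
    common = os.path.join(root, "etc", "krb5.conf.d")            # stands in for /etc/krb5.conf.d/
    sss = os.path.join(root, "var", "lib", "sss", "pubconf", "krb5.include.d")
    missing = os.path.join(root, "etc", "krb5.conf.d.missing")   # deliberately never created
    os.makedirs(common)
    os.makedirs(sss)
    # Constructed snippet files; names are chosen to exercise the filter.
    for d, name, body in [
        (common, "crypto-policies", "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96\n"),
        (common, "README.txt", "not a profile\n"),                # dot in name: never loaded
        (common, "local.conf", "[libdefaults]\n"),                # '.conf': loaded by krb5 >= 1.17 only
        (sss, "domain_realm_example_test", "[domain_realm]\n.example.test = EXAMPLE.TEST\n"),
        (sss, "localauth_plugin", "[plugins]\n"),
        (sss, ".tmp~", ""),                                       # editor leftover: never loaded
    ]:
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
    conf = os.path.join(root, "krb5.conf")
    with open(conf, "w") as f:
        f.write("includedir %s\nincludedir %s\nincludedir %s\n\n[libdefaults]\n"
                % (common, sss, missing))
    return root, conf, common, sss, missing


if __name__ == "__main__":
    _, conf, *_ = demo()
    for d, result in audit(conf).items():
        print(d, "MISSING: krb5 would fail to parse this config" if result is None else result)
```

Running the script prints one line per includedir; the third one reports the missing directory, which is the condition an installer that writes `includedir` lines should check for before it commits the new krb5.conf. Pass `allow_conf_suffix=False` to `audit()` to see what a pre-1.17 krb5 would load.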
Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf
Stanislav Laznicka writes:

> From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001
> From: Stanislav Laznicka
> Date: Fri, 27 May 2016 16:12:31 +0200
> Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf
>
> The include of /etc/krb5.conf.d/ is required for crypto-policies to work
> properly
>
> https://fedorahosted.org/freeipa/ticket/5912

Thank you for working on this. Is the intent on the part of FreeIPA to
keep a separate, freeipa-specific directory? And if so, can I suggest
that we not do that?
[Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf
https://fedorahosted.org/freeipa/ticket/5912 From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Fri, 27 May 2016 16:12:31 +0200 Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly https://fedorahosted.org/freeipa/ticket/5912 --- client/ipa-client-install| 3 ++- install/share/krb5.conf.template | 1 + ipaplatform/base/paths.py| 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/client/ipa-client-install b/client/ipa-client-install index cff3fbfcdee8690c9466ea339a362edfb151a11a..ddefdbc385b5ac4619debf96610e8a7cdb18fc2e 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -1058,7 +1058,8 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, krbconf.setIndent((""," ","")) opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'}, -{'name':'empty', 'type':'empty'}] +{'name':'empty', 'type':'empty'}, +{'name':'includedir', 'type':'option', 'value':paths.COMMON_KRB5_CONF_DIR, 'delim':' '}] # SSSD include dir if options.sssd: diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index 92431d3fde6afecd0e74803e18724379e8746f9b..f8b256aee690def6c415004df948a34d485578b1 100644 --- a/install/share/krb5.conf.template +++ b/install/share/krb5.conf.template @@ -1,3 +1,4 @@ +includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index ca7eb6cf47b4442fa538a47c74846e13c25e02e8..336839b71e446bfc459d3bd5065b4c029b312832 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py 
@@ -68,6 +68,7 @@ class BasePathNamespace(object): DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so" IPA_NSSDB_DIR = "/etc/ipa/nssdb" IPA_NSSDB_PWDFILE_TXT = "/etc/ipa/nssdb/pwdfile.txt" +COMMON_KRB5_CONF_DIR = "/etc/krb5.conf.d/" KRB5_CONF = "/etc/krb5.conf" KRB5_KEYTAB = "/etc/krb5.keytab" LDAP_CONF = "/etc/ldap.conf" -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
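Review bot: in the client/ipa-client-install hunk the new `includedir` entry for paths.COMMON_KRB5_CONF_DIR is appended to `opts` unconditionally, so every client will get `includedir /etc/krb5.conf.d/` written into krb5.conf, yet nothing checks that the directory exists or creates it. MIT krb5's profile parser treats an includedir it cannot open as a fatal parse error (PROF_FAIL_INCLUDE_DIR), so on a host whose krb5 packaging does not ship /etc/krb5.conf.d/ this breaks every Kerberos operation rather than merely skipping the crypto-policies snippet. Suggest guarding the append with `os.path.isdir(paths.COMMON_KRB5_CONF_DIR)` or creating the directory before krb5.conf is written, and wrapping the added dict literal, which runs well past the line length used by the surrounding entries.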
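Review bot: the install/share/krb5.conf.template hunk hard-codes `includedir /etc/krb5.conf.d/` while the same patch introduces paths.COMMON_KRB5_CONF_DIR for exactly this path, so the server-side krb5.conf bypasses the ipaplatform constant the client-side hunk uses; a platform override of COMMON_KRB5_CONF_DIR would then apply to clients only. Substituting the constant when the template is rendered keeps the two in step. The same missing-directory concern applies here: the template is laid down as-is, and an includedir that cannot be opened is a fatal parse error for krb5. Finally, placing the new line before `includedir /var/lib/sss/pubconf/krb5.include.d/` is a deliberate precedence choice, since krb5's profile library returns the first value it finds for a single-valued relation; a one-line comment in the template recording that the crypto-policies directory is meant to win would stop someone reordering it later.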
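Review bot: in the ipaplatform/base/paths.py hunk, COMMON_KRB5_CONF_DIR carries a trailing slash, unlike the neighbouring directory constants such as `IPA_NSSDB_DIR = "/etc/ipa/nssdb"`; drop it for consistency, since both os.path.join and krb5's includedir work without it and callers joining onto it would otherwise produce a double slash. A short comment noting that the path is dictated by the system krb5 packaging (crypto-policies drops its snippet there, per the commit message) would also tell a future reader why it lives in the base namespace rather than in a distribution-specific one.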