Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

2016-06-05 Thread Martin Basti



On 02.06.2016 19:59, Martin Basti wrote:
> On 31.05.2016 19:19, Robbie Harwood wrote:
>> Alexander Bokovoy writes:
>>
>>> On Sat, 28 May 2016, Robbie Harwood wrote:
>>>> Alexander Bokovoy writes:
>>>>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>>>>> Stanislav Laznicka writes:
>>>>>>> From: Stanislav Laznicka
>>>>>>>
>>>>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies
>>>>>>> to work properly
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>>>>
>>>>>> Thank you for working on this.  Is the intent on the part of
>>>>>> FreeIPA to keep a separate, freeipa-specific directory?  And if so,
>>>>>> can I suggest that we not do that?
>>>>>
>>>>> SSSD cannot write to /etc and I don't think we have to change it.
>>>>
>>>> Can you elaborate on this?  Why can't sssd write the stuff it puts in
>>>> /var/lib into /etc, or symlink it?
>>>
>>> Writing to /etc is considered a privilege of a system administrator. A
>>> runtime override is typically done outside it, in /run like systemd
>>> allows for its configuration for volatile setups and in /var/lib
>>> for non-volatile ones. The latter has long been a state of affairs in
>>> Linux.
>>>
>>> Currently SSSD runs under root but it is already made possible to run as
>>> non-root user and we intend to switch to that mode in future releases.
>>
>> I guess I don't see a meaningful difference here.  We're still writing
>> to /etc when we modify krb5.conf.
>>
>> My reading of the FHS is that this is not an intended use of /var/lib:
>> /var/lib is for state information [0], and the only time the FHS
>> mentions config files is to point out that they go in the /etc tree.
>>
>> Anyway, I've said my piece and won't derail this further.  If you want
>> to merge, this is a cosmetic issue and I can live with it.
>>
>> [0]: http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION
>
> ACK, this patch works as expected. If nobody is against it, I will
> push it (tomorrow).
>
> Martin^2




Pushed to master: 2026677635c6d4b086670cb9d8f3570bd1b95c27

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

2016-06-02 Thread Martin Basti



On 31.05.2016 19:19, Robbie Harwood wrote:
> Alexander Bokovoy writes:
>
>> On Sat, 28 May 2016, Robbie Harwood wrote:
>>> Alexander Bokovoy writes:
>>>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>>>> Stanislav Laznicka writes:
>>>>>> From: Stanislav Laznicka
>>>>>>
>>>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies
>>>>>> to work properly
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>>>
>>>>> Thank you for working on this.  Is the intent on the part of
>>>>> FreeIPA to keep a separate, freeipa-specific directory?  And if so,
>>>>> can I suggest that we not do that?
>>>>
>>>> SSSD cannot write to /etc and I don't think we have to change it.
>>>
>>> Can you elaborate on this?  Why can't sssd write the stuff it puts in
>>> /var/lib into /etc, or symlink it?
>>
>> Writing to /etc is considered a privilege of a system administrator. A
>> runtime override is typically done outside it, in /run like systemd
>> allows for its configuration for volatile setups and in /var/lib
>> for non-volatile ones. The latter has long been a state of affairs in
>> Linux.
>>
>> Currently SSSD runs under root but it is already made possible to run as
>> non-root user and we intend to switch to that mode in future releases.
>
> I guess I don't see a meaningful difference here.  We're still writing
> to /etc when we modify krb5.conf.
>
> My reading of the FHS is that this is not an intended use of /var/lib:
> /var/lib is for state information [0], and the only time the FHS
> mentions config files is to point out that they go in the /etc tree.
>
> Anyway, I've said my piece and won't derail this further.  If you want
> to merge, this is a cosmetic issue and I can live with it.
>
> [0]: http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION

ACK, this patch works as expected. If nobody is against it, I will push
it (tomorrow).

Martin^2

Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

2016-05-31 Thread Robbie Harwood
Alexander Bokovoy writes:

> On Sat, 28 May 2016, Robbie Harwood wrote:
>> Alexander Bokovoy writes:
>>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>>> Stanislav Laznicka writes:
>>>>> From: Stanislav Laznicka
>>>>>
>>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies
>>>>> to work properly
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>>
>>>> Thank you for working on this.  Is the intent on the part of
>>>> FreeIPA to keep a separate, freeipa-specific directory?  And if so,
>>>> can I suggest that we not do that?
>>>
>>> SSSD cannot write to /etc and I don't think we have to change it.
>>
>> Can you elaborate on this?  Why can't sssd write the stuff it puts in
>> /var/lib into /etc, or symlink it?
>
> Writing to /etc is considered a privilege of a system administrator. A
> runtime override is typically done outside it, in /run like systemd
> allows for its configuration for volatile setups and in /var/lib
> for non-volatile ones. The latter has long been a state of affairs in
> Linux.
>
> Currently SSSD runs under root but it is already made possible to run as
> non-root user and we intend to switch to that mode in future releases.

I guess I don't see a meaningful difference here.  We're still writing
to /etc when we modify krb5.conf.

My reading of the FHS is that this is not an intended use of /var/lib:
/var/lib is for state information [0], and the only time the FHS
mentions config files is to point out that they go in the /etc tree.

Anyway, I've said my piece and won't derail this further.  If you want
to merge, this is a cosmetic issue and I can live with it.

[0]: http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION



Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

2016-05-28 Thread Alexander Bokovoy

On Sat, 28 May 2016, Robbie Harwood wrote:
> Alexander Bokovoy writes:
>
>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>> Stanislav Laznicka writes:
>>>
>>>> From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001
>>>> From: Stanislav Laznicka
>>>> Date: Fri, 27 May 2016 16:12:31 +0200
>>>> Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf
>>>>
>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies to work
>>>> properly
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>
>>> Thank you for working on this.  Is the intent on the part of FreeIPA to
>>> keep a separate, freeipa-specific directory?  And if so, can I suggest
>>> that we not do that?
>>
>> Which directory are you talking about? /var/lib/sss/pubconf/krb5.include.d/?
>
> Yes, this one.
>
>> SSSD cannot write to /etc and I don't think we have to change it.
>
> Can you elaborate on this?  Why can't sssd write the stuff it puts in
> /var/lib into /etc, or symlink it?

Writing to /etc is considered a privilege of a system administrator. A
runtime override is typically done outside it, in /run like systemd
allows for its configuration for volatile setups and in /var/lib
for non-volatile ones. The latter has long been a state of affairs in
Linux.

Currently SSSD runs under root but it is already made possible to run as
non-root user and we intend to switch to that mode in future releases.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

2016-05-28 Thread Robbie Harwood
Alexander Bokovoy  writes:

> On Fri, 27 May 2016, Robbie Harwood wrote:
>> Stanislav Laznicka writes:
>>
>>> From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001
>>> From: Stanislav Laznicka 
>>> Date: Fri, 27 May 2016 16:12:31 +0200
>>> Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf
>>>
>>> The include of /etc/krb5.conf.d/ is required for crypto-policies to work 
>>> properly
>>>
>>> https://fedorahosted.org/freeipa/ticket/5912
>>
>> Thank you for working on this.  Is the intent on the part of FreeIPA to
>> keep a separate, freeipa-specific directory?  And if so, can I suggest
>> that we not do that?
>
> Which directory are you talking about? /var/lib/sss/pubconf/krb5.include.d/?

Yes, this one.

> SSSD cannot write to /etc and I don't think we have to change it.

Can you elaborate on this?  Why can't sssd write the stuff it puts in
/var/lib into /etc, or symlink it?



Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

2016-05-27 Thread Alexander Bokovoy

On Fri, 27 May 2016, Robbie Harwood wrote:
> Stanislav Laznicka writes:
>
>> From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001
>> From: Stanislav Laznicka
>> Date: Fri, 27 May 2016 16:12:31 +0200
>> Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf
>>
>> The include of /etc/krb5.conf.d/ is required for crypto-policies to work
>> properly
>>
>> https://fedorahosted.org/freeipa/ticket/5912
>
> Thank you for working on this.  Is the intent on the part of FreeIPA to
> keep a separate, freeipa-specific directory?  And if so, can I suggest
> that we not do that?

Which directory are you talking about? /var/lib/sss/pubconf/krb5.include.d/?

The SSSD directory has already been used by all FreeIPA clients for a very
long time because SSSD puts several important snippets there:
 - CA paths and domain_realm information based on the trust topology of FreeIPA
 - localauth plugin definition for SSSD plugin

SSSD cannot write to /etc and I don't think we have to change it.



--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

2016-05-27 Thread Robbie Harwood
Stanislav Laznicka  writes:

> From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001
> From: Stanislav Laznicka 
> Date: Fri, 27 May 2016 16:12:31 +0200
> Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf
>
> The include of /etc/krb5.conf.d/ is required for crypto-policies to work 
> properly
>
> https://fedorahosted.org/freeipa/ticket/5912

Thank you for working on this.  Is the intent on the part of FreeIPA to
keep a separate, freeipa-specific directory?  And if so, can I suggest
that we not do that?



[Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

2016-05-27 Thread Stanislav Laznicka

https://fedorahosted.org/freeipa/ticket/5912

From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 27 May 2016 16:12:31 +0200
Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf

The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly

https://fedorahosted.org/freeipa/ticket/5912
---
 client/ipa-client-install| 3 ++-
 install/share/krb5.conf.template | 1 +
 ipaplatform/base/paths.py| 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index cff3fbfcdee8690c9466ea339a362edfb151a11a..ddefdbc385b5ac4619debf96610e8a7cdb18fc2e 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -1058,7 +1058,8 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 krbconf.setIndent(("","  ",""))
 
 opts = [{'name':'comment', 'type':'comment', 'value':'File modified by ipa-client-install'},
-{'name':'empty', 'type':'empty'}]
+{'name':'empty', 'type':'empty'},
+{'name':'includedir', 'type':'option', 'value':paths.COMMON_KRB5_CONF_DIR, 'delim':' '}]
 
 # SSSD include dir
 if options.sssd:
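Review bot: the new `includedir` option for paths.COMMON_KRB5_CONF_DIR is appended unconditionally, whereas the SSSD include dir a few lines below is only emitted under `if options.sssd:`; MIT krb5 rejects a profile whose includedir target does not exist, so on a client where the krb5 package does not ship /etc/krb5.conf.d/, every Kerberos operation would fail right after ipa-client-install writes the file. Either create the directory in configure_krb5_conf before writing, or guard the option on the directory existing, and state the dependency in the commit message. It is also worth a comment on the ordering chosen here: the directive lands before the SSSD include dir and before the generated [libdefaults], and the profile library takes the first definition of a single-valued relation, so a crypto-policies snippet shadows anything the installer itself writes for the same relation.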
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 92431d3fde6afecd0e74803e18724379e8746f9b..f8b256aee690def6c415004df948a34d485578b1 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -1,3 +1,4 @@
+includedir /etc/krb5.conf.d/
 includedir /var/lib/sss/pubconf/krb5.include.d/
 
 [logging]
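Review bot: this template hard-codes `includedir /etc/krb5.conf.d/` while the client installer in the first hunk takes the same path from paths.COMMON_KRB5_CONF_DIR; if a platform namespace ever overrides that constant, the server-side krb5.conf rendered from this template and the client configs will point at different directories. Consider substituting the path from the paths namespace the way the installer does, or document why the server side is fixed. The missing-directory caveat from the first hunk applies here too: the directive is a parse error when the directory is absent on the server.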
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index ca7eb6cf47b4442fa538a47c74846e13c25e02e8..336839b71e446bfc459d3bd5065b4c029b312832 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -68,6 +68,7 @@ class BasePathNamespace(object):
 DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
 IPA_NSSDB_DIR = "/etc/ipa/nssdb"
 IPA_NSSDB_PWDFILE_TXT = "/etc/ipa/nssdb/pwdfile.txt"
+COMMON_KRB5_CONF_DIR = "/etc/krb5.conf.d/"
 KRB5_CONF = "/etc/krb5.conf"
 KRB5_KEYTAB = "/etc/krb5.keytab"
 LDAP_CONF = "/etc/ldap.conf"
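Review bot: COMMON_KRB5_CONF_DIR keeps a trailing slash ("/etc/krb5.conf.d/") while the neighbouring directory constant in this namespace (IPA_NSSDB_DIR = "/etc/ipa/nssdb") does not; os.path.join tolerates either form, but plain string concatenation elsewhere will yield a double slash, so drop the trailing slash here and add it where the includedir line is built if the directive needs it. The name also reads as a generic "common" directory; KRB5_CONF_DIR next to KRB5_CONF would make the grouping by path obvious.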
-- 
2.5.5

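The two includedir lines the patch puts at the top of krb5.conf (the crypto-policies directory first, then the SSSD pubconf directory Alexander describes) raise two practical questions for whoever administers a client: which files in those directories krb5 will actually read, and which definition wins when a snippet and krb5.conf set the same relation. The Python below is an added example, not code from the patch or from FreeIPA or SSSD; it mirrors MIT krb5's includedir name filter and first-definition-wins lookup on a constructed temporary tree (every file name and content, including the SSSD-style localauth_plugin snippet, is made up for the example) and flags includedir targets that do not exist, which krb5 treats as a profile error.

```python
import os
import re
import tempfile

# Names krb5 reads inside an includedir: only alphanumerics, '-' and '_';
# from krb5 1.15 on, a name ending in ".conf" (not starting with '.') as well.
# Anything else (backups, editor swap files, dotted names) is silently skipped.
_PLAIN = re.compile(r"^[A-Za-z0-9_-]+$")
_CONF = re.compile(r"^[^.][^/]*\.conf$")

def included_names(dirname, krb5_115_or_later=True):
    """Return (included, skipped) names for one includedir. Newer krb5 reads
    the directory in sorted name order, so we sort too. A missing directory
    is a profile parse error in krb5, hence the exception."""
    if not os.path.isdir(dirname):
        raise FileNotFoundError("includedir target does not exist: " + dirname)
    included, skipped = [], []
    for name in sorted(os.listdir(dirname)):
        ok = _PLAIN.match(name) or (krb5_115_or_later and _CONF.match(name))
        (included if ok else skipped).append(name)
    return included, skipped

def _directive(line):
    """Split 'includedir DIR' / 'include FILE' into (keyword, target)."""
    words = line.split(None, 1)
    if len(words) == 2 and words[0] in ("include", "includedir"):
        return words[0], words[1].strip()
    return None, None

def missing_includedirs(path):
    """Pre-flight check: includedir targets that do not exist, which would
    make krb5 reject the whole profile."""
    with open(path) as fh:
        targets = [t for kind, t in map(_directive, fh) if kind == "includedir"]
    return [t for t in targets if not os.path.isdir(t)]

def flatten(path):
    """Lines of the profile with include/includedir expanded in place: the
    order in which krb5 encounters every relation."""
    out = []
    with open(path) as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            kind, target = _directive(line)
            if kind == "includedir":
                for name in included_names(target)[0]:
                    out.extend(flatten(os.path.join(target, name)))
            elif kind == "include":
                out.extend(flatten(target))
            else:
                out.append(line)
    return out

def first_value(lines, section, relation):
    """Single-valued relations resolve to the first definition the profile
    library meets, so a snippet pulled in early shadows a later setting."""
    current = None
    for line in lines:
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
        elif current == section and "=" in s:
            key, val = (p.strip() for p in s.split("=", 1))
            if key == relation:
                return val
    return None

def build_demo():
    """Constructed tree mirroring the patch's layout (a krb5.conf including a
    krb5.conf.d/ and an SSSD pubconf dir). Names and contents are made up."""
    root = tempfile.mkdtemp(prefix="krb5demo-")
    common = os.path.join(root, "krb5.conf.d")
    sssd = os.path.join(root, "sss", "pubconf", "krb5.include.d")
    os.makedirs(common)
    os.makedirs(sssd)
    files = {
        # crypto-policies style snippet
        (common, "crypto-policies"): "[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n",
        # stale backup: dotted name, never read
        (common, "crypto-policies.bak"): "[libdefaults]\npermitted_enctypes = arcfour-hmac\n",
        # ".conf" suffix: read by krb5 >= 1.15 only
        (common, "00-site.conf"): "[libdefaults]\ndns_canonicalize_hostname = false\n",
        # stand-in for the localauth snippet SSSD writes
        (sssd, "localauth_plugin"): "[plugins]\n localauth = {\n  module = sssd:sssd_krb5_localauth_plugin.so\n }\n",
        # the main file: includes first, its own [libdefaults] after, as in the patch
        (root, "krb5.conf"): "includedir %s\nincludedir %s\n\n[libdefaults]\n default_realm = EXAMPLE.TEST\n permitted_enctypes = arcfour-hmac\n" % (common, sssd),
        # a broken variant pointing at a directory nobody created
        (root, "krb5-broken.conf"): "includedir %s\n[libdefaults]\n default_realm = EXAMPLE.TEST\n" % os.path.join(root, "missing.d"),
    }
    for (d, name), body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return {"conf": os.path.join(root, "krb5.conf"), "broken": os.path.join(root, "krb5-broken.conf"), "common": common}

if __name__ == "__main__":
    demo = build_demo()
    print("included/skipped:", included_names(demo["common"]))
    print("missing dirs in broken conf:", missing_includedirs(demo["broken"]))
    print("effective permitted_enctypes:", first_value(flatten(demo["conf"]), "libdefaults", "permitted_enctypes"))
```

Run against a real system, `missing_includedirs("/etc/krb5.conf")` is the check a client installer would want before writing the file, and `included_names("/etc/krb5.conf.d")` shows which dropped-in snippets are live versus silently ignored because of a dot in their name.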