Re: [Freeipa-devel] [PATCH 0157] ipa-client-install: Configure sudo to use SSSD as data source

2014-03-28 Thread Martin Kosek
On 03/03/2014 08:24 PM, Tomas Babej wrote:
 Hi,
 
 Makes ipa-client-install configure SSSD as the data provider
 for the sudo service by default. This behaviour can be disabled
 by using --no-sudo flag.
 
 https://fedorahosted.org/freeipa/ticket/3358

By the way, when I was discussing this ticket with Jan Pazdziora, he had a good
suggestion that it would be nice if we had a test for sudo integration.

Given that SUDO management in FreeIPA is pretty widely used and given that this
ticket now makes it much easier to configure and use, it would be nice
to do our best to avoid breaking it upstream.

Having an integration test which would add some sudo rules, some targeted
directly on the given host entry, some targeted on a hostgroup with that entry
and then testing if sudo -l gives correct results would be great. If we also
test the more complicated SUDO options like -runasuser, -runasgroup with
isolated user/group, it would be great.

I am not sure if ipatests/test_xmlrpc/test_sudorule_plugin.py should be
extended to also do the functional checks or if there should be a separate
test, I will leave that up to you and Petr (CCed).

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
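
The integration test Martin sketches above, as an added example that is not part of FreeIPA's test suite or of this thread: a small checker that parses the output of `sudo -l` on an enrolled client and compares it with the rules expected for that host, covering a rule targeted at the host entry itself, one targeted at a hostgroup the host belongs to, and one with RunAs user and group. The rule names, host names, hostgroup, user `tuser` and the `sudo -l` output are constructed for illustration; the `ipa` commands in the comment are the real FreeIPA CLI commands that would create such rules, but against a hypothetical server.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

# Server-side setup the sample output below corresponds to (FreeIPA CLI on the
# server; all names are constructed for this example):
#   ipa sudocmd-add /usr/bin/less ; ipa sudocmd-add /usr/sbin/tcpdump
#   ipa sudorule-add host-rule
#   ipa sudorule-add-host host-rule --hosts=client1.example.test
#   ipa sudorule-add-user host-rule --users=tuser
#   ipa sudorule-add-allow-command host-rule --sudocmds=/usr/bin/less
#   ipa sudorule-add hostgroup-rule
#   ipa sudorule-add-host hostgroup-rule --hostgroups=webservers
#   ipa sudorule-add-user hostgroup-rule --users=tuser
#   ipa sudorule-add-allow-command hostgroup-rule --sudocmds=/usr/sbin/tcpdump
#   ipa sudorule-add-runasuser hostgroup-rule --users=admin
#   ipa sudorule-add-runasgroup hostgroup-rule --groups=wheel


@dataclass(frozen=True)
class SudoEntry:
    """One `(runas_user : runas_group) command` item as `sudo -l` prints it."""
    runas_user: str
    runas_group: Optional[str]
    command: str


@dataclass(frozen=True)
class SudoRule:
    """Model of an IPA sudo rule: which hosts it targets and what it allows."""
    name: str
    commands: Tuple[str, ...]
    hosts: FrozenSet[str] = frozenset()       # explicit host entries
    hostgroups: FrozenSet[str] = frozenset()  # hostgroups containing the host
    runas_user: str = "root"                  # sudo's default when no RunAs is set
    runas_group: Optional[str] = None


# Constructed rule set: host-targeted, hostgroup-targeted, and one for another host.
RULES = (
    SudoRule("host-rule", ("/usr/bin/less",), hosts=frozenset({"client1.example.test"})),
    SudoRule("hostgroup-rule", ("/usr/sbin/tcpdump",), hostgroups=frozenset({"webservers"}),
             runas_user="admin", runas_group="wheel"),
    SudoRule("other-host-rule", ("/usr/bin/strace",), hosts=frozenset({"client2.example.test"})),
)

# "    (root) /usr/bin/less"  or  "    (admin : wheel) NOPASSWD: /usr/sbin/tcpdump, /usr/bin/x"
_ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:[A-Z]+:\s*)*(?P<cmds>.+)$")
_HEADER_RE = re.compile(r"^User \S+ may run the following commands on ")


def parse_sudo_l(output: str) -> Set[SudoEntry]:
    """Collect the command entries from `sudo -l` output; Defaults lines are ignored."""
    entries: Set[SudoEntry] = set()
    in_list = False
    for line in output.splitlines():
        if _HEADER_RE.match(line):
            in_list = True
            continue
        if not in_list:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group("runas").split(":")]
        runas_user = parts[0]
        runas_group = parts[1] if len(parts) > 1 and parts[1] else None
        for cmd in m.group("cmds").split(","):
            entries.add(SudoEntry(runas_user, runas_group, cmd.strip()))
    return entries


def expected_entries(rules, host: str, host_groups: FrozenSet[str]) -> Set[SudoEntry]:
    """Entries `sudo -l` on `host` (a member of `host_groups`) must list for these rules."""
    expected: Set[SudoEntry] = set()
    for rule in rules:
        if host in rule.hosts or rule.hostgroups & host_groups:
            for cmd in rule.commands:
                expected.add(SudoEntry(rule.runas_user, rule.runas_group, cmd))
    return expected


def check_client(rules, host: str, host_groups: FrozenSet[str], sudo_l_output: str):
    """Return (missing, unexpected); the integration test passes when both are empty."""
    got = parse_sudo_l(sudo_l_output)
    want = expected_entries(rules, host, host_groups)
    return want - got, got - want


# Constructed `sudo -l` output for tuser on client1 (member of hostgroup webservers).
SAMPLE_OK = """\
Matching Defaults entries for tuser on client1:
    !visiblepw, env_reset

User tuser may run the following commands on client1:
    (root) /usr/bin/less
    (admin : wheel) /usr/sbin/tcpdump
"""
# Same client, but the RunAs group did not make it down to the client.
SAMPLE_MISSING_GROUP = SAMPLE_OK.replace("(admin : wheel)", "(admin)")
```

On a real client the test would feed `subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout` for the logged-in user to `check_client`, with the host's FQDN and the hostgroups the test itself created; the third rule is there to prove that a rule targeted at a different host does not leak into this host's list.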


Re: [Freeipa-devel] [PATCH 0157] ipa-client-install: Configure sudo to use SSSD as data source

2014-03-24 Thread Jan Pazdziora
On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote:
 Hi,
 
 Makes ipa-client-install configure SSSD as the data provider
 for the sudo service by default. This behaviour can be disabled
 by using --no-sudo flag.
 
 https://fedorahosted.org/freeipa/ticket/3358

Ack.

Applied against ipa-client-3.0.0-37.el6.x86_64, tried without
--no-sudo and sudo was added to sssd.conf's services list and sudoers
added to /etc/nsswitch.conf.

Rerun with --uninstall and run again with the --no-sudo parameter,
those settings were no longer there.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH 0157] ipa-client-install: Configure sudo to use SSSD as data source

2014-03-24 Thread Martin Kosek
On 03/24/2014 02:47 PM, Jan Pazdziora wrote:
 On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote:
 Hi,

 Makes ipa-client-install configure SSSD as the data provider
 for the sudo service by default. This behaviour can be disabled
 by using --no-sudo flag.

 https://fedorahosted.org/freeipa/ticket/3358
 
 Ack.
 
 Applied against ipa-client-3.0.0-37.el6.x86_64, tried without
 --no-sudo and sudo was added to sssd.conf's services list and sudoers
 added to /etc/nsswitch.conf.
 
 Rerun with --uninstall and run again with the --no-sudo parameter,
 those settings were no longer there.
 

Did you also do the functional test? To ack and push this ticket, the following
scenario needs to work:

1) IPA clients enroll against IPA server without --no-sudo
2) IPA client user logs in, types sudo -l, gets all allowed commands
(prerequisite is of course to have sudo commands defined on the IPA server)
3) IPA client reboots, IPA client user logs in, types sudo -l, gets all
allowed commands

For 2) to work, the NIS domain name must be set and the nsswitch and SSSD changes
must be done.

For 3) to work, the related systemd service preserving the NIS domain name setting
needs to be enabled.

Martin

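
A check for the client side of the scenario above, and for what Jan verified by hand in sssd.conf and nsswitch.conf, added here as example code that is not part of the patch or of FreeIPA. It inspects the two files the patch edits (the `sudoers` line in /etc/nsswitch.conf and the `services` list in the `[sssd]` section of /etc/sssd/sssd.conf, both real paths) and the NIS domain name that step 2) depends on; running it again after a reboot is the check for step 3). The file contents below are constructed, and the script does not name the systemd unit Martin refers to, which the thread leaves unspecified.

```python
import configparser
import subprocess
from typing import List

NSSWITCH_CONF = "/etc/nsswitch.conf"
SSSD_CONF = "/etc/sssd/sssd.conf"   # readable by root only; run the live check as root


def nsswitch_sudoers_sources(text: str) -> List[str]:
    """Sources on the `sudoers:` line of nsswitch.conf, [] when the line is absent."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip() == "sudoers":
            return value.split()
    return []


def sssd_services(text: str) -> List[str]:
    """Services enabled in the [sssd] section of sssd.conf (INI syntax)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def check_sudo_client(nsswitch_text: str, sssd_text: str, nis_domain: str) -> List[str]:
    """Everything that would stop `sudo -l` from showing the rules defined on the IPA server."""
    problems = []
    sources = nsswitch_sudoers_sources(nsswitch_text)
    if "sss" not in sources:
        problems.append("nsswitch.conf: sudoers line does not list sss (found %r)" % sources)
    if "sudo" not in sssd_services(sssd_text):
        problems.append("sssd.conf: 'sudo' is missing from services in the [sssd] section")
    if not nis_domain or nis_domain == "(none)":
        problems.append("NIS domain name is not set (step 2 of the scenario requires it)")
    return problems


def current_nis_domain() -> str:
    """What `nisdomainname` reports; '(none)' or '' means it is not set."""
    try:
        return subprocess.run(["nisdomainname"], capture_output=True,
                              text=True, check=False).stdout.strip()
    except FileNotFoundError:
        return ""


# Constructed file contents: a client enrolled with the patch's default, and one
# enrolled with --no-sudo (or before this patch).
SAMPLE_NSSWITCH_OK = """\
passwd:     files sss
group:      files sss
# sudoers line as written by ipa-client-install
sudoers:    files sss
netgroup:   files sss
"""
SAMPLE_NSSWITCH_NO_SUDO = "passwd: files sss\ngroup: files sss\nsudoers: files\n"
SAMPLE_SSSD_OK = """\
[domain/example.test]
id_provider = ipa
ipa_domain = example.test

[sssd]
services = nss, pam, ssh, sudo
domains = example.test
"""
SAMPLE_SSSD_NO_SUDO = "[sssd]\nservices = nss, pam, ssh\ndomains = example.test\n"

if __name__ == "__main__":
    with open(NSSWITCH_CONF) as f:
        nsswitch = f.read()
    with open(SSSD_CONF) as f:
        sssd = f.read()
    report = check_sudo_client(nsswitch, sssd, current_nis_domain())
    for line in report or ["ok: client is set up to take sudo rules from SSSD"]:
        print(line)
```

Run as root on the enrolled client before and after the reboot; an empty report on both runs is the precondition for `sudo -l` to show the IPA-defined commands, not proof that it does, so the `sudo -l` comparison still has to follow.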


Re: [Freeipa-devel] [PATCH 0157] ipa-client-install: Configure sudo to use SSSD as data source

2014-03-24 Thread Jan Pazdziora
On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote:
 On 03/24/2014 02:47 PM, Jan Pazdziora wrote:
  On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote:
  Hi,
 
  Makes ipa-client-install configure SSSD as the data provider
  for the sudo service by default. This behaviour can be disabled
  by using --no-sudo flag.
 
  https://fedorahosted.org/freeipa/ticket/3358
  
  Ack.
  
  Applied against ipa-client-3.0.0-37.el6.x86_64, tried without
  --no-sudo and sudo was added to sssd.conf's services list and sudoers
  added to /etc/nsswitch.conf.
  
  Rerun with --uninstall and run again with the --no-sudo parameter,
  those settings were no longer there.
  
 
 Did you also do the functional test?

No. I do not want to get dragged into the discussion of having the
correct sssd and sudo and glibc versions and SELinux and stuff. The
ticket explicitly talks about setting configuration in config files,
which the patch does.

 To ack and push this ticket, the following
 scenario needs to work:

Consumption of those configuration changes is really a different story,
isn't it?

 1) IPA clients enroll against IPA server without --no-sudo
 2) IPA client user logs in, types sudo -l, gets all allowed commands
 (prerequisite is of course to have sudo commands defined on the IPA server)
 3) IPA client reboots, IPA client user logs in, types sudo -l, gets all
 allowed commands
 
 For 2) to work, the NIS domain name must be set and the nsswitch and SSSD changes
 must be done.
 
 For 3) to work, the related systemd service preserving the NIS domain name setting
 needs to be enabled.

With the commit message only talking about configuring sssd, I assume
the NIS domain name mentioned in the ticket will be done by some other
patch.

To me, the patch does what is advertised in the commit message, and is
in line with what the ticket asks to be done.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH 0157] ipa-client-install: Configure sudo to use SSSD as data source

2014-03-24 Thread Martin Kosek
On 03/24/2014 03:27 PM, Jan Pazdziora wrote:
 On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote:
 On 03/24/2014 02:47 PM, Jan Pazdziora wrote:
 On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote:
 Hi,

 Makes ipa-client-install configure SSSD as the data provider
 for the sudo service by default. This behaviour can be disabled
 by using --no-sudo flag.

 https://fedorahosted.org/freeipa/ticket/3358

 Ack.

 Applied against ipa-client-3.0.0-37.el6.x86_64, tried without
 --no-sudo and sudo was added to sssd.conf's services list and sudoers
 added to /etc/nsswitch.conf.

 Rerun with --uninstall and run again with the --no-sudo parameter,
 those settings were no longer there.


 Did you also do the functional test?
 
 No. I do not want to get dragged into the discussion of having the
 correct sssd and sudo and glibc versions and SELinux and stuff. The
 ticket explicitly talks about setting configuration in config files,
 which the patch does.
 
 To ack and push this ticket, the following
 scenario needs to work:
 
 Consumption of those configuration changes is really a different story,
 isn't it?
 
 1) IPA clients enroll against IPA server without --no-sudo
 2) IPA client user logs in, types sudo -l, gets all allowed commands
 (prerequisite is of course to have sudo commands defined on the IPA server)
 3) IPA client reboots, IPA client user logs in, types sudo -l, gets all
 allowed commands

 For 2) to work, the NIS domain name must be set and the nsswitch and SSSD changes
 must be done.

 For 3) to work, the related systemd service preserving the NIS domain name setting
 needs to be enabled.
 
 With the commit message only talking about configuring sssd, I assume
 the NIS domain name mentioned in the ticket will be done by some other
 patch.
 
 To me, the patch does what is advertised in the commit message, and is
 in line with what the ticket asks to be done.
 

To me, it is not. I see your point that the commit message does not promise
that FreeIPA client sudo would work after this change, but as this is the sole
purpose of https://fedorahosted.org/freeipa/ticket/3358 and these patches are
the final umbrella patches, let us assume that.

To sum it up, I would prefer to push all these related patches and close this
ticket when it actually works.

Thanks,
Martin



[Freeipa-devel] [PATCH 0157] ipa-client-install: Configure sudo to use SSSD as data source

2014-03-03 Thread Tomas Babej
Hi,

Makes ipa-client-install configure SSSD as the data provider
for the sudo service by default. This behaviour can be disabled
by using --no-sudo flag.

https://fedorahosted.org/freeipa/ticket/3358


-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
From 68de0976b010a484fe29505c161bc874fc0d9e50 Mon Sep 17 00:00:00 2001
From: Tomas Babej tomasba...@gmail.com
Date: Thu, 21 Nov 2013 13:09:28 +0100
Subject: [PATCH] ipa-client-install: Configure sudo to use SSSD as data source

Makes ipa-client-install configure SSSD as the data provider
for the sudo service by default. This behaviour can be disabled
by using --no-sudo flag.

https://fedorahosted.org/freeipa/ticket/3358
---
 ipa-client/ipa-install/ipa-client-install | 46 +++
 ipa-client/man/ipa-client-install.1   |  3 ++
 2 files changed, 49 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 03679c10d09c64a284e3950a1808887ec52ae5ea..c20db0816e1d77d1fcda061d58a74d94eea8b9cf 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -137,6 +137,9 @@ def parse_options():
   help=do not configure OpenSSH client)
 basic_group.add_option(--no-sshd, dest=conf_sshd, default=True, action=store_false,
   help=do not configure OpenSSH server)
+basic_group.add_option(--no-sudo, dest=conf_sudo, default=True,
+  action=store_false,
+  help=do not configure SSSD as data source for sudo)
 basic_group.add_option(--no-dns-sshfp, dest=create_sshfp, default=True, action=store_false,
   help=do not automatically create DNS SSHFP records)
 basic_group.add_option(--noac, dest=no_ac, default=False, action=store_true,
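Review bot: the help string for --no-sudo describes only the SSSD side, but in configure_sssd_conf the same options.conf_sudo flag also gates the rewrite of the sudoers line in /etc/nsswitch.conf, so the text undersells what the flag disables; say so here, along the lines of "do not configure SSSD and /etc/nsswitch.conf as data source for sudo", and keep the man page wording in step with it. Minor style point: this add_option is split over three lines while the neighbouring --no-sshd and --no-dns-sshfp calls keep everything on one line; either is fine, but pick one within the block.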
@@ -1141,6 +1144,49 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie
 
 sssdconfig.activate_service('ssh')
 
+if options.conf_sudo:
+# Activate the service in the SSSD config
+try:
+sssdconfig.new_service('sudo')
+except SSSDConfig.ServiceAlreadyExists:
+pass
+except SSSDConfig.ServiceNotRecognizedError:
+root_logger.error(Unable to activate the SUDO service in 
+  SSSD config.)
+
+sssdconfig.activate_service('sudo')
+
+# Backup the nsswitch.conf, we're going to edit it now
+NSSWITCH_CONF = '/etc/nsswitch.conf'
+fstore.backup_file(NSSWITCH_CONF)
+
+conf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer)
+conf.setOptionAssignment(':')
+
+# Determine if nsswitch already contains files for sudoers or not
+sudoers_value = ' sss'
+
+with open('/etc/nsswitch.conf', 'r') as f:
+opts = conf.parse(f)
+option_result = conf.findOpts(opts, 'option', 'sudoers')[1]
+
+if option_result and 'files' in option_result['value']:
+sudoers_value = ' files sss'
+
+# Set sss as data source for sudoers
+opts = [{'name':'sudoers',
+ 'type':'option',
+ 'action':'set',
+ 'value': sudoers_value
+},
+{'name':'empty',
+ 'type':'empty'
+}]
+
+conf.changeConf(NSSWITCH_CONF, opts)
+root_logger.info(Configured %s % NSSWITCH_CONF)
+
+
 domain.add_provider('ipa', 'id')
 
 #add discovery domain if client domain different from server domain
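Review bot: the except SSSDConfig.ServiceNotRecognizedError branch only logs an error and then falls through to sssdconfig.activate_service('sudo') and to the nsswitch.conf rewrite, so on a client whose SSSD does not know the sudo service the installer still points `sudoers: files sss` at a responder it never configured; return from the block, or set a flag and skip the remaining steps, right after root_logger.error. Two smaller points in the same hunk: NSSWITCH_CONF is introduced and then bypassed two statements later by open('/etc/nsswitch.conf', 'r'), which should use the constant; and sudoers_value only ever becomes ' sss' or ' files sss', so an existing line such as `sudoers: files ldap` loses ldap silently, whereas appending sss to the parsed option_result['value'] when it is not already present would preserve the administrator's ordering and extra sources.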
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index a7acf58e532d4d39abd6db0bd5c38a74a708ee3e..b3526379f44eec4ada9303c9d3987bc889256118 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -137,6 +137,9 @@ Do not configure OpenSSH client.
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
+\fB\-\-no\-sudo\fR
+Do not configure SSSD as a data source for sudo.
+.TP
 \fB\-\-no\-dns\-sshfp\fR
 Do not automatically create DNS SSHFP records.
 .TP
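Review bot: "Do not configure SSSD as a data source for sudo." does not tell the reader that the default also rewrites the sudoers line in /etc/nsswitch.conf (backed up through fstore, so --uninstall restores it); since --no-sudo is the only way to keep that file untouched, the man page should say so, e.g. "Do not configure SSSD as a data source for sudo; sssd.conf and the sudoers entry in /etc/nsswitch.conf are left unchanged."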
-- 
1.8.5.3

