Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 03/03/2014 08:16 PM, Tomas Babej wrote:
> The updated patch addresses all the mentioned issues.
>
> Also enables systemd's specific domainname service instead of relying
> ypbind being present on the system.
>
> Please note that nisdomainname is not configured on boot time at the
> moment. The following bug is the cause:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1071951
>
> On 11/14/2013 12:54 PM, Ana Krivokapic wrote:
>> On 09/26/2013 10:28 AM, Tomas Babej wrote:
>>> +if options.no_nisdomain and not options.nisdomain:
>> This should be `if options.no_nisdomain and options.nisdomain:`.
>>> +parser.error("--no-nisdomain cannot be used together with
>>> --nisdomain")
>>
>> Shouldn't we also revert the nisdomain authconfig setting on client
>> uninstall?

This set the NIS domain correctly after the restart. However, it did not set it
*before* the restart. Thus, after I installed IPA server/client, NIS domain was
not set and thus SUDO would not work.

Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 03/28/2014 08:42 AM, Martin Kosek wrote:
> On 03/26/2014 06:46 PM, Martin Kosek wrote:
>> On 03/03/2014 08:16 PM, Tomas Babej wrote:
>>> The updated patch addresses all the mentioned issues.
>>>
>>> Also enables systemd's specific domainname service instead of relying
>>> ypbind being present on the system.
>>>
>>> Please note that nisdomainname is not configured on boot time at the
>>> moment. The following bug is the cause:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1071951
>> I spoke with initscripts maintainer, applied little pressure and fixed
>> version is now on its way to updates-testing - initscripts-9.51-2.fc20.
>>
>> Martin
> Tomas, did you test the referred build? If yes, it would be great to give it a
> karma so that it gets soon to stable update repo:
>
> https://admin.fedoraproject.org/updates/FEDORA-2014-4376/initscripts-9.51-2.fc20
>
> Thanks,
> Martin

Yes. I gave the karma, now it should be on its way to stable update
repository.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 03/26/2014 06:46 PM, Martin Kosek wrote:
> On 03/03/2014 08:16 PM, Tomas Babej wrote:
>> The updated patch addresses all the mentioned issues.
>>
>> Also enables systemd's specific domainname service instead of relying
>> ypbind being present on the system.
>>
>> Please note that nisdomainname is not configured on boot time at the
>> moment. The following bug is the cause:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1071951
>
> I spoke with initscripts maintainer, applied little pressure and fixed version
> is now on its way to updates-testing - initscripts-9.51-2.fc20.
>
> Martin

Tomas, did you test the referred build? If yes, it would be great to give it a
karma so that it gets soon to stable update repo:

https://admin.fedoraproject.org/updates/FEDORA-2014-4376/initscripts-9.51-2.fc20

Thanks,
Martin
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 03/03/2014 08:16 PM, Tomas Babej wrote:
> The updated patch addresses all the mentioned issues.
>
> Also enables systemd's specific domainname service instead of relying
> ypbind being present on the system.
>
> Please note that nisdomainname is not configured on boot time at the
> moment. The following bug is the cause:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1071951

I spoke with initscripts maintainer, applied little pressure and fixed version
is now on its way to updates-testing - initscripts-9.51-2.fc20.

Martin
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
The updated patch addresses all the mentioned issues.

Also enables systemd's specific domainname service instead of relying
ypbind being present on the system.

Please note that nisdomainname is not configured on boot time at the
moment. The following bug is the cause:

https://bugzilla.redhat.com/show_bug.cgi?id=1071951

On 11/14/2013 12:54 PM, Ana Krivokapic wrote:
> On 09/26/2013 10:28 AM, Tomas Babej wrote:
>> +if options.no_nisdomain and not options.nisdomain:
> This should be `if options.no_nisdomain and options.nisdomain:`.
>> +parser.error("--no-nisdomain cannot be used together with
>> --nisdomain")
>
> Shouldn't we also revert the nisdomain authconfig setting on client uninstall?

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

>From 3b66934f1dd3167dc56ffa8b4a750a0912a89642 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Wed, 25 Sep 2013 13:45:45 +0200
Subject: [PATCH] ipa-client: Set NIS domain name in the installer

Provides two new options for the ipa-client-install:
--nisdomain: specifies the NIS domain name
--no_nisdomain: flag to avoid setting the NIS domain name

In case no --nisdomain is specified and --no_nisdomain flag was
not set, the IPA domain is used.

Manual pages updated.

http://fedorahosted.org/freeipa/ticket/3202
--- ipa-client/ipa-install/ipa-client-install | 65 +++ ipa-client/man/ipa-client-install.1 | 6 +++ ipapython/platform/base/__init__.py | 3 +- ipapython/platform/fedora16/service.py| 2 + 4 files changed, 75 insertions(+), 1 deletion(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 7cc0c33973fb9bd2113b33da7cb1d450b66a49dd..03679c10d09c64a284e3950a1808887ec52ae5ea 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install
@@ -126,6 +126,11 @@ def parse_options(): basic_group.add_option("", "--force-ntpd", dest="force_ntpd", action="store_true", default=False, help="Stop and disable any time&date synchronization services besides ntpd") +basic_group.add_option("--nisdomain", dest="nisdomain", + help="NIS domain name") +basic_group.add_option("--no-nisdomain", action="store_true", default=False, + help="do not configure NIS domain name", + dest="no_nisdomain") basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true", help="configure OpenSSH client to trust DNS SSHFP records") basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false", @@ -195,6 +200,9 @@ def parse_options(): if options.firefox_dir and not options.configure_firefox: parser.error("--firefox-dir cannot be used without --configure-firefox option") +if options.no_nisdomain and options.nisdomain: +parser.error("--no-nisdomain cannot be used together with --nisdomain") + return safe_opts, options def logging_setup(options): @@ -595,6 +603,7 @@ def uninstall(options, env): fstore.restore_all_files() ipautil.restore_hostname(statestore) +unconfigure_nisdomain() nscd = ipaservices.knownservices.nscd nslcd = ipaservices.knownservices.nslcd 
@@ -1351,6 +1360,59 @@ def configure_automount(options): root_logger.info(stdout) +def configure_nisdomain(options, domain): +domain = options.nisdomain or domain +root_logger.info('Configuring %s as NIS domain.' % domain) + +nis_domain_name = '' + +# First backup the old NIS domain name +if os.path.exists('/usr/bin/nisdomainname'): +try: +nis_domain_name, _, _ = ipautil.run(['/usr/bin/nisdomainname']) +except CalledProcessError, e: +pass + +statestore.backup_state('network', 'nisdomain', nis_domain_name) + +# Backup the state of the domainname service +statestore.backup_state("domainname", "enabled", +ipaservices.knownservices.domainname.is_enabled()) + +# Set the new NIS domain name +set_nisdomain(domain) + +# Enable and start the domainname service +ipaservices.knownservices.domainname.enable() +ipaservices.knownservices.domainname.start() + + +def unconfigure_nisdomain(): +# Set the nisdomain permanent and current nisdomain configuration as it was +if statestore.has_state('network'): +old_nisdomain = statestore.restore_state('network','nisdomain') or '' + +if old_nisdomain: +root_logger.info('Restoring %s as NIS domain.' % old_nisdomain) +else: +root_logger.info('Unconfiguring the NIS domain.') + +set_nisdomain(old_nisdomain) + +# Restore the configuration of the domainname service +enabled = statestore.restore_state('domainname', 'enab
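Review bot: the option added in the first parse_options hunk (@@ -126,6 +126,11 @@) is spelled `--no-nisdomain`, but the commit message documents it as `--no_nisdomain` in both places it is mentioned. Align the commit message with the option string so the log matches what users type. The `--nisdomain` help text could also state that the IPA domain is used when the option is omitted, as the commit message does.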
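Review bot: in the validation hunk (@@ -195,6 +200,9 @@), `if options.no_nisdomain and options.nisdomain:` tests truthiness, so `--no-nisdomain` combined with an explicitly empty `--nisdomain ""` is not rejected. The same truthiness test in `domain = options.nisdomain or domain` in configure_nisdomain means an empty value silently falls back to the IPA domain. Comparing against None (`options.nisdomain is not None`) in both places would let the installer reject or handle the empty value explicitly.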
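Review bot: configure_nisdomain (hunk @@ -1351,6 +1360,59 @@) passes the stdout of /usr/bin/nisdomainname to statestore.backup_state exactly as ipautil.run returned it, with no strip(), and the transcript quoted elsewhere in this thread shows the command printing "(none)" when no domain is set; unconfigure_nisdomain would then hand that literal to set_nisdomain as if it were a real domain. Strip the output and map "(none)" to '' before backing it up. Separately, `except CalledProcessError, e: pass` drops the failure without a log line and leaves `e` unused; a root_logger.debug call there would make a failed backup visible.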
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 10:28 AM, Tomas Babej wrote:
> +if options.no_nisdomain and not options.nisdomain:

This should be `if options.no_nisdomain and options.nisdomain:`.

> +parser.error("--no-nisdomain cannot be used together with
> --nisdomain")

Shouldn't we also revert the nisdomain authconfig setting on client uninstall?

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 03:16 PM, Petr Viktorin wrote:
> On 09/26/2013 02:58 PM, Martin Kosek wrote:
>> On 09/26/2013 02:45 PM, Jan Cholasta wrote:
>>> On 26.9.2013 14:38, Martin Kosek wrote:
>>>> On 09/26/2013 02:28 PM, Tomas Babej wrote:
>>>>> On 09/26/2013 12:20 PM, Jan Cholasta wrote: ...
>>>>> I just found --no-nisdomain more descriptive and explicit. If there is a
>>>>> consensus, I can remove it.
>>>>
>>>> I am not aware of any precedent that would warrant --nisdomain="".
>
> We sort of have precedent in `ipa` in multivalued options, leaving those empty
> deletes the values.
>
>>> I have seen concerns about the number of ipa-client-install options in the
>>> past (not by me).
>>
>> IMHO, we are currently OK on this front. Having options categorized in
>> sections, as we already do, helps.
>>
>>>> IMO --no-nisdomain is more consistent with rest of the options.
>>>
>>> I don't see any other --= and --no- option pair in ipa-client-install, so
>>> what consistency are you talking about?
>>
>> I was referring to --no-ssh, --no-ntp and similar. But it is true that these
>> rather disable entire features than delete a value. I do not punt on this,
>> --nisdomain="" may be OK as well.
>
> IMO empty option values are awkward; --no-nisdomain is more user-friendly, and
> can be explained more clearly, even though it needs an additional option.

OK, we let this rot on the list for a while. I retested the patch and it still
applies and works with the current master.

I think we should keep both options, no-nisdomain is more descriptive and an
explicit option is more necessary here since we are setting nisdomain by
default. Hence I would avoid having to use --nisdomain="" to disable setting
the nisdomain, since it is rather implicit (even if we commented on it in the
option description).

Option-nitpicking aside, I think this patch is ready for a proper functional
review.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 02:58 PM, Martin Kosek wrote:
> On 09/26/2013 02:45 PM, Jan Cholasta wrote:
>> On 26.9.2013 14:38, Martin Kosek wrote:
>>> On 09/26/2013 02:28 PM, Tomas Babej wrote:
>>>> On 09/26/2013 12:20 PM, Jan Cholasta wrote: ...
>>>> I just found --no-nisdomain more descriptive and explicit. If there is a
>>>> consensus, I can remove it.
>>>
>>> I am not aware of any precedent that would warrant --nisdomain="".

We sort of have precedent in `ipa` in multivalued options, leaving those empty
deletes the values.

>> I have seen concerns about the number of ipa-client-install options in the
>> past (not by me).
>
> IMHO, we are currently OK on this front. Having options categorized in
> sections, as we already do, helps.
>
>>> IMO --no-nisdomain is more consistent with rest of the options.
>>
>> I don't see any other --= and --no- option pair in ipa-client-install, so
>> what consistency are you talking about?
>
> I was referring to --no-ssh, --no-ntp and similar. But it is true that these
> rather disable entire features than delete a value. I do not punt on this,
> --nisdomain="" may be OK as well.

IMO empty option values are awkward; --no-nisdomain is more user-friendly, and
can be explained more clearly, even though it needs an additional option.

--
Petr³
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 02:45 PM, Jan Cholasta wrote:
> On 26.9.2013 14:38, Martin Kosek wrote:
>> On 09/26/2013 02:28 PM, Tomas Babej wrote:
>>> On 09/26/2013 12:20 PM, Jan Cholasta wrote: ...
>>> I just found --no-nisdomain more descriptive and explicit. If there is a
>>> consensus, I can remove it.
>>>
>>
>> I am not aware of any precedent that would warrant --nisdomain="".
>
> I have seen concerns about the number of ipa-client-install options in the
> past (not by me).

IMHO, we are currently OK on this front. Having options categorized in
sections, as we already do, helps.

>> IMO --no-nisdomain is more consistent with rest of the options.
>
> I don't see any other --= and --no- option pair in
> ipa-client-install, so what consistency are you talking about?

I was referring to --no-ssh, --no-ntp and similar. But it is true that these
rather disable entire features than delete a value. I do not punt on this,
--nisdomain="" may be OK as well.

Martin
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 26.9.2013 14:38, Martin Kosek wrote:
> On 09/26/2013 02:28 PM, Tomas Babej wrote:
>> On 09/26/2013 12:20 PM, Jan Cholasta wrote:
>>> On 26.9.2013 10:28, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> Provides two new options for the ipa-client-install:
>>>> --nisdomain: specifies the NIS domain name
>>>> --no_nisdomain: flag to avoid setting the NIS domain name
>>>>
>>>> In case no --nisdomain is specified and --no_nisdomain flag was
>>>> not set, the IPA domain is used.
>>>>
>>>> Manual pages updated.
>>>>
>>>> http://fedorahosted.org/freeipa/ticket/3202
>>>>
>>>> Design page:
>>>>
>>>> http://www.freeipa.org/page/V3_Minor_Enhancements
>>>
>>> Is the --no-nisdomain option necessary? IMO --nisdomain with empty value
>>> (i.e. "--nisdomain=" or "--nisdomain ''") should be sufficient for this.
>>>
>>> Honza
>>
>> I just found --no-nisdomain more descriptive and explicit. If there is a
>> consensus, I can remove it.
>
> I am not aware of any precedent that would warrant --nisdomain="".

I have seen concerns about the number of ipa-client-install options in the
past (not by me).

> IMO --no-nisdomain is more consistent with rest of the options.

I don't see any other --= and --no- option pair in ipa-client-install, so
what consistency are you talking about?

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 02:28 PM, Tomas Babej wrote:
> On 09/26/2013 12:20 PM, Jan Cholasta wrote:
>> On 26.9.2013 10:28, Tomas Babej wrote:
>>> Hi,
>>>
>>> Provides two new options for the ipa-client-install:
>>> --nisdomain: specifies the NIS domain name
>>> --no_nisdomain: flag to avoid setting the NIS domain name
>>>
>>> In case no --nisdomain is specified and --no_nisdomain flag was
>>> not set, the IPA domain is used.
>>>
>>> Manual pages updated.
>>>
>>> http://fedorahosted.org/freeipa/ticket/3202
>>>
>>> Design page:
>>>
>>> http://www.freeipa.org/page/V3_Minor_Enhancements
>>>
>>
>> Is the --no-nisdomain option necessary? IMO --nisdomain with empty value
>> (i.e. "--nisdomain=" or "--nisdomain ''") should be sufficient for this.
>>
>> Honza
>>
>
> I just found --no-nisdomain more descriptive and explicit. If there is a
> consensus, I can remove it.
>

I am not aware of any precedent that would warrant --nisdomain="".
IMO --no-nisdomain is more consistent with rest of the options.

Martin
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 12:20 PM, Jan Cholasta wrote:
> On 26.9.2013 10:28, Tomas Babej wrote:
>> Hi,
>>
>> Provides two new options for the ipa-client-install:
>> --nisdomain: specifies the NIS domain name
>> --no_nisdomain: flag to avoid setting the NIS domain name
>>
>> In case no --nisdomain is specified and --no_nisdomain flag was
>> not set, the IPA domain is used.
>>
>> Manual pages updated.
>>
>> http://fedorahosted.org/freeipa/ticket/3202
>>
>> Design page:
>>
>> http://www.freeipa.org/page/V3_Minor_Enhancements
>
> Is the --no-nisdomain option necessary? IMO --nisdomain with empty value
> (i.e. "--nisdomain=" or "--nisdomain ''") should be sufficient for this.
>
> Honza

I just found --no-nisdomain more descriptive and explicit. If there is a
consensus, I can remove it.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 02:02 PM, Martin Kosek wrote:
> On 09/26/2013 10:28 AM, Tomas Babej wrote:
>> Hi,
>>
>> Provides two new options for the ipa-client-install:
>> --nisdomain: specifies the NIS domain name
>> --no_nisdomain: flag to avoid setting the NIS domain name
>>
>> In case no --nisdomain is specified and --no_nisdomain flag was
>> not set, the IPA domain is used.
>>
>> Manual pages updated.
>>
>> http://fedorahosted.org/freeipa/ticket/3202
>>
>> Design page:
>>
>> http://www.freeipa.org/page/V3_Minor_Enhancements
>
> Are you sure that authconfig is the right place to configure nisdomain?
>
> # authconfig --nisdomain example.com --update
> Stopping sssd: [ OK ]
> # service sssd status
> sssd is stopped
> # nisdomainname
> (none)
>
> We also need to verify that netgroups and SUDO support in SSSD will work with
> the new --nisdomain option.
>
> Martin

We figured out with Martin that this is specific behaviour on the RHEL 6.4,
on F19 I did not see sssd service being stopped.

For nisdomainname command to read the configuration though, according to this
Red Hat Access article you need to start ypbind service.

https://access.redhat.com/site/articles/2278

This way I got it working on the F19.

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 09/26/2013 10:28 AM, Tomas Babej wrote:
> Hi,
>
> Provides two new options for the ipa-client-install:
> --nisdomain: specifies the NIS domain name
> --no_nisdomain: flag to avoid setting the NIS domain name
>
> In case no --nisdomain is specified and --no_nisdomain flag was
> not set, the IPA domain is used.
>
> Manual pages updated.
>
> http://fedorahosted.org/freeipa/ticket/3202
>
> Design page:
>
> http://www.freeipa.org/page/V3_Minor_Enhancements
>

Are you sure that authconfig is the right place to configure nisdomain?

# authconfig --nisdomain example.com --update
Stopping sssd: [ OK ]
# service sssd status
sssd is stopped
# nisdomainname
(none)

We also need to verify that netgroups and SUDO support in SSSD will work with
the new --nisdomain option.

Martin
Re: [Freeipa-devel] [PATCH 0113] ipa-client: Set NIS domain name in the installer
On 26.9.2013 10:28, Tomas Babej wrote:
> Hi,
>
> Provides two new options for the ipa-client-install:
> --nisdomain: specifies the NIS domain name
> --no_nisdomain: flag to avoid setting the NIS domain name
>
> In case no --nisdomain is specified and --no_nisdomain flag was
> not set, the IPA domain is used.
>
> Manual pages updated.
>
> http://fedorahosted.org/freeipa/ticket/3202
>
> Design page:
>
> http://www.freeipa.org/page/V3_Minor_Enhancements

Is the --no-nisdomain option necessary? IMO --nisdomain with empty value
(i.e. "--nisdomain=" or "--nisdomain ''") should be sufficient for this.

Honza

--
Jan Cholasta