Re: [Freeipa-users] ipa-client-install generates bad sssd.conf
On 03/05/17 11:47, Timo Aaltonen wrote:
>
> pam-auth-update configures pam, there's nothing else to be configured..
> I just ran ipa-client-install on Ubuntu zesty with freeipa-client
> 4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:
>
> services = nss, sudo, pam, ssh
>
>

Do you get the same for 4.4.3-3 (the version in Debian experimental, AFAICT) on sid? I don't :-(.

Command line:

ipa-client-install --hostname `hostname` --no-ssh --no-sshd --no-nisdomain

Regards
Harri

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-client-install generates bad sssd.conf
On 03.03.2017 16:53, Rob Crittenden wrote:
> Harald Dunkel wrote:
>> On 03/03/17 10:14, Jakub Hrozek wrote:
>>> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>>> This is systemd-only?
>>>>
>>>> Wouldn't it be better to create a working sssd.conf, no matter
>>>> what?
>>>
>>> It is up to whoever is creating the sssd.conf. As I said, the change is
>>> backwards-compatible. If you want the services to be started by sssd,
>>> then list them in the services line. If you want to have them started on
>>> demand and have a simpler configuration, you rely on the systemd services
>>> manager.
>>>
>>
>> Understood. I will try 1.15.1 as soon as possible.
>>
>> Reading ipa-client-install it appears to me that the other
>> services haven't been omitted on purpose. I have the
>> impression that nss and pam have simply been forgotten.
>>
>> sssd's ssh service is defined only if ipa-client-install
>> is allowed to touch the ssh or sshd configuration, but I
>> have *no* idea why there is such a correlation.
>>
>> Would somebody mind to look into this?
>
> This is managed by authconfig on Fedora/RHEL systems. Not sure what
> Debian does in this regard. Timo?

pam-auth-update configures pam, there's nothing else to be configured..
I just ran ipa-client-install on Ubuntu zesty with freeipa-client
4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:

services = nss, sudo, pam, ssh

--
t
Re: [Freeipa-users] ipa-client-install generates bad sssd.conf
Harald Dunkel wrote:
> On 03/03/17 10:14, Jakub Hrozek wrote:
>> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>>
>>> This is systemd-only?
>>>
>>> Wouldn't it be better to create a working sssd.conf, no matter
>>> what?
>>
>> It is up to whoever is creating the sssd.conf. As I said, the change is
>> backwards-compatible. If you want the services to be started by sssd,
>> then list them in the services line. If you want to have them started on
>> demand and have a simpler configuration, you rely on the systemd services
>> manager.
>>
>
> Understood. I will try 1.15.1 as soon as possible.
>
> Reading ipa-client-install it appears to me that the other
> services haven't been omitted on purpose. I have the
> impression that nss and pam have simply been forgotten.
>
> sssd's ssh service is defined only if ipa-client-install
> is allowed to touch the ssh or sshd configuration, but I
> have *no* idea why there is such a correlation.
>
> Would somebody mind to look into this?

This is managed by authconfig on Fedora/RHEL systems. Not sure what
Debian does in this regard. Timo?

rob
Re: [Freeipa-users] ipa-client-install generates bad sssd.conf
On 03/03/17 10:14, Jakub Hrozek wrote:
> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>
>> This is systemd-only?
>>
>> Wouldn't it be better to create a working sssd.conf, no matter
>> what?
>
> It is up to whoever is creating the sssd.conf. As I said, the change is
> backwards-compatible. If you want the services to be started by sssd,
> then list them in the services line. If you want to have them started on
> demand and have a simpler configuration, you rely on the systemd services
> manager.
>

Understood. I will try 1.15.1 as soon as possible.

Reading ipa-client-install it appears to me that the other
services haven't been omitted on purpose. I have the
impression that nss and pam have simply been forgotten.

sssd's ssh service is defined only if ipa-client-install
is allowed to touch the ssh or sshd configuration, but I
have *no* idea why there is such a correlation.

Would somebody mind to look into this?

Thanx very much
Harri
Re: [Freeipa-users] ipa-client-install generates bad sssd.conf
On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
> Hi Jakub,
>
> On 03/03/17 09:32, Jakub Hrozek wrote:
> > On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> >> Hi folks,
> >>
> >> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> >> Debian Stretch
> > ~~
> > This is important I guess.
> >
> > Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
> > no longer required to have them explicitly listed in the services line
> > of the sssd section. But:
> > - there were some nasty bugs in the first version of the socket
> >   activation. We will be releasing 1.15.1 today to address those
> >   issues
> > - the sockets must be enabled (systemctl status sssd-nss.socket). I
> >   understand Debian is doing this but I'm neither Debian user nor
> >   developer. I would suggest to ask on some Debian-specific forum or
> >   file a bug report if the resulting configuration doesn't work.
> >
>
> This is systemd-only?
>
> Wouldn't it be better to create a working sssd.conf, no matter
> what?

It is up to whoever is creating the sssd.conf. As I said, the change is
backwards-compatible. If you want the services to be started by sssd,
then list them in the services line. If you want to have them started on
demand and have a simpler configuration, you rely on the systemd services
manager.
Re: [Freeipa-users] ipa-client-install generates bad sssd.conf
Hi Jakub,

On 03/03/17 09:32, Jakub Hrozek wrote:
> On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
>> Hi folks,
>>
>> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
>> Debian Stretch
> ~~
> This is important I guess.
>
> Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
> no longer required to have them explicitly listed in the services line
> of the sssd section. But:
> - there were some nasty bugs in the first version of the socket
>   activation. We will be releasing 1.15.1 today to address those
>   issues
> - the sockets must be enabled (systemctl status sssd-nss.socket). I
>   understand Debian is doing this but I'm neither Debian user nor
>   developer. I would suggest to ask on some Debian-specific forum or
>   file a bug report if the resulting configuration doesn't work.
>

This is systemd-only?

Wouldn't it be better to create a working sssd.conf, no matter
what?

Regards
Harri
Re: [Freeipa-users] ipa-client-install generates bad sssd.conf
On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> Hi folks,
>
> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> Debian Stretch
~~
This is important I guess.

Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
no longer required to have them explicitly listed in the services line
of the sssd section. But:
- there were some nasty bugs in the first version of the socket
  activation. We will be releasing 1.15.1 today to address those
  issues
- the sockets must be enabled (systemctl status sssd-nss.socket). I
  understand Debian is doing this but I'm neither Debian user nor
  developer. I would suggest to ask on some Debian-specific forum or
  file a bug report if the resulting configuration doesn't work.

> ipa-client-install creates a bad sssd.conf file, e.g.
>
> [domain/example.com]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = stretch1.vs.example.com
> chpass_provider = ipa
> ipa_server = _srv_, ipa1.example.com
> dns_discovery_domain = example.com
> [sssd]
> domains = example.com
> services = sudo

btw I find it strange that sudo is listed. I would expect either all or
no services to be listed. The feature is backwards-compatible, so if you
list the services explicitly, the sssd process would still start them
explicitly, just as it did with previous versions.

> [sudo]
>
>
> Esp. the services for nss, pam and ssh are not setup. Is this
> as expected?
>
>
> Every helpful comment is highly appreciated.
> Harri
[Freeipa-users] ipa-client-install generates bad sssd.conf
Hi folks,

running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
Debian Stretch

ipa-client-install creates a bad sssd.conf file, e.g.

[domain/example.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = stretch1.vs.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.com
dns_discovery_domain = example.com
[sssd]
domains = example.com
services = sudo

[sudo]


Esp. the services for nss, pam and ssh are not setup. Is this
as expected?


Every helpful comment is highly appreciated.
Harri
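Added example (not part of any post in this thread, and not FreeIPA or SSSD code): a check of a generated sssd.conf against the two start-up paths described in the thread, the services line and socket activation. The sample config is constructed from the one posted above; the expected responder set and the assumption that every unit follows the sssd-nss.socket naming are this example's, and the list of enabled sockets has to be collected separately on the host.

```python
import configparser

# Constructed sample: the [sssd] part of the posted file, domain section shortened.
SAMPLE_CONF = """\
[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipa1.example.com
[sssd]
domains = example.com
services = sudo
[sudo]
"""

# Responders the thread expects on an IPA client (assumption of this example).
EXPECTED = ("nss", "pam", "sudo", "ssh")


def listed_services(conf_text):
    """Return the responders named on the services line of the [sssd] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def audit(conf_text, enabled_sockets=(), expected=EXPECTED):
    """Map each expected responder to 'listed', 'socket' or 'missing'.

    enabled_sockets holds unit names such as 'sssd-nss.socket' that are
    enabled on the host; anything not matching that pattern is ignored.
    """
    listed = set(listed_services(conf_text))
    sockets = {u[5:-7] for u in enabled_sockets
               if u.startswith("sssd-") and u.endswith(".socket")}
    return {svc: "listed" if svc in listed
            else "socket" if svc in sockets
            else "missing"
            for svc in expected}


def missing(conf_text, enabled_sockets=()):
    """Responders that neither sssd nor systemd would start."""
    states = audit(conf_text, enabled_sockets)
    return sorted(svc for svc, state in states.items() if state == "missing")


if __name__ == "__main__":
    for svc, state in audit(SAMPLE_CONF, ["sssd-nss.socket"]).items():
        print(f"{svc:5} {state}")
```

On a system without systemd the socket list is empty, so the services line is the only path and every "missing" entry is a responder that will not run.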