Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2017-05-09 Thread Rob Crittenden 
Prasun Gera wrote:
> Just writing to say that the automount scripts still seem to be quite
> broken in RHEL 7.3. I did a couple of client installs recently,
> and ipa-client-automount --install completed successfully, but didn't
> add sss to /etc/nsswitch.conf. By now, I've got used to this pattern. So
> I look for the presence or absence of sss in nsswitch.conf after running
> any of these scripts, since that seems to be the most common issue.

https://bugzilla.redhat.com/show_bug.cgi?id=1392540

rob

> 
> On Thu, Sep 3, 2015 at 3:17 AM, Alexander Bokovoy  > wrote:
> 
> On Wed, 02 Sep 2015, Prasun Gera wrote:
> 
> I have zero confidence in any of the install and uninstall
> scripts. And
> this is on RHEL systems. On unofficial ones like Ubuntu, things
> are even
> more broken. I really like freeipa, but so far even in a
> smallish lab
> environment, it has been a nightmare. I am really tempted to
> just go back
> to NIS. Does anyone have any ideas or proposals for making
> things more
> robust ? At the very least, I think that these sort of
> modifications to
> system files should only happen with package install/removal.
> Any changes
> that ipa's scripts do should be local to ipa's internal state.
> Better would
> be to have an internal ipa database sort of thing which keeps
> track of what
> the current state is so that even if a script dies, which has
> happened
> often, the next attempt reads the database and figures out what
> happened
> earlier.
> 
> File bugs with enough details. It is the only reliable way to fix any
> issues where environments differ. Install/uninstall scripts work for
> fresh installs in RHEL and Fedora because this is what is tested. If you
> have repurposed machines from some other setups, things might differ and
> only you know what is in your environment.
> 
> That's not bad or good, that's just different -- the more different
> environments we see, more robust code can be added. People are
> infinitely more clever than computers when it comes to configuration
> files' format mangling.
> 
> I've seen multiple cases where a claim of 'ipa scripts broke my
> configuration' was later retracted saying that puppet or other SCM run
> afterwards did these changes. That just happen, if there are many
> elephants dancing in the room, a careful coordination is always a good
> idea.
> 
> Coming back to your issues, please file bugs -- either upstream or
> downstream, via distributions, whatever way is more suitable to you.
> Contributing 'broken' config files would be good too.
> 
> 
> -- 
> / Alexander Bokovoy
> 
> 
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2017-05-09 Thread Prasun Gera 
Just writing to say that the automount scripts still seem to be quite
broken in RHEL 7.3. I did a couple of client installs recently, and
ipa-client-automount
--install completed successfully, but didn't add sss to /etc/nsswitch.conf.
By now, I've got used to this pattern. So I look for the presence or
absence of sss in nsswitch.conf after running any of these scripts, since
that seems to be the most common issue.

On Thu, Sep 3, 2015 at 3:17 AM, Alexander Bokovoy 
wrote:

> On Wed, 02 Sep 2015, Prasun Gera wrote:
>
>> I have zero confidence in any of the install and uninstall scripts. And
>> this is on RHEL systems. On unofficial ones like Ubuntu, things are even
>> more broken. I really like freeipa, but so far even in a smallish lab
>> environment, it has been a nightmare. I am really tempted to just go back
>> to NIS. Does anyone have any ideas or proposals for making things more
>> robust ? At the very least, I think that these sort of modifications to
>> system files should only happen with package install/removal. Any changes
>> that ipa's scripts do should be local to ipa's internal state. Better
>> would
>> be to have an internal ipa database sort of thing which keeps track of
>> what
>> the current state is so that even if a script dies, which has happened
>> often, the next attempt reads the database and figures out what happened
>> earlier.
>>
> File bugs with enough details. It is the only reliable way to fix any
> issues where environments differ. Install/uninstall scripts work for
> fresh installs in RHEL and Fedora because this is what is tested. If you
> have repurposed machines from some other setups, things might differ and
> only you know what is in your environment.
>
> That's not bad or good, that's just different -- the more different
> environments we see, more robust code can be added. People are
> infinitely more clever than computers when it comes to configuration
> files' format mangling.
>
> I've seen multiple cases where a claim of 'ipa scripts broke my
> configuration' was later retracted saying that puppet or other SCM run
> afterwards did these changes. That just happen, if there are many
> elephants dancing in the room, a careful coordination is always a good
> idea.
>
> Coming back to your issues, please file bugs -- either upstream or
> downstream, via distributions, whatever way is more suitable to you.
> Contributing 'broken' config files would be good too.
>
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-09-03 Thread Alexander Bokovoy 

On Wed, 02 Sep 2015, Prasun Gera wrote:

I have zero confidence in any of the install and uninstall scripts. And
this is on RHEL systems. On unofficial ones like Ubuntu, things are even
more broken. I really like freeipa, but so far even in a smallish lab
environment, it has been a nightmare. I am really tempted to just go back
to NIS. Does anyone have any ideas or proposals for making things more
robust ? At the very least, I think that these sort of modifications to
system files should only happen with package install/removal. Any changes
that ipa's scripts do should be local to ipa's internal state. Better would
be to have an internal ipa database sort of thing which keeps track of what
the current state is so that even if a script dies, which has happened
often, the next attempt reads the database and figures out what happened
earlier.

File bugs with enough details. It is the only reliable way to fix any
issues where environments differ. Install/uninstall scripts work for
fresh installs in RHEL and Fedora because this is what is tested. If you
have repurposed machines from some other setups, things might differ and
only you know what is in your environment.

That's not bad or good, that's just different -- the more different
environments we see, more robust code can be added. People are
infinitely more clever than computers when it comes to configuration
files' format mangling.

I've seen multiple cases where a claim of 'ipa scripts broke my
configuration' was later retracted saying that puppet or other SCM run
afterwards did these changes. That just happen, if there are many
elephants dancing in the room, a careful coordination is always a good
idea.

Coming back to your issues, please file bugs -- either upstream or
downstream, via distributions, whatever way is more suitable to you.
Contributing 'broken' config files would be good too.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-09-03 Thread Jakub Hrozek 
On Wed, Sep 02, 2015 at 06:30:09PM -0700, Prasun Gera wrote:
> FYI, I think the culprit (at least one of) is ipa-client-automount
> --uninstall. This removes sss entirely from nssswitch, not just from the
> automount section.

Hmm, I haven't tested that but it sounds like a bug.. I would expect
automount uninstall to touch my passwd or group database..

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-09-03 Thread Prasun Gera 
I have zero confidence in any of the install and uninstall scripts. And
this is on RHEL systems. On unofficial ones like Ubuntu, things are even
more broken. I really like freeipa, but so far even in a smallish lab
environment, it has been a nightmare. I am really tempted to just go back
to NIS. Does anyone have any ideas or proposals for making things more
robust ? At the very least, I think that these sort of modifications to
system files should only happen with package install/removal. Any changes
that ipa's scripts do should be local to ipa's internal state. Better would
be to have an internal ipa database sort of thing which keeps track of what
the current state is so that even if a script dies, which has happened
often, the next attempt reads the database and figures out what happened
earlier.

On Wed, Sep 2, 2015 at 11:32 PM, Jakub Hrozek  wrote:

> On Wed, Sep 02, 2015 at 06:30:09PM -0700, Prasun Gera wrote:
> > FYI, I think the culprit (at least one of) is ipa-client-automount
> > --uninstall. This removes sss entirely from nssswitch, not just from the
> > automount section.
>
> Hmm, I haven't tested that but it sounds like a bug.. I would expect
> automount uninstall to touch my passwd or group database..
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-09-02 Thread Prasun Gera 
FYI, I think the culprit (at least one of) is ipa-client-automount
--uninstall. This removes sss entirely from nssswitch, not just from the
automount section.

On Tue, Sep 1, 2015 at 11:56 AM, Prasun Gera  wrote:

> So I've again spent a couple of hours debugging a very similar issue.
> Client install would seemingly pass, but with "Unable to find 'admin' user
> with 'getent passwd admin@domain'!" at the end. And nobody would be able
> to authenticate. The reason was that /etc/nsswitch.conf wasn't updated. sss
> wasn't added to it.  Wading through his thread
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00538.html
> provided some hints. I have no idea why it did that, but as I have
> experienced before, modifying critical system files this way from python
> scripts which don't have proper transnactional support is very dangerous. I
> suspect that this has something to do with a prior failed install or
> uninstall attempt which left it in an inconsistent state. Is it possible to
> move from this backup-modify-restore approach to critical files to
> something more robust which has transnational guarantees ?
>
> On Sat, Jun 27, 2015 at 6:26 AM, Dmitri Pal  wrote:
>
>> On 06/24/2015 04:31 AM, Jakub Hrozek wrote:
>>
>>> On Wed, Jun 24, 2015 at 01:24:37AM -0700, Prasun Gera wrote:
>>>
 Thanks. It's good to know that it is fixed upstream. For discussion
 though,
 are any enhancements planned for dealing with installation/removal of
 ipa ?

>>> Not sure, but please file bugs as you see them.
>>>
>>> Yes, please be more specific . The bugs that were mentioned by Jakub are
>> making its way into downstream. If there are any other issues you are
>> concerned about please let us know.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Director of Engineering for IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-06-27 Thread Dmitri Pal 

On 06/24/2015 04:31 AM, Jakub Hrozek wrote:

On Wed, Jun 24, 2015 at 01:24:37AM -0700, Prasun Gera wrote:

Thanks. It's good to know that it is fixed upstream. For discussion though,
are any enhancements planned for dealing with installation/removal of ipa ?

Not sure, but please file bugs as you see them.

Yes, please be more specific . The bugs that were mentioned by Jakub are 
making its way into downstream. If there are any other issues you are 
concerned about please let us know.


--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-06-24 Thread Prasun Gera 
Thanks. It's good to know that it is fixed upstream. For discussion though,
are any enhancements planned for dealing with installation/removal of ipa ?

On Wed, Jun 24, 2015 at 12:49 AM, Jakub Hrozek jhro...@redhat.com wrote:

 On Tue, Jun 23, 2015 at 10:46:14PM -0700, Prasun Gera wrote:
  After spending a better part of the day, the culprit was this line in
  nsswitch.conf:
 
  sudoers: files sss sss

 Known ipa-client-install bug, fixed.

 
  It turns out that the extra sss left behind is sufficient to make any
 sudo
  command hang. Easy to reproduce too.

 Known sudo bug, fixed in upstream and making its way into downstreams:
 https://bugzilla.redhat.com/show_bug.cgi?id=1133657
 https://bugzilla.redhat.com/show_bug.cgi?id=1147498

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-06-24 Thread Jakub Hrozek 
On Tue, Jun 23, 2015 at 10:46:14PM -0700, Prasun Gera wrote:
 After spending a better part of the day, the culprit was this line in
 nsswitch.conf:
 
 sudoers: files sss sss

Known ipa-client-install bug, fixed.

 
 It turns out that the extra sss left behind is sufficient to make any sudo
 command hang. Easy to reproduce too.

Known sudo bug, fixed in upstream and making its way into downstreams:
https://bugzilla.redhat.com/show_bug.cgi?id=1133657
https://bugzilla.redhat.com/show_bug.cgi?id=1147498

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-06-24 Thread Jakub Hrozek 
On Wed, Jun 24, 2015 at 01:24:37AM -0700, Prasun Gera wrote:
 Thanks. It's good to know that it is fixed upstream. For discussion though,
 are any enhancements planned for dealing with installation/removal of ipa ?

Not sure, but please file bugs as you see them.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project