On (12/01/16 13:40), Lukas Slebodnik wrote:
>On (05/11/15 13:51), Sumit Bose wrote:
>>On Thu, Nov 05, 2015 at 01:02:07PM +0100, Lukas Slebodnik wrote:
>>> On (05/11/15 12:42), Sumit Bose wrote:
>>> >On Thu, Nov 05, 2015 at 12:12:17PM +0100, Lukas Slebodnik wrote:
>>> >> ehlo,
>>> >> 
>>> >> attached simple patch is a result of "Fedora end of life"
>>> >> message for related Fedora ticket.
>>> >> 
>>> >> If you have an idea about better names I will be glad to change them.
>>> >> 
>>> >> BTW should we also remove this part from the function
>>> >> sss_write_krb5_conf_snippet?
>>> >> 
>>> >> LS
>>> >
>>> >> From c4d56af303ba4385cf9ef1c9053545c243f07a44 Mon Sep 17 00:00:00 2001
>>> >> From: Lukas Slebodnik <lsleb...@redhat.com>
>>> >> Date: Thu, 5 Nov 2015 11:08:36 +0100
>>> >> Subject: [PATCH] BUILD: Enable the sssd krb5 localauth plugin by default
>>> >> 
>>> >> It will be installed to /etc/krb.conf.d/ only on these
>>> >> platforms which has krb5 with this directory
>>> >> 
>>> >> Resolves:
>>> >> https://fedorahosted.org/sssd/ticket/2449
>>> >
>>> >...
>>> >
>>> >
>>> >> new file mode 100644
>>> >> index 
>>> >> 0000000000000000000000000000000000000000..950cab8200eb50d7fc878723d38c93d5b616e468
>>> >> --- /dev/null
>>> >> +++ b/src/examples/sssd_localauth.conf.in
>>> >> @@ -0,0 +1,5 @@
>>> >> +[plugins]
>>> >> + localauth = {
>>> >> +  module = sssd:@krb5localauth_plugindir@/sssd_krb5_localauth_plugin.so
>>> >> +  enable_only = sssd
>>> >> + }
>>> >
>>> >just a comment, I think enable_only should not be used here. I added it
>>> >originally because I thought no other modules would be needed anymore,
>>> >but I was wrong, see e.g. https://fedorahosted.org/sssd/ticket/2788 or
>>> >https://fedorahosted.org/sssd/ticket/2707. 
>>> >
>>> I was inspired by /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>>> 
>>> I removed the option enable_only.
>>> Will it solve #2707 and #2788,
>>> or is it unrelated?
>>
>>It depends. If e.g. the AD and IPA providers would not create
>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin anymore if
>>/etc/krb5.conf.d/sssd_localauth.conf exists I think #2788 is fixed
>>because we would fall back to the builtin k5login check if enable_only
>>is not set in /etc/krb5.conf.d/sssd_localauth.conf. If both files exist
>>and there is a 'includedir /var/lib/sss/pubconf/krb5.include.d/' in
>>/etc/krb5.conf it depends which file is processed first so I think we
>>should try to avoid it.
>>
>OK, I removed "enable_only" from both places.
>
>>Btw, what about the domain_realm mapping files we create in
>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin ? Should they be
>>created in /etc/krb5.conf.d/ if the directory exists? (Must not be
>>solved in the context of this ticket).
>>
>It would be good to store domain_realm mapping files there
>but it would not be allowed in non-root mode.
>
>sh$ ls -ld /etc/krb5.conf.d/
>drwxr-xr-x. 1 root root 30 Dec 23 17:12 /etc/krb5.conf.d/
>
>>If the file is labeled as '%config(noreplace)' in the spec
>>file we could say that the list is now configurable because changes stay
>>and close #2707 as well.
>>
>BTW /etc/krb5.conf.d/ is available (and included in krb5.conf)
>only on fedora 23+. So older distributions will still
>generate the file into /var/lib/sss/pubconf/krb5.include.d/
>
>LS

Oops,
I sent the wrong patches. A new version is attached.

LS
>From 8fbe324a52878bbfb206bd1ff9dfdf930cea7c68 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Tue, 12 Jan 2016 12:56:31 +0100
Subject: [PATCH 1/2] UTIL: Rmove enable_only from krb5 localauth config

Resolves:
https://fedorahosted.org/sssd/ticket/2788
---
 src/util/domain_info_utils.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 
0791da3046c35e28cb1b479bb05610412acdb53c..4d7a927a0b946baed0658315104abe0ea3567279
 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -531,7 +531,6 @@ done:
 "[plugins]\n" \
 " localauth = {\n" \
 "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
-"  enable_only = sssd\n" \
 " }"
 
 static errno_t sss_write_krb5_localauth_snippet(const char *path)
-- 
2.5.0

>From 24cec8410bac9501181b0bdbf63c8c70b9535e9c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Thu, 5 Nov 2015 11:08:36 +0100
Subject: [PATCH 2/2] BUILD: Enable the sssd krb5 localauth plugin by default

It will be installed to /etc/krb5.conf.d/ only on those
platforms whose krb5 provides this directory

Resolves:
https://fedorahosted.org/sssd/ticket/2449
---
 Makefile.am                         | 15 ++++++++++++++-
 contrib/sssd.spec.in                |  3 +++
 src/examples/sssd_localauth.conf.in |  4 ++++
 src/external/krb5.m4                |  4 ++++
 src/tests/cmocka/test_utils.c       |  8 +++++++-
 src/util/domain_info_utils.c        |  7 ++++++-
 6 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 src/examples/sssd_localauth.conf.in

diff --git a/Makefile.am b/Makefile.am
index 
a9d3f25d3775f6ac824b9f9b85dd0412417c33d3..526bbd44926d40d4d3a9a5dc0b3528eed97d7600
 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -55,6 +55,7 @@ sssdapiplugindir = $(sssddatadir)/sssd.api.d
 dbuspolicydir = $(sysconfdir)/dbus-1/system.d
 dbusservicedir = $(datadir)/dbus-1/system-services
 sss_statedir = $(localstatedir)/lib/sss
+krb5_conf_subdir =  $(sysconfdir)/krb5.conf.d/
 localedir = @localedir@
 nsslibdir = @nsslibdir@
 pamlibdir = @pammoddir@
@@ -319,6 +320,10 @@ endif
 if BUILD_KRB5_LOCALAUTH_PLUGIN
 krb5localauth_plugin_LTLIBRARIES = \
     sssd_krb5_localauth_plugin.la
+
+if HAVE_KRB5_CONF_D
+krb5_conf_sub_DATA = src/examples/sssd_localauth.conf
+endif
 endif
 
 if BUILD_PAC_RESPONDER
@@ -3433,6 +3438,7 @@ edit_cmd = $(SED) \
         -e 's|@sbindir[@]|$(sbindir)|g' \
         -e 's|@environment_file[@]|$(environment_file)|g' \
         -e 's|@localstatedir[@]|$(localstatedir)|g' \
+        -e 's|@krb5localauth_plugindir[@]|$(krb5localauth_plugindir)|g' \
         -e 's|@prefix[@]|$(prefix)|g'
 
 replace_script = \
@@ -3444,7 +3450,9 @@ replace_script = \
 
 EXTRA_DIST += \
     src/sysv/systemd/sssd.service.in \
-    src/sysv/systemd/journal.conf.in
+    src/sysv/systemd/journal.conf.in \
+    src/examples/sssd_localauth.conf.in \
+    $(NULL)
 
 src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
        @$(MKDIR_P) src/sysv/systemd/
@@ -3454,6 +3462,10 @@ src/sysv/systemd/journal.conf: 
src/sysv/systemd/journal.conf.in Makefile
        @$(MKDIR_P) src/sysv/systemd/
        $(replace_script)
 
+src/examples/sssd_localauth.conf: src/examples/sssd_localauth.conf.in Makefile
+       @$(MKDIR_P) src/examples/
+       $(replace_script)
+
 SSSD_USER_DIRS = \
     $(DESTDIR)$(dbpath) \
     $(DESTDIR)$(keytabdir) \
@@ -3662,6 +3674,7 @@ endif
        rm -Rf ldb_mod_test_dir
        rm -f $(builddir)/src/sysv/systemd/sssd.service
        rm -f $(builddir)/src/sysv/systemd/journal.conf
+       rm -f $(builddir)/src/examples/sssd_localauth.conf
 
 CLEANFILES = *.X */*.X */*/*.X
 
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 
9855e11a8bb0ff3f50ceeae98f383c514011cc90..67f9617bd56ab5f3a467f4db9f5d0b1b8271d50b
 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -836,6 +836,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 %if (0%{?with_krb5_localauth_plugin} == 1)
 %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
+%if (0%{?fedora} >= 23)
+%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_localauth.conf
+%endif
 %endif
 %{_mandir}/man8/pam_sss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
diff --git a/src/examples/sssd_localauth.conf.in 
b/src/examples/sssd_localauth.conf.in
new file mode 100644
index 
0000000000000000000000000000000000000000..daa29531d6d5e64f417f997afeb2d4e6e482277b
--- /dev/null
+++ b/src/examples/sssd_localauth.conf.in
@@ -0,0 +1,4 @@
+[plugins]
+ localauth = {
+  module = sssd:@krb5localauth_plugindir@/sssd_krb5_localauth_plugin.so
+ }
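Review bot: The installed snippet has no comment explaining why `enable_only` is absent, and because the spec marks the file `%config(noreplace)`, administrators are expected to edit and keep it. A header line such as `# enable_only is intentionally not set so that the built-in localauth modules (e.g. k5login) are still consulted` would record the decision taken in this thread. Without it, someone copying `enable_only = sssd` back from an older generated snippet would presumably restrict localauth to the sssd module again and reintroduce the behaviour ticket 2788 was opened for.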
diff --git a/src/external/krb5.m4 b/src/external/krb5.m4
index 
8fc9096c7fe70cf9bb682f1086b3bba07e936936..8fdd5fb509f7651f8633fc48af8e5355aaaf9d78
 100644
--- a/src/external/krb5.m4
+++ b/src/external/krb5.m4
@@ -112,5 +112,9 @@ AM_CONDITIONAL([BUILD_KRB5_LOCALAUTH_PLUGIN],
 AM_COND_IF([BUILD_KRB5_LOCALAUTH_PLUGIN],
            [AC_DEFINE_UNQUOTED(HAVE_KRB5_LOCALAUTH_PLUGIN, 1, [Build with krb5 
localauth plugin])])
 
+AM_CONDITIONAL([HAVE_KRB5_CONF_D], [test -d /etc/krb5.conf.d/])
+AM_COND_IF([HAVE_KRB5_CONF_D],
+           [AC_DEFINE_UNQUOTED([HAVE_KRB5_CONF_D], 1, [Have directory 
/etc/krb5.conf.d/])])
+
 CFLAGS=$SAVE_CFLAGS
 LIBS=$SAVE_LIBS
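Review bot: `test -d /etc/krb5.conf.d/` probes the build host with a hard-coded path, so the result reflects what happens to be installed in the build root rather than the target system, and it ignores `--sysconfdir` although Makefile.am installs the snippet into `$(sysconfdir)/krb5.conf.d/`. The spec file gates its `%files` entry separately on `fedora >= 23`, so the two conditions can disagree and leave either an unpackaged file or a listed file that was never installed. Because HAVE_KRB5_CONF_D also switches off run-time snippet generation in domain_info_utils.c, a wrong guess here decides whether the localauth plugin is configured at all. An explicit configure switch passed by the spec, with the directory test only as its default, would keep the three places in agreement.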
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index 
fecc5579d85490a62641e3f7d5db22639fc5ed26..e41080dfaf83f8ec289b94ff6dc476b6a6c6a3d3
 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1277,7 +1277,13 @@ void test_sss_write_krb5_conf_snippet(void **state)
     ret = sss_write_krb5_conf_snippet(path);
     assert_int_equal(ret, EOK);
 
-#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
+#ifdef HAVE_KRB5_CONF_D
+    ret = open(file, O_RDONLY);
+    assert_int_equal(ret, -1);
+
+    ret = errno;
+    assert_int_equal(ret, ENOENT);
+#elif defined(HAVE_KRB5_LOCALAUTH_PLUGIN)
     ret = unlink(file);
     assert_int_equal(ret, EOK);
 #endif
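Review bot: `errno` is read only after `assert_int_equal(ret, -1)` has run, so the value compared with ENOENT is whatever the assertion helper left behind, which is not guaranteed to be what `open()` set. Save it into a local immediately after the call, e.g. `ret = open(file, O_RDONLY); saved_errno = errno;`, and assert on that copy. If `open()` unexpectedly succeeds, the descriptor is never closed, although the test fails at that point anyway. The test function starts and ends outside this hunk, so the local declarations and whether `<fcntl.h>` is included cannot be checked from here.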
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 
4d7a927a0b946baed0658315104abe0ea3567279..580a078ca195b3dce54b43909435d69016ea9a42
 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -535,7 +535,12 @@ done:
 
 static errno_t sss_write_krb5_localauth_snippet(const char *path)
 {
-#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
+#ifdef HAVE_KRB5_CONF_D
+    DEBUG(SSSDBG_TRACE_ALL,
+          "SSSD Kerberos localauth plugin is stored in standard krb5 "
+          "directory:/etc/krb5.conf.d/\n");
+    return EOK;
+#elif defined(HAVE_KRB5_LOCALAUTH_PLUGIN)
     int ret;
     errno_t err;
     TALLOC_CTX *tmp_ctx = NULL;
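Review bot: The new `#ifdef HAVE_KRB5_CONF_D` branch returns EOK on a build-time guess and never checks at run time that `/etc/krb5.conf.d/sssd_localauth.conf` exists or that krb5.conf includes that directory, so if either is missing no snippet is written anywhere and the localauth plugin is silently left unconfigured. krb5.m4 defines HAVE_KRB5_CONF_D independently of BUILD_KRB5_LOCALAUTH_PLUGIN, so this branch can also log that the configuration is installed in a build that has no plugin; `#if defined(HAVE_KRB5_LOCALAUTH_PLUGIN) && defined(HAVE_KRB5_CONF_D)` would avoid that. The message would read more accurately as `"SSSD krb5 localauth plugin configuration is expected in /etc/krb5.conf.d/\n"`, and `path` is unused in this branch. The function body continues past the end of the hunk.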
-- 
2.5.0
