On (12/01/16 14:11), Lukas Slebodnik wrote:
>On (12/01/16 13:40), Lukas Slebodnik wrote:
>>On (05/11/15 13:51), Sumit Bose wrote:
>>>On Thu, Nov 05, 2015 at 01:02:07PM +0100, Lukas Slebodnik wrote:
>>>> On (05/11/15 12:42), Sumit Bose wrote:
>>>> >On Thu, Nov 05, 2015 at 12:12:17PM +0100, Lukas Slebodnik wrote:
>>>> >> ehlo,
>>>> >> 
>>>> >> attached simple patch is a result of "Fedora end of life"
>>>> >> message for related Fedora ticket.
>>>> >> 
>>>> >> If you have an idea about better names I will be glad to change them.
>>>> >> 
>>>> >> BTW should we also remove this part from function
>>>> >> sss_write_krb5_conf_snippet
>>>> >> 
>>>> >> LS
>>>> >
>>>> >> From c4d56af303ba4385cf9ef1c9053545c243f07a44 Mon Sep 17 00:00:00 2001
>>>> >> From: Lukas Slebodnik <lsleb...@redhat.com>
>>>> >> Date: Thu, 5 Nov 2015 11:08:36 +0100
>>>> >> Subject: [PATCH] BUILD: Enable the sssd krb5 localauth plugin by default
>>>> >> 
>>>> >> It will be installed to /etc/krb.conf.d/ only on these
>>>> >> platforms which have krb5 with this directory
>>>> >> 
>>>> >> Resolves:
>>>> >> https://fedorahosted.org/sssd/ticket/2449
>>>> >
>>>> >...
>>>> >
>>>> >
>>>> >> new file mode 100644
>>>> >> index 
>>>> >> 0000000000000000000000000000000000000000..950cab8200eb50d7fc878723d38c93d5b616e468
>>>> >> --- /dev/null
>>>> >> +++ b/src/examples/sssd_localauth.conf.in
>>>> >> @@ -0,0 +1,5 @@
>>>> >> +[plugins]
>>>> >> + localauth = {
>>>> >> +  module = sssd:@krb5localauth_plugindir@/sssd_krb5_localauth_plugin.so
>>>> >> +  enable_only = sssd
>>>> >> + }
>>>> >
>>>> >just a comment, I think enable_only should not be used here. I added it
>>>> >originally because I thought no other modules would be needed anymore,
>>>> >but I was wrong, see e.g. https://fedorahosted.org/sssd/ticket/2788 or
>>>> >https://fedorahosted.org/sssd/ticket/2707. 
>>>> >
>>>> I was inspired by /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>>>> 
>>>> I removed the option enable_only.
>>>> Will it solve #2707 and #2788?
>>>> Or is it unrelated?
>>>
>>>It depends. If e.g. the AD and IPA providers would not create
>>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin anymore if
>>>/etc/krb5.conf.d/sssd_localauth.conf exists I think #2788 is fixed
>>>because we would fall back to the builtin k5login check if enable_only
>>>is not set in /etc/krb5.conf.d/sssd_localauth.conf. If both files exist
>>>and there is a 'includedir /var/lib/sss/pubconf/krb5.include.d/' in
>>>/etc/krb5.conf it depends which file is processed first so I think we
>>>should try to avoid it.
>>>
>>OK, I removed "enable_only" from both places.
>>
>>>Btw, what about the domain_realm mapping files we create in
>>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin ? Should they be
>>>created in /etc/krb5.conf.d/ if the directory exists? (Must not be
>>>solved in the context of this ticket).
>>>
>>It would be good to store domain_realm mapping files there
>>but it would not be allowed in non-root mode.
>>
>>sh$ ls -ld /etc/krb5.conf.d/
>>drwxr-xr-x. 1 root root 30 Dec 23 17:12 /etc/krb5.conf.d/
>>
>>>If the file is labeled as '%config(noreplace)' in the spec
>>>file we could say that the list is now configurable because changes stay
>>>and close #2707 as well.
>>>
>>BTW /etc/krb5.conf.d/ is available (and included in krb5.conf)
>>only on fedora 23+. So older distributions will still
>>generate the file into /var/lib/sss/pubconf/krb5.include.d/
>>
>>LS
>
>ups,
>I sent the wrong patches. New version is attached.
>
>LS

>From 8fbe324a52878bbfb206bd1ff9dfdf930cea7c68 Mon Sep 17 00:00:00 2001
>From: Lukas Slebodnik <lsleb...@redhat.com>
>Date: Tue, 12 Jan 2016 12:56:31 +0100
>Subject: [PATCH 1/2] UTIL: Remove enable_only from krb5 localauth config
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2788
>---
> src/util/domain_info_utils.c | 1 -
> 1 file changed, 1 deletion(-)
>
>diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
>index 
>0791da3046c35e28cb1b479bb05610412acdb53c..4d7a927a0b946baed0658315104abe0ea3567279
> 100644
>--- a/src/util/domain_info_utils.c
>+++ b/src/util/domain_info_utils.c
>@@ -531,7 +531,6 @@ done:
> "[plugins]\n" \
> " localauth = {\n" \
> "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
>-"  enable_only = sssd\n" \
> " }"
> 
> static errno_t sss_write_krb5_localauth_snippet(const char *path)
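
Review bot: dropping `enable_only = sssd` from the snippet macro changes which localauth modules libkrb5 consults, and the commit message (a ticket link only) does not say so. Please add a sentence explaining that without this line the built-in modules, such as the k5login check discussed in this thread, stay enabled alongside sssd. If src/tests/cmocka/test_utils.c, which 2/2 touches, compares against this string, its expected value should change in this patch so that each commit passes on its own.
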
>-- 
>2.5.0
>

>From 24cec8410bac9501181b0bdbf63c8c70b9535e9c Mon Sep 17 00:00:00 2001
>From: Lukas Slebodnik <lsleb...@redhat.com>
>Date: Thu, 5 Nov 2015 11:08:36 +0100
>Subject: [PATCH 2/2] BUILD: Enable the sssd krb5 localauth plugin by default
>
>It will be installed to /etc/krb.conf.d/ only on these
>platforms which have krb5 with this directory
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2449
>---
> Makefile.am                         | 15 ++++++++++++++-
> contrib/sssd.spec.in                |  3 +++
> src/examples/sssd_localauth.conf.in |  4 ++++
> src/external/krb5.m4                |  4 ++++
> src/tests/cmocka/test_utils.c       |  8 +++++++-
> src/util/domain_info_utils.c        |  7 ++++++-
> 6 files changed, 38 insertions(+), 3 deletions(-)
> create mode 100644 src/examples/sssd_localauth.conf.in
>
>diff --git a/Makefile.am b/Makefile.am
>index 
>a9d3f25d3775f6ac824b9f9b85dd0412417c33d3..526bbd44926d40d4d3a9a5dc0b3528eed97d7600
> 100644
>--- a/Makefile.am
>+++ b/Makefile.am
>@@ -55,6 +55,7 @@ sssdapiplugindir = $(sssddatadir)/sssd.api.d
> dbuspolicydir = $(sysconfdir)/dbus-1/system.d
> dbusservicedir = $(datadir)/dbus-1/system-services
> sss_statedir = $(localstatedir)/lib/sss
>+krb5_conf_subdir =  $(sysconfdir)/krb5.conf.d/
> localedir = @localedir@
> nsslibdir = @nsslibdir@
> pamlibdir = @pammoddir@
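
Review bot: the new `krb5_conf_subdir` points at `$(sysconfdir)/krb5.conf.d/`, while the commit message says the file goes to `/etc/krb.conf.d/`; the message should name the same directory. The assignment also has two spaces after `=` and a trailing slash, unlike the neighbouring directory variables such as `sss_statedir`; matching their style would keep the block consistent.
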
>@@ -319,6 +320,10 @@ endif
> if BUILD_KRB5_LOCALAUTH_PLUGIN
> krb5localauth_plugin_LTLIBRARIES = \
>     sssd_krb5_localauth_plugin.la
>+
>+if HAVE_KRB5_CONF_D
>+krb5_conf_sub_DATA = src/examples/sssd_localauth.conf
>+endif
> endif
> 
> if BUILD_PAC_RESPONDER
>@@ -3433,6 +3438,7 @@ edit_cmd = $(SED) \
>         -e 's|@sbindir[@]|$(sbindir)|g' \
>         -e 's|@environment_file[@]|$(environment_file)|g' \
>         -e 's|@localstatedir[@]|$(localstatedir)|g' \
>+        -e 's|@krb5localauth_plugindir[@]|$(krb5localauth_plugindir)|g' \
>         -e 's|@prefix[@]|$(prefix)|g'
> 
> replace_script = \
>@@ -3444,7 +3450,9 @@ replace_script = \
> 
> EXTRA_DIST += \
>     src/sysv/systemd/sssd.service.in \
>-    src/sysv/systemd/journal.conf.in
>+    src/sysv/systemd/journal.conf.in \
>+    src/examples/sssd_localauth.conf.in \
>+    $(NULL)
> 
> src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
>       @$(MKDIR_P) src/sysv/systemd/
>@@ -3454,6 +3462,10 @@ src/sysv/systemd/journal.conf: 
>src/sysv/systemd/journal.conf.in Makefile
>       @$(MKDIR_P) src/sysv/systemd/
>       $(replace_script)
> 
>+src/examples/sssd_localauth.conf: src/examples/sssd_localauth.conf.in Makefile
>+      @$(MKDIR_P) src/examples/
>+      $(replace_script)
>+
> SSSD_USER_DIRS = \
>     $(DESTDIR)$(dbpath) \
>     $(DESTDIR)$(keytabdir) \
>@@ -3662,6 +3674,7 @@ endif
>       rm -Rf ldb_mod_test_dir
>       rm -f $(builddir)/src/sysv/systemd/sssd.service
>       rm -f $(builddir)/src/sysv/systemd/journal.conf
>+      rm -f $(builddir)/src/examples/sssd_localauth.conf
> 
> CLEANFILES = *.X */*.X */*/*.X
> 
>diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
>index 
>9855e11a8bb0ff3f50ceeae98f383c514011cc90..67f9617bd56ab5f3a467f4db9f5d0b1b8271d50b
> 100644
>--- a/contrib/sssd.spec.in
>+++ b/contrib/sssd.spec.in
>@@ -836,6 +836,9 @@ rm -rf $RPM_BUILD_ROOT
> %endif
> %if (0%{?with_krb5_localauth_plugin} == 1)
> %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
>+%if (0%{?fedora} >= 23)
>+%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_localauth.conf
>+%endif
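
Review bot: the `%if (0%{?fedora} >= 23)` guard around the new %files entry is not the condition the build uses, since Makefile.am installs the snippet under `HAVE_KRB5_CONF_D`. When the two disagree, rpmbuild fails either on a listed file that was never installed or on an installed file that is not packaged. Consider deriving both from one switch, for example a spec macro that is also passed to configure, so the packaging decision is made in a single place.
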
Simo,
Last week you mentioned that packages should not ship
snippet files in /etc/krb5.conf.d/

As you can see we plan to do it but users can change it
due to %config(noreplace).

Do you still think it is not a good idea?
If you do not like it do you have an alternative solution for
Fedora BZ1145788?

L
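
The case raised earlier in the thread, where both the generated pubconf snippet and the packaged /etc/krb5.conf.d file define `localauth` and only one sets `enable_only`, can be checked for with a small audit. This is an added example, not part of the thread or of SSSD; the function names, the sample file contents and the /usr/lib64 module path are constructed for illustration.

```python
import re

# Constructed sample snippets (not taken from a real host): the file SSSD
# generates under pubconf with enable_only, and the packaged one without it.
SAMPLE = {
    "/var/lib/sss/pubconf/krb5.include.d/localauth_plugin": (
        "[plugins]\n localauth = {\n"
        "  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so\n"
        "  enable_only = sssd\n }\n"
    ),
    "/etc/krb5.conf.d/sssd_localauth.conf": (
        "[plugins]\n localauth = {\n"
        "  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so\n"
        " }\n"
    ),
}

BLOCK = re.compile(r"^\s*localauth\s*=\s*\{(.*?)^\s*\}", re.S | re.M)
RELATION = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$", re.M)


def localauth_settings(text):
    """Return {key: [values]} from the localauth blocks of one snippet, or None."""
    blocks = BLOCK.findall(text)
    if not blocks:
        return None
    settings = {}
    for block in blocks:
        for key, value in RELATION.findall(block):
            settings.setdefault(key, []).append(value)
    return settings


def audit(snippets):
    """Flag enable_only use and files whose localauth definitions disagree."""
    findings, defining = [], {}
    for path, text in sorted(snippets.items()):
        settings = localauth_settings(text)
        if settings is None:
            continue
        defining[path] = settings.get("enable_only", [])
        if defining[path]:
            findings.append(f"{path}: enable_only={','.join(defining[path])} "
                            "disables the built-in localauth modules")
    # Differing enable_only values mean the result depends on include order.
    if len({tuple(v) for v in defining.values()}) > 1:
        findings.append("order-dependent: " + ", ".join(defining))
    return findings
```

On a real host the dictionary would be filled from the files in the directories krb5.conf includes.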