On Tue, 2016-02-16 at 17:36 +0100, Lukas Slebodnik wrote:
> On (12/01/16 14:11), Lukas Slebodnik wrote:
> >On (12/01/16 13:40), Lukas Slebodnik wrote:
> >>On (05/11/15 13:51), Sumit Bose wrote:
> >>>On Thu, Nov 05, 2015 at 01:02:07PM +0100, Lukas Slebodnik wrote:
> >>>> On (05/11/15 12:42), Sumit Bose wrote:
> >>>> >On Thu, Nov 05, 2015 at 12:12:17PM +0100, Lukas Slebodnik wrote:
> >>>> >> ehlo,
> >>>> >> 
> >>>> >> attached simple patch is a result of "Fedora end of life"
> >>>> >> message for related Fedora ticket.
> >>>> >> 
> >>>> >> If you have an idea about better names I will be glad to change them.
> >>>> >> 
> >>>> >> BTW should we also remove this part from function
> >>>> >> sss_write_krb5_conf_snippet
> >>>> >> 
> >>>> >> LS
> >>>> >
> >>>> >> From c4d56af303ba4385cf9ef1c9053545c243f07a44 Mon Sep 17 00:00:00 2001
> >>>> >> From: Lukas Slebodnik <lsleb...@redhat.com>
> >>>> >> Date: Thu, 5 Nov 2015 11:08:36 +0100
> >>>> >> Subject: [PATCH] BUILD: Enable the sssd krb5 localauth plugin by 
> >>>> >> default
> >>>> >> 
> >>>> >> It will be installed to /etc/krb.conf.d/ only on these
> >>>> >> platforms which have krb5 with this directory
> >>>> >> 
> >>>> >> Resolves:
> >>>> >> https://fedorahosted.org/sssd/ticket/2449
> >>>> >
> >>>> >...
> >>>> >
> >>>> >
> >>>> >> new file mode 100644
> >>>> >> index 
> >>>> >> 0000000000000000000000000000000000000000..950cab8200eb50d7fc878723d38c93d5b616e468
> >>>> >> --- /dev/null
> >>>> >> +++ b/src/examples/sssd_localauth.conf.in
> >>>> >> @@ -0,0 +1,5 @@
> >>>> >> +[plugins]
> >>>> >> + localauth = {
> >>>> >> +  module = 
> >>>> >> sssd:@krb5localauth_plugindir@/sssd_krb5_localauth_plugin.so
> >>>> >> +  enable_only = sssd
> >>>> >> + }
> >>>> >
> >>>> >just a comment, I think enable_only should not be used here. I added it
> >>>> >originally because I thought no other modules would be needed anymore,
> >>>> >but I was wrong, see e.g. https://fedorahosted.org/sssd/ticket/2788 or
> >>>> >https://fedorahosted.org/sssd/ticket/2707. 
> >>>> >
> >>>> I was inspired by /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> >>>> 
> >>>> I removed the option enable_only.
> >>>> Will it solve #2707 and #2788?
> >>>> Or is it unrelated?
> >>>
> >>>It depends. If e.g. the AD and IPA providers would not create
> >>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin anymore if
> >>>/etc/krb5.conf.d/sssd_localauth.conf exists I think #2788 is fixed
> >>>because we would fall back to the builtin k5login check if enable_only
> >>>is not set in /etc/krb5.conf.d/sssd_localauth.conf. If both files exist
> >>>and there is a 'includedir /var/lib/sss/pubconf/krb5.include.d/' in
> >>>/etc/krb5.conf it depends which file is processed first so I think we
> >>>should try to avoid it.
> >>>
> >>OK, I removed "enable_only" from both places.
> >>
> >>>Btw, what about the domain_realm mapping files we create in
> >>>/var/lib/sss/pubconf/krb5.include.d/localauth_plugin ? Should they be
> >>>created in /etc/krb5.conf.d/ if the directory exists? (Must not be
> >>>solved in the context of this ticket).
> >>>
> >>It would be good to store domain_realm mapping files there
> >>but it would not be allowed in non-root mode.
> >>
> >>sh$ ls -ld /etc/krb5.conf.d/
> >>drwxr-xr-x. 1 root root 30 Dec 23 17:12 /etc/krb5.conf.d/
> >>
> >>>If the file is labeled as '%config(noreplace)' in the spec
> >>>file we could say that the list is now configurable because changes stay
> >>>and close #2707 as well.
> >>>
> >>BTW /etc/krb5.conf.d/ is available (and included in krb5.conf)
> >>only on Fedora 23+. So older distributions will still
> >>generate the file into /var/lib/sss/pubconf/krb5.include.d/
> >>
> >>LS
> >
> >ups,
> >I sent wrong patches. New version is attached.
> >
> >LS
> 
> >From 8fbe324a52878bbfb206bd1ff9dfdf930cea7c68 Mon Sep 17 00:00:00 2001
> >From: Lukas Slebodnik <lsleb...@redhat.com>
> >Date: Tue, 12 Jan 2016 12:56:31 +0100
> >Subject: [PATCH 1/2] UTIL: Remove enable_only from krb5 localauth config
> >
> >Resolves:
> >https://fedorahosted.org/sssd/ticket/2788
> >---
> > src/util/domain_info_utils.c | 1 -
> > 1 file changed, 1 deletion(-)
> >
> >diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
> >index 
> >0791da3046c35e28cb1b479bb05610412acdb53c..4d7a927a0b946baed0658315104abe0ea3567279
> > 100644
> >--- a/src/util/domain_info_utils.c
> >+++ b/src/util/domain_info_utils.c
> >@@ -531,7 +531,6 @@ done:
> > "[plugins]\n" \
> > " localauth = {\n" \
> > "  module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
> >-"  enable_only = sssd\n" \
> > " }"
> > 
> > static errno_t sss_write_krb5_localauth_snippet(const char *path)
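Review bot: The commit message gives only the ticket link, while the single deleted line, `enable_only = sssd` in the snippet macro above `sss_write_krb5_localauth_snippet()`, changes which localauth modules krb5 consults: without it the built-in modules (the k5login check mentioned earlier in the thread) are enabled again alongside sssd. Please state that in the commit message, and if any unit test compares the written snippet against a literal string, drop the line from that expected string in this same patch so that 1/2 passes the tests on its own.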
> >-- 
> >2.5.0
> >
> 
> >From 24cec8410bac9501181b0bdbf63c8c70b9535e9c Mon Sep 17 00:00:00 2001
> >From: Lukas Slebodnik <lsleb...@redhat.com>
> >Date: Thu, 5 Nov 2015 11:08:36 +0100
> >Subject: [PATCH 2/2] BUILD: Enable the sssd krb5 localauth plugin by default
> >
> >It will be installed to /etc/krb.conf.d/ only on these
> >platforms which have krb5 with this directory
> >
> >Resolves:
> >https://fedorahosted.org/sssd/ticket/2449
> >---
> > Makefile.am                         | 15 ++++++++++++++-
> > contrib/sssd.spec.in                |  3 +++
> > src/examples/sssd_localauth.conf.in |  4 ++++
> > src/external/krb5.m4                |  4 ++++
> > src/tests/cmocka/test_utils.c       |  8 +++++++-
> > src/util/domain_info_utils.c        |  7 ++++++-
> > 6 files changed, 38 insertions(+), 3 deletions(-)
> > create mode 100644 src/examples/sssd_localauth.conf.in
> >
> >diff --git a/Makefile.am b/Makefile.am
> >index 
> >a9d3f25d3775f6ac824b9f9b85dd0412417c33d3..526bbd44926d40d4d3a9a5dc0b3528eed97d7600
> > 100644
> >--- a/Makefile.am
> >+++ b/Makefile.am
> >@@ -55,6 +55,7 @@ sssdapiplugindir = $(sssddatadir)/sssd.api.d
> > dbuspolicydir = $(sysconfdir)/dbus-1/system.d
> > dbusservicedir = $(datadir)/dbus-1/system-services
> > sss_statedir = $(localstatedir)/lib/sss
> >+krb5_conf_subdir =  $(sysconfdir)/krb5.conf.d/
> > localedir = @localedir@
> > nsslibdir = @nsslibdir@
> > pamlibdir = @pammoddir@
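Review bot: Style point on the added `krb5_conf_subdir` line: it has two spaces after `=` and a trailing slash, unlike the neighbouring `sss_statedir` and `dbuspolicydir` definitions. The name also yields the automake primary `krb5_conf_sub_DATA` in the next hunk, which reads oddly; a suggestion would be `krb5confdir = $(sysconfdir)/krb5.conf.d` together with `krb5conf_DATA`.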
> >@@ -319,6 +320,10 @@ endif
> > if BUILD_KRB5_LOCALAUTH_PLUGIN
> > krb5localauth_plugin_LTLIBRARIES = \
> >     sssd_krb5_localauth_plugin.la
> >+
> >+if HAVE_KRB5_CONF_D
> >+krb5_conf_sub_DATA = src/examples/sssd_localauth.conf
> >+endif
> > endif
> > 
> > if BUILD_PAC_RESPONDER
> >@@ -3433,6 +3438,7 @@ edit_cmd = $(SED) \
> >         -e 's|@sbindir[@]|$(sbindir)|g' \
> >         -e 's|@environment_file[@]|$(environment_file)|g' \
> >         -e 's|@localstatedir[@]|$(localstatedir)|g' \
> >+        -e 's|@krb5localauth_plugindir[@]|$(krb5localauth_plugindir)|g' \
> >         -e 's|@prefix[@]|$(prefix)|g'
> > 
> > replace_script = \
> >@@ -3444,7 +3450,9 @@ replace_script = \
> > 
> > EXTRA_DIST += \
> >     src/sysv/systemd/sssd.service.in \
> >-    src/sysv/systemd/journal.conf.in
> >+    src/sysv/systemd/journal.conf.in \
> >+    src/examples/sssd_localauth.conf.in \
> >+    $(NULL)
> > 
> > src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
> >     @$(MKDIR_P) src/sysv/systemd/
> >@@ -3454,6 +3462,10 @@ src/sysv/systemd/journal.conf: 
> >src/sysv/systemd/journal.conf.in Makefile
> >     @$(MKDIR_P) src/sysv/systemd/
> >     $(replace_script)
> > 
> >+src/examples/sssd_localauth.conf: src/examples/sssd_localauth.conf.in 
> >Makefile
> >+    @$(MKDIR_P) src/examples/
> >+    $(replace_script)
> >+
> > SSSD_USER_DIRS = \
> >     $(DESTDIR)$(dbpath) \
> >     $(DESTDIR)$(keytabdir) \
> >@@ -3662,6 +3674,7 @@ endif
> >     rm -Rf ldb_mod_test_dir
> >     rm -f $(builddir)/src/sysv/systemd/sssd.service
> >     rm -f $(builddir)/src/sysv/systemd/journal.conf
> >+    rm -f $(builddir)/src/examples/sssd_localauth.conf
> > 
> > CLEANFILES = *.X */*.X */*/*.X
> > 
> >diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
> >index 
> >9855e11a8bb0ff3f50ceeae98f383c514011cc90..67f9617bd56ab5f3a467f4db9f5d0b1b8271d50b
> > 100644
> >--- a/contrib/sssd.spec.in
> >+++ b/contrib/sssd.spec.in
> >@@ -836,6 +836,9 @@ rm -rf $RPM_BUILD_ROOT
> > %endif
> > %if (0%{?with_krb5_localauth_plugin} == 1)
> > %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
> >+%if (0%{?fedora} >= 23)
> >+%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_localauth.conf
> >+%endif
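Review bot: The `%if (0%{?fedora} >= 23)` guard around the new `%config(noreplace)` entry is a different condition from the `HAVE_KRB5_CONF_D` conditional that decides in Makefile.am whether `sssd_localauth.conf` is installed. If the two disagree on a build host, the package build can fail either on an installed but unpackaged file or on a listed file that was never installed. Consider driving the `%files` entry and the install rule from one switch so they cannot diverge.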
> Simo,
> Last week you mentioned that packages should not ship
> snippet files in /etc/krb5.conf.d/
> 
> As you can see we plan to do it but users can change it
> due to %config(noreplace).
> 
> Do you still think it is not a good idea?
> If you do not like it do you have an alternative solution for
> Fedora BZ1145788?

Not a good idea,
the configuration tool should drop there the snippet when it joins a
domain, or perhaps sssd should drop it there at startup (if not already
there) when it knows it can provide information to krb5.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
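
The situation raised in the quoted discussion (a localauth snippet present in both /etc/krb5.conf.d/ and /var/lib/sss/pubconf/krb5.include.d/, with `enable_only` deciding whether the built-in k5login check is still reached) can be audited on a host. This is an added example, not part of the thread or of SSSD; the sample contents and the `/PLUGINDIR` module path are constructed, and the parser assumes the simple brace layout used in the patches.

```python
import re

# Constructed sample contents; the two paths are the locations named in the thread,
# the module directory is a placeholder.
SAMPLE = {
    "/etc/krb5.conf.d/sssd_localauth.conf": (
        "[plugins]\n localauth = {\n"
        "  module = sssd:/PLUGINDIR/sssd_krb5_localauth_plugin.so\n }\n"),
    "/var/lib/sss/pubconf/krb5.include.d/localauth_plugin": (
        "[plugins]\n localauth = {\n"
        "  module = sssd:/PLUGINDIR/sssd_krb5_localauth_plugin.so\n"
        "  enable_only = sssd\n }\n"),
}

SECTION = re.compile(r"^(\[[^\]\n]+\])[ \t]*$", re.M)
BLOCK = re.compile(r"^\s*localauth\s*=\s*\{(.*?)^\s*\}", re.M | re.S)
RELATION = re.compile(r"^\s*(module|enable_only|disable)\s*=\s*(\S.*?)\s*$", re.M)

def localauth_relations(text):
    """Return (key, value) pairs from localauth blocks found under [plugins]."""
    parts = SECTION.split(text)          # [preamble, header, body, header, body, ...]
    found = []
    for header, body in zip(parts[1::2], parts[2::2]):
        if header == "[plugins]":
            for block in BLOCK.finditer(body):
                found.extend(RELATION.findall(block.group(1)))
    return found

def audit(files):
    """Report the two conditions the thread wants to avoid, given {path: content}."""
    relations = {path: localauth_relations(text) for path, text in files.items()}
    defining = sorted(p for p, rel in relations.items() if rel)
    restricting = sorted(p for p, rel in relations.items()
                         if any(key == "enable_only" for key, _ in rel))
    findings = []
    if len(defining) > 1:      # result then depends on which file is processed first
        findings.append(("localauth-defined-twice", defining))
    if restricting:            # built-in modules such as k5login are switched off
        findings.append(("enable_only-set", restricting))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To run it against a real host, build the `files` mapping by reading whichever of the two paths exist and pass it to `audit()`.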