Discussion:
[Freeipa-users] ipa-client-install generates bad sssd.conf
Harald Dunkel
2017-03-03 07:45:10 UTC
Hi folks,

running freeipa client 4.3.2-5 and sssd 1.15.0-3 on Debian
Stretch ipa-client-install creates a bad sssd.conf file, e.g.

[domain/example.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = stretch1.vs.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.com
dns_discovery_domain = example.com
[sssd]
domains = example.com
services = sudo
[sudo]


Esp. the services for nss, pam and ssh are not setup. Is this
as expected?


Every helpful comment is highly appreciated.
Harri
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Jakub Hrozek
2017-03-03 08:32:57 UTC
Post by Harald Dunkel
Hi folks,
running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
Debian Stretch
~~~~~~~~~~~~~~
This is important I guess.

Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
no longer required to have them explicitly listed in the services line
of the sssd section. But:
- there were some nasty bugs in the first version of the socket
activation. We will be releasing 1.15.1 today to address those
issues
- the sockets must be enabled (systemctl status sssd-nss.socket). I
understand Debian is doing this but I'm neither Debian user nor
developer. I would suggest to ask on some Debian-specific forum or
file a bug report if the resulting configuration doesn't work.
Post by Harald Dunkel
ipa-client-install creates a bad sssd.conf file, e.g.
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = stretch1.vs.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.com
dns_discovery_domain = example.com
[sssd]
domains = example.com
services = sudo
btw I find it strange that sudo is listed. I would expect either all or
no services to be listed. The feature is backwards-compatible, so if you
list the services explicitly, the sssd process would still start them
explicitly, just as it did with previous versions.
Post by Harald Dunkel
[sudo]
Esp. the services for nss, pam and ssh are not setup. Is this
as expected?
Every helpful comment is highly appreciated.
Harri
Harald Dunkel
2017-03-03 08:56:55 UTC
Hi Jakub,
Post by Jakub Hrozek
Post by Harald Dunkel
Hi folks,
running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
Debian Stretch
~~~~~~~~~~~~~~
This is important I guess.
Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
no longer required to have them explicitly listed in the services line
- there were some nasty bugs in the first version of the socket
activation. We will be releasing 1.15.1 today to address those
issues
- the sockets must be enabled (systemctl status sssd-nss.socket). I
understand Debian is doing this but I'm neither Debian user nor
developer. I would suggest to ask on some Debian-specific forum or
file a bug report if the resulting configuration doesn't work.
This is systemd-only?

Wouldn't it be better to create a working sssd.conf, no matter
what?


Regards
Harri
Jakub Hrozek
2017-03-03 09:14:46 UTC
Post by Harald Dunkel
Hi Jakub,
Post by Jakub Hrozek
Post by Harald Dunkel
Hi folks,
running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
Debian Stretch
~~~~~~~~~~~~~~
This is important I guess.
Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
no longer required to have them explicitly listed in the services line
- there were some nasty bugs in the first version of the socket
activation. We will be releasing 1.15.1 today to address those
issues
- the sockets must be enabled (systemctl status sssd-nss.socket). I
understand Debian is doing this but I'm neither Debian user nor
developer. I would suggest to ask on some Debian-specific forum or
file a bug report if the resulting configuration doesn't work.
This is systemd-only?
Wouldn't it be better to create a working sssd.conf, no matter
what?
It is up to whoever is creating the sssd.conf. As I said, the change is
backwards-compatible. If you want the services to be started by sssd,
then list them in the services line. If you want to have them started on
demand and have a simpler configuration, you rely on the systemd services
manager.
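Added example, not part of the thread and not code from SSSD or FreeIPA: a check for the two start-up paths described in the message above, reporting responders that are neither listed in the `services` line nor covered by an enabled socket unit. `sssd-nss.socket` is named in the thread; the other unit names are assumed to follow the same pattern, and the function name and sample inputs are constructed.

```python
import configparser

# Responders discussed in the thread, mapped to the systemd socket unit that
# can start each one on demand (SSSD >= 1.15). sssd-nss.socket appears in the
# thread; the other names are assumed to follow sssd-<responder>.socket.
SOCKET_UNITS = {
    "nss": "sssd-nss.socket",
    "pam": "sssd-pam.socket",
    "ssh": "sssd-ssh.socket",
    "sudo": "sssd-sudo.socket",
}


def unreachable_responders(sssd_conf_text, enabled_units):
    """Return responders that are neither listed in [sssd] services nor
    covered by an enabled socket unit, i.e. that nothing will start."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(sssd_conf_text)
    raw = parser.get("sssd", "services", fallback="")
    listed = {s.strip() for s in raw.split(",") if s.strip()}
    return sorted(
        name for name, unit in SOCKET_UNITS.items()
        if name not in listed and unit not in enabled_units
    )


# Constructed sample, shortened from the sssd.conf posted in the thread.
SAMPLE_CONF = """\
[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipa1.example.com
[sssd]
domains = example.com
services = sudo
[sudo]
"""

if __name__ == "__main__":
    # Constructed unit sets; on a real host they would come from
    # `systemctl list-unit-files --state=enabled 'sssd-*.socket'`.
    print(unreachable_responders(SAMPLE_CONF, set()))
    print(unreachable_responders(SAMPLE_CONF,
                                 {"sssd-nss.socket", "sssd-pam.socket"}))
```

A non-empty result for `nss` or `pam` means user lookups or PAM authentication through SSSD have no responder to answer them on that host.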
Harald Dunkel
2017-03-03 11:02:56 UTC
Post by Jakub Hrozek
Post by Harald Dunkel
This is systemd-only?
Wouldn't it be better to create a working sssd.conf, no matter
what?
It is up to whoever is creating the sssd.conf. As I said, the change is
backwards-compatible. If you want the services to be started by sssd,
then list them in the services line. If you want to have them started on
demand and have a simpler configuration, you rely on the systemd services
manager.
Understood. I will try 1.15.1 as soon as possible.

Reading ipa-client-install it appears to me that the other
services haven't been omitted on purpose. I have the
impression that nss and pam have simply been forgotten.

sssd's ssh service is defined only if ipa-client-install
is allowed to touch the ssh or sshd configuration, but I
have *no* idea why there is such a correlation.

Would somebody mind to look into this?


Thanx very much
Harri
Rob Crittenden
2017-03-03 14:53:04 UTC
Post by Harald Dunkel
Post by Jakub Hrozek
Post by Harald Dunkel
This is systemd-only?
Wouldn't it be better to create a working sssd.conf, no matter
what?
It is up to whoever is creating the sssd.conf. As I said, the change is
backwards-compatible. If you want the services to be started by sssd,
then list them in the services line. If you want to have them started on
demand and have a simpler configuration, you rely on the systemd services
manager.
Understood. I will try 1.15.1 as soon as possible.
Reading ipa-client-install it appears to me that the other
services haven't been omitted on purpose. I have the
impression that nss and pam have simply been forgotten.
sssd's ssh service is defined only if ipa-client-install
is allowed to touch the ssh or sshd configuration, but I
have *no* idea why there is such a correlation.
Would somebody mind to look into this?
This is managed by authconfig on Fedora/RHEL systems. Not sure what
Debian does in this regard. Timo?

rob
Timo Aaltonen
2017-03-05 10:47:36 UTC
Post by Rob Crittenden
Post by Harald Dunkel
Post by Jakub Hrozek
Post by Harald Dunkel
This is systemd-only?
Wouldn't it be better to create a working sssd.conf, no matter
what?
It is up to whoever is creating the sssd.conf. As I said, the change is
backwards-compatible. If you want the services to be started by sssd,
then list them in the services line. If you want to have them started on
demand and have a simpler configuration, you rely on the systemd services
manager.
Understood. I will try 1.15.1 as soon as possible.
Reading ipa-client-install it appears to me that the other
services haven't been omitted on purpose. I have the
impression that nss and pam have simply been forgotten.
sssd's ssh service is defined only if ipa-client-install
is allowed to touch the ssh or sshd configuration, but I
have *no* idea why there is such a correlation.
Would somebody mind to look into this?
This is managed by authconfig on Fedora/RHEL systems. Not sure what
Debian does in this regard. Timo?
pam-auth-update configures pam, there's nothing else to be configured..
I just ran ipa-client-install on Ubuntu zesty with freeipa-client
4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:

services = nss, sudo, pam, ssh
--
t
Harald Dunkel
2017-03-09 10:08:31 UTC
Post by Timo Aaltonen
pam-auth-update configures pam, there's nothing else to be configured..
I just ran ipa-client-install on Ubuntu zesty with freeipa-client
services = nss, sudo, pam, ssh
Do you get the same for 4.4.3-3 (the version in Debian experimental,
AFAICT) on sid? I don't :-(.

Command line:
ipa-client-install --hostname `hostname` --no-ssh --no-sshd --no-nisdomain


Regards
Harri