[Authentication] realmd erroneously reports "already joined" if /etc/sssd/sssd.conf is pre-present.

Stef Walter stefw at gnome.org
Thu Nov 19 04:25:04 PST 2015


On 19.11.2015 13:19, Niklas Andersson wrote:
> Hi Stef,
> 
> Well, yes. At least the join started when I commented out the #domains,
> but then I got this error during the join:
> 
>  ! Failed to enroll machine in realm: Already have domain openforce.org
> in sssd.conf config file.

Let's fix this bug, then your use case will work. Are you interested in
contributing a fix? The code is here:

http://cgit.freedesktop.org/realmd/realmd/tree/service/realm-sssd-config.c

I think we need to add a boolean 'merge' argument to
realm_sssd_config_add_domain() which when set appends to the domain
section, rather than replacing it.

And we would set that flag here:

http://cgit.freedesktop.org/realmd/realmd/tree/service/realm-sssd-ad.c#n188

Stef

> Being able to not start sssd by default (as an option perhaps) would
> solve the problem, because that would give the admin some time to
> customize sssd.conf before the service is started.
> 
> Regards,
> Niklas
> 
> 
> 
> 
> On 19/11/15 13:09, Stef Walter wrote:
>> On 19.11.2015 13:06, Stephen Gallagher wrote:
>>>
>>>> On Nov 19, 2015, at 7:01 AM, Stef Walter <stefw at gnome.org> wrote:
>>>>
>>>>> On 19.11.2015 12:51, Niklas Andersson wrote:
>>>>> Well,
>>>>> I want to add support for sudo in ldap for example, and
>>>>> ignore_group_members, set some pam stuff. Paste the sssd.conf
>>>>> here below.
>>>> When asked to configure sssd (the default) realmd uses sssd.conf as
>>>> the authoritative source of 'which domains am I joined to?'
>>>> information.
>>>>
>>>> I wonder if there's a present-but-disabled setting in sssd.conf
>>>> that could be useful in this case?
>>>>
>>> The domains= line in the [SSSD] section is the authoritative list of
>>> enabled domains. All other domain sections are ignored.
>> Niklas, does it work to include the new appropriately named section, but
>> leave the domain name out of the domains= line? Will realmd then update
>> the domains line, and further populate the [openforce.org] section?
>>
>> Stef
>>
>>>> Stef
>>>>
>>>>> [sssd]
>>>>> domains = openforce.org
>>>>> config_file_version = 2
>>>>> services = nss, pam, ssh, sudo
>>>>>
>>>>> [ssh]
>>>>>
>>>>> [sudo]
>>>>>
>>>>> [pam]
>>>>> offline_credentials_expiration = 60
>>>>> pam_pwd_expiration_warning = 14
>>>>>
>>>>> [nss]
>>>>>
>>>>> [domain/openforce.org]
>>>>> id_provider = ad
>>>>> sudo_provider = ldap
>>>>> ignore_group_members = true
>>>>> dyndns_update = false
>>>>> use_fully_qualified_names = False
>>>>> lookup_family_order = ipv4_only
>>>>> cache_credentials = True
>>>>> fallback_homedir = /home/%u
>>>>> create_homedir = True
>>>>> override_shell = /bin/bash
>>>>> #
>>>>> # Sudo
>>>>> #
>>>>> ldap_uri = ldap://srv11.openforce.org
>>>>> ldap_sudo_search_base = ou=SUDOers,dc=openforce,dc=org
>>>>> ldap_default_bind_dn = cn=admin,dc=openforce,dc=org
>>>>> ldap_default_authtok = secret
>>>>>
>>>>> Regards, Niklas
>>>>>
>>>>>> On 19/11/15 12:47, Stephen Gallagher wrote:
>>>>>>
>>>>>>> On Nov 19, 2015, at 6:35 AM, Niklas Andersson
>>>>>>> <niklas.andersson at openforce.se> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I just ran into an oddity with realmd. It seems that if there
>>>>>>> already is a preconfigured /etc/sssd/sssd.conf present, realm
>>>>>>> will erroneously report that the client is already joined to
>>>>>>> a domain.
>>>>>>>
>>>>>>> The thing is that I want to tweak the sssd.conf for our
>>>>>>> domain before sssd is started, and it seems like I can't do
>>>>>>> that because:
>>>>>>>
>>>>>>> a) If I pre-configure /etc/sssd/sssd.conf, realm won't join.
>>>>>>>
>>>>>>> b) If I don't pre-configure realm automatically generates a
>>>>>>> default /etc/sssd/sssd.conf and starts the service right
>>>>>>> after that.
>>>>>>>
>>>>>>> Is there some way I can fix this nicely?
>>>>>>>
>>>>>> Could you specify what tweaks in particular that you are trying
>>>>>> to apply?
>>>> _______________________________________________ Authentication
>>>> mailing list Authentication at lists.freedesktop.org
>>>> http://lists.freedesktop.org/mailman/listinfo/authentication
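As an added illustration, not code from realmd or from anyone in this thread: the rule Stephen states (only the domains= line in [sssd] decides which domains are enabled; other domain sections are ignored) and Stef's proposed 'merge' flag for realm_sssd_config_add_domain(), modelled in Python on a constructed sssd.conf. The function names, the settings dict and the sample config are assumptions made for the example.

```python
import configparser

# Constructed sample, modelled on the sssd.conf quoted in the thread:
# the [domain/...] section is pre-present but the realm is NOT listed
# in domains=, which is what Stef suggested Niklas try.
SAMPLE_CONF = """\
[sssd]
domains =
config_file_version = 2
services = nss, pam, ssh, sudo

[domain/openforce.org]
sudo_provider = ldap
ignore_group_members = true
"""

def parse(text):
    # interpolation=None: sssd values such as /home/%u contain literal '%'
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    return cp

def enabled_domains(cp):
    """Only domains= in [sssd] counts; extra [domain/x] sections are ignored."""
    raw = cp.get("sssd", "domains", fallback="") or ""
    return [d.strip() for d in raw.split(",") if d.strip()]

def already_joined(cp, realm):
    """What realmd's 'Already have domain X in sssd.conf' check amounts to."""
    return realm in enabled_domains(cp)

def add_domain(cp, realm, settings, merge):
    """Hypothetical model of the proposed 'merge' argument: with merge=True
    the new settings are appended to an existing [domain/<realm>] section,
    otherwise the section is replaced as realmd does today."""
    section = f"domain/{realm}"
    if cp.has_section(section) and not merge:
        cp.remove_section(section)
    if not cp.has_section(section):
        cp.add_section(section)
    for key, value in settings.items():
        cp.set(section, key, value)  # realmd's own settings win on conflict
    domains = enabled_domains(cp)
    if realm not in domains:
        domains.append(realm)
    cp.set("sssd", "domains", ", ".join(domains))
    return cp
```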


