[Authentication] realmd erroneously reports "already joined" if /etc/sssd/sssd.conf is pre-present.

Niklas Andersson niklas.andersson at openforce.se
Thu Nov 19 04:28:15 PST 2015


Sorry Stef. Python is as far as I dare to go :-)

Regards,
Niklas

On 19/11/15 13:25, Stef Walter wrote:
> On 19.11.2015 13:19, Niklas Andersson wrote:
>> Hi Stef,
>>
>>   Well, yes. At least the join started when I commented out the #domains,
>> but then I got this error during the join:
>>
>>   ! Failed to enroll machine in realm: Already have domain openforce.org
>> in sssd.conf config file.
> Let's fix this bug, then your use case will work. Are you interested in
> contributing a fix? The code is here:
>
> http://cgit.freedesktop.org/realmd/realmd/tree/service/realm-sssd-config.c
>
> I think we need to add a boolean 'merge' argument to
> realm_sssd_config_add_domain() which when set appends to the domain
> section, rather than replacing it.
>
> And we would set that flag here:
>
> http://cgit.freedesktop.org/realmd/realmd/tree/service/realm-sssd-ad.c#n188
>
> Stef
>
>>   Being able to not start sssd per default (as an option perhaps), would
>> solve the problem, because that would give the admin some time to
>> customize sssd.conf before service is started.
>>
>> Regards,
>> Niklas
>>
>>
>>
>>
>> On 19/11/15 13:09, Stef Walter wrote:
>>> On 19.11.2015 13:06, Stephen Gallagher wrote:
>>>>> On Nov 19, 2015, at 7:01 AM, Stef Walter <stefw at gnome.org> wrote:
>>>>>
>>>>>> On 19.11.2015 12:51, Niklas Andersson wrote:
>>>>>> Well,
>>>>>>
>>>>>> I want to add support for sudo in ldap for example, and
>>>>>> ignore_group_members, set some pam stuff. Paste the sssd.conf
>>>>>> here below.
>>>>> When asked to configure sssd (the default) realmd uses sssd.conf as
>>>>> the authoritative source of 'which domains am I joined to?'
>>>>> information.
>>>>>
>>>>> I wonder if there's a present-but-disabled setting in sssd.conf
>>>>> that could be useful in this case?
>>>>>
>>>> The domains= line in the [SSSD] section is the authoritative list of
>>>> enabled domains. All other domain sections are ignored.
>>> Niklas, does it work to include the new appropriately named section, but
>>> leave the domain name out of the domains= line? Will realmd then update
>>> the domains line, and further populate the [openforce.org] section?
>>>
>>> Stef
>>>
>>>>> Stef
>>>>>
>>>>>> [sssd]
>>>>>> domains = openforce.org
>>>>>> config_file_version = 2
>>>>>> services = nss, pam, ssh, sudo
>>>>>>
>>>>>> [ssh]
>>>>>>
>>>>>> [sudo]
>>>>>>
>>>>>> [pam]
>>>>>> offline_credentials_expiration = 60
>>>>>> pam_pwd_expiration_warning = 14
>>>>>>
>>>>>> [nss]
>>>>>>
>>>>>> [domain/openforce.org]
>>>>>> id_provider = ad
>>>>>> sudo_provider = ldap
>>>>>> ignore_group_members = true
>>>>>> dyndns_update = false
>>>>>> use_fully_qualified_names = False
>>>>>> lookup_family_order = ipv4_only
>>>>>> cache_credentials = True
>>>>>> fallback_homedir = /home/%u
>>>>>> create_homedir = True
>>>>>> override_shell = /bin/bash
>>>>>> #
>>>>>> # Sudo
>>>>>> #
>>>>>> ldap_uri = ldap://srv11.openforce.org
>>>>>> ldap_sudo_search_base = ou=SUDOers,dc=openforce,dc=org
>>>>>> ldap_default_bind_dn = cn=admin,dc=openforce,dc=org
>>>>>> ldap_default_authtok = secret
>>>>>>
>>>>>> Regards,
>>>>>> Niklas
>>>>>>
>>>>>>> On 19/11/15 12:47, Stephen Gallagher wrote:
>>>>>>>
>>>>>>>> On Nov 19, 2015, at 6:35 AM, Niklas Andersson
>>>>>>>> <niklas.andersson at openforce.se> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I just ran into an oddity with realmd. It seems that if there
>>>>>>>> already is a preconfigured /etc/sssd/sssd.conf present, realm
>>>>>>>> will erroneously report that the client is already joined to
>>>>>>>> a domain.
>>>>>>>>
>>>>>>>> The thing is that I want to tweak the sssd.conf for our
>>>>>>>> domain before sssd is started, and it seems like I can't do
>>>>>>>> that because:
>>>>>>>>
>>>>>>>> a) If I pre-configure /etc/sssd/sssd.conf, realm won't join.
>>>>>>>>
>>>>>>>> b) If I don't pre-configure, realm automatically generates a
>>>>>>>> default /etc/sssd/sssd.conf and starts the service right
>>>>>>>> after that.
>>>>>>>>
>>>>>>>> Is there some way I can fix this nicely?
>>>>>>>>
>>>>>>> Could you specify what tweaks in particular that you are trying
>>>>>>> to apply?
>>>>> _______________________________________________
>>>>> Authentication mailing list
>>>>> Authentication at lists.freedesktop.org
>>>>> http://lists.freedesktop.org/mailman/listinfo/authentication
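Added example, not realmd's code and not written by anyone in this thread: a small Python model of the two behaviours under discussion, the domains= line in [sssd] being the authoritative "am I joined?" signal, and a merge flag that keeps an admin's pre-configured [domain/...] section instead of replacing it. The function names, the constructed sssd.conf sample and the rule that an admin's existing key wins on conflict are assumptions, not realmd's real realm_sssd_config_add_domain() API.

```python
import configparser

# Constructed sample, modelled on the pre-configured file quoted in the thread.
SAMPLE_CONF = """\
[sssd]
domains = openforce.org
config_file_version = 2
services = nss, pam, ssh, sudo

[domain/openforce.org]
id_provider = ad
sudo_provider = ldap
ignore_group_members = true
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)  # sssd uses %u literally
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp

def enabled_domains(cp):
    """domains= in [sssd] is the authoritative list of enabled domains."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]

def is_joined(cp, domain):
    """What realmd treats as 'already joined': the name is on the domains= line."""
    return domain in enabled_domains(cp)

def add_domain(cp, domain, settings, merge=False):
    """Write [domain/<name>] and enable it in domains=. merge=False replaces an
    existing section (losing admin tweaks); merge=True keeps it and only adds
    missing keys (the flag proposed in the thread; admin-wins is an assumption)."""
    section = "domain/" + domain
    if cp.has_section(section) and not merge:
        cp.remove_section(section)
    if not cp.has_section(section):
        cp.add_section(section)
    for key, value in settings.items():
        if not (merge and cp.has_option(section, key)):
            cp.set(section, key, value)
    doms = enabled_domains(cp)
    if domain not in doms:
        doms.append(domain)
    cp.set("sssd", "domains", ", ".join(doms))
    return cp
```

With the sample as pasted, is_joined() is true, which is the "Already have domain" error; leaving openforce.org out of domains= but keeping the section, as Stef suggests testing, makes it false while merge=True preserves ignore_group_members.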