[Authentication] realmd erroneously reports "already joined" if /etc/sssd/sssd.conf is pre-present.

Stef Walter stefw at gnome.org
Thu Nov 19 04:46:44 PST 2015


Fair enough. Here's an untested patch. Could you report back if it
solves your problem?

https://bugs.freedesktop.org/show_bug.cgi?id=93011

Stef

On 19.11.2015 13:28, Niklas Andersson wrote:
> Sorry Stef. Python is as far as I dare to go :-)
> 
> Regards,
> Niklas
> 
> On 19/11/15 13:25, Stef Walter wrote:
>> On 19.11.2015 13:19, Niklas Andersson wrote:
>>> Hi Stef,
>>>
>>>   Well, yes. At least the join started when I commented out the #domains,
>>> but then I got this error during the join:
>>>
>>>   ! Failed to enroll machine in realm: Already have domain openforce.org
>>> in sssd.conf config file.
>> Let's fix this bug, then your use case will work. Are you interested in
>> contributing a fix? The code is here:
>>
>> http://cgit.freedesktop.org/realmd/realmd/tree/service/realm-sssd-config.c
>>
>>
>> I think we need to add a boolean 'merge' argument to
>> realm_sssd_config_add_domain() which when set appends to the domain
>> section, rather than replacing it.
>>
>> And we would set that flag here:
>>
>> http://cgit.freedesktop.org/realmd/realmd/tree/service/realm-sssd-ad.c#n188
>>
>>
>> Stef
>>
>>>   Being able to not start sssd per default (as an option perhaps), would
>>> solve the problem, because that would give the admin some time to
>>> customize sssd.conf before service is started.
>>>
>>> Regards,
>>> Niklas
>>>
>>>
>>>
>>>
>>> On 19/11/15 13:09, Stef Walter wrote:
>>>> On 19.11.2015 13:06, Stephen Gallagher wrote:
>>>>>> On Nov 19, 2015, at 7:01 AM, Stef Walter <stefw at gnome.org> wrote:
>>>>>>
>>>>>>> On 19.11.2015 12:51, Niklas Andersson wrote:
>>>>>>> Well,
>>>>>>>
>>>>>>> I want to add support for sudo in ldap for example, and
>>>>>>> ignore_group_members, set some pam stuff. Paste the sssd.conf
>>>>>>> here below.
>>>>>> When asked to configure sssd (the default) realmd uses sssd.conf as
>>>>>> the authoritative source of 'which domains am I joined to?'
>>>>>> information.
>>>>>>
>>>>>> I wonder if there's a present-but-disabled setting in sssd.conf
>>>>>> that could be useful in this case?
>>>>>>
>>>>> The domains= line in the [SSSD] section is the authoritative list of
>>>>> enabled domains. All other domain sections are ignored.
>>>> Niklas, does it work to include the new appropriately named section, but
>>>> leave the domain name out of the domains= line? Will realmd then update
>>>> the domains line, and further populate the [openforce.org] section?
>>>>
>>>> Stef
>>>>
>>>>>> Stef
>>>>>>
>>>>>>> [sssd]
>>>>>>> domains = openforce.org
>>>>>>> config_file_version = 2
>>>>>>> services = nss, pam, ssh, sudo
>>>>>>>
>>>>>>> [ssh]
>>>>>>>
>>>>>>> [sudo]
>>>>>>>
>>>>>>> [pam]
>>>>>>> offline_credentials_expiration = 60
>>>>>>> pam_pwd_expiration_warning = 14
>>>>>>>
>>>>>>> [nss]
>>>>>>>
>>>>>>> [domain/openforce.org]
>>>>>>> id_provider = ad
>>>>>>> sudo_provider = ldap
>>>>>>> ignore_group_members = true
>>>>>>> dyndns_update = false
>>>>>>> use_fully_qualified_names = False
>>>>>>> lookup_family_order = ipv4_only
>>>>>>> cache_credentials = True
>>>>>>> fallback_homedir = /home/%u
>>>>>>> create_homedir = True
>>>>>>> override_shell = /bin/bash
>>>>>>> #
>>>>>>> # Sudo
>>>>>>> #
>>>>>>> ldap_uri = ldap://srv11.openforce.org
>>>>>>> ldap_sudo_search_base = ou=SUDOers,dc=openforce,dc=org
>>>>>>> ldap_default_bind_dn = cn=admin,dc=openforce,dc=org
>>>>>>> ldap_default_authtok = secret
>>>>>>>
>>>>>>> Regards,
>>>>>>> Niklas
>>>>>>>
>>>>>>>> On 19/11/15 12:47, Stephen Gallagher wrote:
>>>>>>>>
>>>>>>>>> On Nov 19, 2015, at 6:35 AM, Niklas Andersson
>>>>>>>>> <niklas.andersson at openforce.se> wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I just ran into an oddity with realmd. It seems that if there
>>>>>>>>> already is a preconfigured /etc/sssd/sssd.conf present, realm
>>>>>>>>> will erroneously report that the client is already joined to
>>>>>>>>> a domain.
>>>>>>>>>
>>>>>>>>> The thing is that I want to tweak the sssd.conf for our
>>>>>>>>> domain before sssd is started, and it seems like I can't do
>>>>>>>>> that because:
>>>>>>>>>
>>>>>>>>> a) If I pre-configure /etc/sssd/sssd.conf, realm won't join.
>>>>>>>>>
>>>>>>>>> b) If I don't pre-configure realm automatically generates a
>>>>>>>>> default /etc/sssd/sssd.conf and starts the service right
>>>>>>>>> after that.
>>>>>>>>>
>>>>>>>>> Is there some way I can fix this nicely?
>>>>>>>>>
>>>>>>>> Could you specify what tweaks in particular that you are trying
>>>>>>>> to apply?
>>>>>> _______________________________________________ Authentication
>>>>>> mailing list Authentication at lists.freedesktop.org
>>>>>> http://lists.freedesktop.org/mailman/listinfo/authentication
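
Added example (not realmd's code and not part of the thread): a Python model of the behaviour discussed above, where the domains= line in [sssd] decides whether a domain counts as enabled, and a 'merge' flag lets a pre-existing domain section be extended instead of rejected. The function names, the constructed sample file and the rule that keys already set by the admin win on merge are assumptions.

```python
import configparser
import io

# Constructed sample: the domain section is prepared by the admin, but the
# domain is left out of domains= (the arrangement asked about in the thread).
SAMPLE = """\
[sssd]
domains =
config_file_version = 2
services = nss, pam, ssh, sudo

[domain/openforce.org]
sudo_provider = ldap
fallback_homedir = /home/%u
"""

def load(text):
    # interpolation=None so values such as /home/%u are read literally
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return cp

def enabled_domains(cp):
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]

def domain_state(cp, domain):
    if domain in enabled_domains(cp):
        return "enabled"
    return "section-only" if cp.has_section("domain/" + domain) else "absent"

def add_domain(text, domain, settings, merge=False):
    cp, section = load(text), "domain/" + domain
    if cp.has_section(section) and not merge:
        raise ValueError("Already have domain %s in sssd.conf" % domain)
    if not cp.has_section(section):
        cp.add_section(section)
    for key, value in settings.items():
        if not cp.has_option(section, key):  # assumption: admin's keys win
            cp.set(section, key, value)
    if not cp.has_section("sssd"):
        cp.add_section("sssd")
    cp.set("sssd", "domains", ", ".join(dict.fromkeys(enabled_domains(cp) + [domain])))
    out = io.StringIO()
    cp.write(out)  # note: configparser drops comments on write
    return out.getvalue()
```

With merge=False the pre-existing section triggers the same kind of refusal Niklas saw; with merge=True the join settings are appended and the domain is added to domains=.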


