Bug 1088683
Summary: | ipa-client-install --preserve-sssd does not seem to preserve the sssd configuration | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Michael Gregg <mgregg> | ||||
Component: | ipa | Assignee: | Martin Kosek <mkosek> | ||||
Status: | CLOSED WONTFIX | QA Contact: | Namita Soman <nsoman> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 7.1 | CC: | rcritten, tbabej, xdong | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Known Issue | |||||
Doc Text: |
The ipa-client-install command does not process the --preserve-sssd option correctly when generating the IPA domain configuration in the sssd.conf file. As a consequence, the original configuration of the IPA domain is overwritten. To work around this problem, review sssd.conf after running ipa-client-install to identify and manually fix any unwanted changes.
|
Story Points: | --- | ||||
Clone Of: | Environment: | ||||||
Last Closed: | 2016-01-29 13:20:07 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Michael Gregg
2014-04-17 01:42:43 UTC
Please attach ipaclient-install.log to see the behavior. ipa-client-install retains existing *functional* sssd.conf, I just re-tested with ipa-client-3.3.3-28.el7.x86_64: ==================================== # cat /etc/sssd/sssd.conf [domain/LDAP] cache_credentials = TRUE id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://ldap.mydomain.org ldap_search_base = dc=mydomain,dc=org tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt [sssd] services = nss, pam, ssh config_file_version = 2 domains = LDAP [nss] [pam] [sudo] [autofs] [ssh] [pac] ==================================== # ipa-client-install --domain mkosek-fedora20.test -p admin -w kokos123 Discovery was successful! ... SSSD enabled Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete. ==================================== # cat /etc/sssd/sssd.conf [domain/mkosek-fedora20.test] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = mkosek-fedora20.test id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = vm-067.example.com chpass_provider = ipa ipa_server = _srv_, ipa.mkosek-fedora20.test dns_discovery_domain = mkosek-fedora20.test [domain/LDAP] cache_credentials = TRUE id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://ldap.mydomain.org ldap_search_base = dc=mydomain,dc=org tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt [sssd] services = nss, pam, ssh config_file_version = 2 domains = mkosek-fedora20.test, LDAP [nss] [pam] [sudo] [autofs] [ssh] [pac] ==================================== As you see, DNS domains were merged, SSSD configuration was not lost. Created attachment 887258 [details]
ipaclient install log from ipa install that removes some sssd config
I attached the log from a install that removes the lines from the [nss] section of sssd.conf. Prior to ipa-client-install, the nss section contained: [nss] filter_users = root filter_groups = root This was removed after ipa-client install. Is this because that section was not a functional config? Thanks. I finally see where the problem is. Log contains following messages: 2014-04-17T19:27:40Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf' 2014-04-17T19:27:40Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2014-04-17T19:27:40Z INFO Domain testrelm.test is already configured in existing SSSD config, creating a new one. 2014-04-17T19:27:40Z INFO The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall. 2014-04-17T19:27:40Z INFO Configured /etc/sssd/sssd.conf sssd.conf already contained configuration for the domain (testrelm.com) so it created a new configuration to avoid conflict. However, I do think that when --preserve-sssd flag is enabled, it should not create a new one but error out. Good catch. I will open an upstream ticket. Upstream ticket: https://fedorahosted.org/freeipa/ticket/4315 *** Bug 1188452 has been marked as a duplicate of this bug. *** Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux. Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you. Note that you can still track this request or even contribute patches in the referred upstream Trac ticket. |