Bug 967569
Summary: | The default-home and default-shell of realmd.conf seems not working | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis>
Component: | realmd | Assignee: | Stef Walter <stefw>
Status: | CLOSED CURRENTRELEASE | QA Contact: | David Spurek <dspurek>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 7.0 | CC: | dspurek, ebenes, pkis, stefw
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | realmd-0.14.3-1 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2014-06-13 09:37:59 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 917637 | |
Attachments: | | |

Description
Patrik Kis
2013-05-27 13:24:23 UTC
The home directory takes effect for me. You need to remember to restart realmd after changing realmd.conf.

But the default shell does not get set appropriately. Thanks for catching that.

The problem with this is that the default_shell setting is in the [nss] section and is global to all sssd.conf domains.

We need to figure out how to support custom admin modifications of /etc/sssd/sssd.conf and not overwrite them every time we join a new domain.

It may be that the user customizes /etc/sssd/sssd.conf and sets a default_shell, and then joins a domain. realmd shouldn't overwrite it with the defaults again.

Patrik, do you have any ideas on how we could handle the above?

Shell and home are correctly set in /etc/sssd/sssd.conf in my case, but doesn't take effect. Realmd service is restarted after changes. Joining to IPA domain.

```
[users]
default-home = /home/%D/test/%U
default-shell = /bin/ksh
:: [ PASS ] :: Running 'cat /etc/realmd.conf' (Expected 0, got 0)
:: [ PASS ] :: Running 'systemctl restart realmd.service' (Expected 0, got 0)
realmd.service - Realm and Domain Configuration
   Loaded: loaded (/usr/lib/systemd/system/realmd.service; static)
   Active: active (running) since Tue 2013-07-16 02:13:00 EDT; 55ms ago
     Docs: man:realmd(8)
 Main PID: 10263 (realmd)
   CGroup: name=systemd:/system/realmd.service
           └─10263 /usr/lib64/realmd/realmd

Jul 16 02:12:40 client.ipa.baseos.qe systemd[1]: Starting Realm and Domain C....
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: Loaded settings from: /us...
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: holding daemon: startup
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: starting service
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: connected to bus
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: released daemon: startup
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: couldn't claim service na...
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: ** Message: couldn't clai...
Jul 16 02:13:00 client.ipa.baseos.qe realmd[10263]: claimed name on bus: org....
Jul 16 02:13:00 client.ipa.baseos.qe systemd[1]: Started Realm and Domain Co....
:: [ PASS ] :: Running 'systemctl status realmd.service' (Expected 0, got 0)
```

```
realm -v join --user=admin ipa.baseos.qe
 * Resolving: _ldap._tcp.ipa.baseos.qe
 * Performing LDAP DSE lookup on: 10.34.24.252
 * Successfully discovered: ipa.baseos.qe
Password for admin:
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain ipa.baseos.qe --realm IPA.BASEOS.QE --mkhomedir --enable-dns-updates --unattended --principal admin -W --force-ntpd
Discovery was successful!
Hostname: client.ipa.baseos.qe
Realm: IPA.BASEOS.QE
DNS Domain: ipa.baseos.qe
IPA Server: server.ipa.baseos.qe
BaseDN: dc=ipa,dc=baseos,dc=qe
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=IPA.BASEOS.QE
    Issuer: CN=Certificate Authority,O=IPA.BASEOS.QE
    Valid From: Tue Apr 30 14:33:21 2013 UTC
    Valid Until: Sat Apr 30 14:33:21 2033 UTC
Enrolled in IPA realm IPA.BASEOS.QE
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.BASEOS.QE
trying https://server.ipa.baseos.qe/ipa/xml
Forwarding 'env' to server 'https://server.ipa.baseos.qe/ipa/xml'
DNS server record set to: client.ipa.baseos.qe -> 192.168.100.250
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server 'https://server.ipa.baseos.qe/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service
 * Successfully enrolled machine in realm
```

Output of getent.passwd:

```
amy.qe:*:903600006:903600006:Amy Amy:/home/amy:/bin/sh
```

```
[test]su - amy.qe
Last login: Tue Jul 16 02:20:57 EDT 2013 from localhost on pts/2
-sh-4.2$ env |grep -e HOME -e SHELL
SHELL=/bin/sh
HOME=/home/amy
```

```
[test]cat /etc/sssd/sssd.conf
[domain/ipa.baseos.qe]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.baseos.qe
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.ipa.baseos.qe
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, server.ipa.baseos.qe
ldap_tls_cacert = /etc/ipa/ca.crt
realmd_tags = manages-system
use_fully_qualified_names = True
fallback_homedir = /home/%d/test/%u
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = ipa.baseos.qe
[nss]
default_shell = /bin/ksh
[pam]
[sudo]
[autofs]
[ssh]
[pac]
```

```
[test]rpm -q sssd
sssd-1.10.0-18.el7.x86_64
[test]rpm -q realmd
realmd-0.14.2-3.el7.x86_64
```

(In reply to David Spurek from comment #4)
> Shell and home are correctly set in /etc/sssd/sssd.conf in my case, but
> doesn't take effect. Realmd service is restarted after changes. Joining to
> IPA domain.

It's highly likely that the IPA users in question already have shell and home directory specified per account in the domain. This is about the *default* shell and home directory.

So, unless I'm misdiagnosing this, NOTABUG for you. On the other hand still interested in responses to comment #3

(In reply to Stef Walter from comment #3)
> The problem with this is that the default_shell setting is in the [nss]
> section and is global to all sssd.conf domains.
>
> We need to figure out how to support custom admin modifications of
> /etc/sssd/sssd.conf and not overwrite them every time we join a new domain.
>
> It may be that the user customizes /etc/sssd/sssd.conf and sets a
> default_shell, and then joins a domain. realmd shouldn't overwrite it with
> the defaults again.
>
> Patrik, do you have any ideas on how we could handle the above?

Yes, sssd man page says:

    default_shell
        The default shell to use if the provider does not return one during
        lookup. This option supersedes any other shell options if it takes
        effect and can be set either in the [nss] section or per-domain.

And I also tested it and it works as expected: the domain setting takes precedence over the nss one.

```
0 [root@rhel7 ~ ]# cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam
[nss]
default_shell = /bin/bash
[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
0 [root@rhel7 ~ ]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
0 [root@rhel7 ~ ]# getent passwd amy.qe
amy.qe:*:1197601113:1197600513:Amy:/home/ad.baseos.qe/amy:/bin/bash
0 [root@rhel7 ~ ]#
...
[root@rhel7 ~ ]# cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam
[nss]
default_shell = /bin/bash
[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
default_shell = /usr/bin/sh
0 [root@rhel7 ~ ]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
0 [root@rhel7 ~ ]# getent passwd amy.qe
amy.qe:*:1197601113:1197600513:Amy:/home/ad.baseos.qe/amy:/usr/bin/sh
0 [root@rhel7 ~ ]#
```

Created attachment 776888
Set sssd.conf default_shell per domain
This allows for much more predictable configuration, when an admin
has set the global option.
Attachment 776888 pushed as ebd0468 - Set sssd.conf default_shell per domain
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
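
The precedence discussed in this thread (a shell returned by the provider, then the per-domain default_shell, then the global [nss] one) can be checked against a given sssd.conf. The following is an added example, not part of the bug thread or of realmd/SSSD code; the helper names and the two-domain sample are constructed, and the model covers only the default_shell behaviour described above.

```python
import configparser

# Constructed sample modelled on the sssd.conf files quoted in the thread.
SAMPLE = """
[sssd]
domains = ad.baseos.qe, ipa.baseos.qe
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/ad.baseos.qe]
id_provider = ad
fallback_homedir = /home/%d/%u
default_shell = /usr/bin/sh

[domain/ipa.baseos.qe]
id_provider = ipa
"""

def load(text):
    # interpolation=None: values such as /home/%d/%u are literal, not templates.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def effective_shell(cp, domain, provider_shell=None):
    """Return (shell, source) for a user of `domain` (hypothetical helper).

    Simplified model: the default only applies when the provider returned
    no shell, and a per-domain default_shell wins over the [nss] one.
    """
    if provider_shell:
        return provider_shell, "provider"
    section = "domain/" + domain
    if cp.has_option(section, "default_shell"):
        return cp.get(section, "default_shell"), section
    if cp.has_option("nss", "default_shell"):
        return cp.get("nss", "default_shell"), "nss"
    return None, "unset"

def domains_on_global_default(cp):
    """Domains whose default shell changes if [nss] default_shell is rewritten."""
    names = [d.strip() for d in cp.get("sssd", "domains").split(",")]
    return [d for d in names if effective_shell(cp, d)[1] == "nss"]
```

Running `domains_on_global_default` before and after a join shows which domains still depend on the global option, which is the situation the per-domain change is meant to make predictable.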