Bug 967569
| Summary: | The default-home and default-shell of realmd.conf seems not working | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> | ||||
| Component: | realmd | Assignee: | Stef Walter <stefw> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | David Spurek <dspurek> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 7.0 | CC: | dspurek, ebenes, pkis, stefw | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | realmd-0.14.3-1 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-06-13 09:37:59 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 917637 | ||||||
| Attachments: |
|
||||||
|
Description
Patrik Kis
2013-05-27 13:24:23 UTC
The home directory takes effect for me. You need to remember to restart realmd after changing realmd.conf But the default shell does not get set appropriately. Thanks for catching that. The problem with this is that the default_shell setting is in the [nss] section and is global to all sssd.conf domains. We need to figure out how to support custom admin modifications of /etc/sssd/sssd.conf and not overwrite them every time we join a new domain. It may be that the user customizes /etc/sssd/sssd.conf and sets a default_shell, and then joins a domain. realmd shouldn't overwrite it with the defaults again. Patrik, do you have any ideas on how we could handle the above? Shell and home are correctly set in /etc/sssd/sssd.conf in my case, but doesn't take effect. Realmd service is restarted after changes. Joining to IPA domain.
[users]
default-home = /home/%D/test/%U
default-shell = /bin/ksh
:: [ PASS ] :: Running 'cat /etc/realmd.conf' (Expected 0, got 0)
:: [ PASS ] :: Running 'systemctl restart realmd.service' (Expected 0, got 0)
realmd.service - Realm and Domain Configuration
Loaded: loaded (/usr/lib/systemd/system/realmd.service; static)
Active: active (running) since Tue 2013-07-16 02:13:00 EDT; 55ms ago
Docs: man:realmd(8)
Main PID: 10263 (realmd)
CGroup: name=systemd:/system/realmd.service
└─10263 /usr/lib64/realmd/realmd
Jul 16 02:12:40 client.ipa.baseos.qe systemd[1]: Starting Realm and Domain C....
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: Loaded settings from: /us...
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: holding daemon: startup
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: starting service
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: connected to bus
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: released daemon: startup
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: couldn't claim service na...
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: ** Message: couldn't clai...
Jul 16 02:13:00 client.ipa.baseos.qe realmd[10263]: claimed name on bus: org....
Jul 16 02:13:00 client.ipa.baseos.qe systemd[1]: Started Realm and Domain Co....
:: [ PASS ] :: Running 'systemctl status realmd.service' (Expected 0, got 0)
realm -v join --user=admin ipa.baseos.qe
* Resolving: _ldap._tcp.ipa.baseos.qe
* Performing LDAP DSE lookup on: 10.34.24.252
* Successfully discovered: ipa.baseos.qe
Password for admin:
* Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
* LANG=C /usr/sbin/ipa-client-install --domain ipa.baseos.qe --realm IPA.BASEOS.QE --mkhomedir --enable-dns-updates --unattended --principal admin -W --force-ntpd
Discovery was successful!
Hostname: client.ipa.baseos.qe
Realm: IPA.BASEOS.QE
DNS Domain: ipa.baseos.qe
IPA Server: server.ipa.baseos.qe
BaseDN: dc=ipa,dc=baseos,dc=qe
Synchronizing time with KDC...
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.BASEOS.QE
Issuer: CN=Certificate Authority,O=IPA.BASEOS.QE
Valid From: Tue Apr 30 14:33:21 2013 UTC
Valid Until: Sat Apr 30 14:33:21 2033 UTC
Enrolled in IPA realm IPA.BASEOS.QE
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.BASEOS.QE
trying https://server.ipa.baseos.qe/ipa/xml
Forwarding 'env' to server 'https://server.ipa.baseos.qe/ipa/xml'
DNS server record set to: client.ipa.baseos.qe -> 192.168.100.250
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server 'https://server.ipa.baseos.qe/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
* /usr/bin/systemctl enable sssd.service
* /usr/bin/systemctl restart sssd.service
* /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service
* Successfully enrolled machine in realm
Output of getent.passwd:
amy.qe:*:903600006:903600006:Amy Amy:/home/amy:/bin/sh
[test]su - amy.qe
Last login: Tue Jul 16 02:20:57 EDT 2013 from localhost on pts/2
-sh-4.2$ env |grep -e HOME -e SHELL
SHELL=/bin/sh
HOME=/home/amy
[test]cat /etc/sssd/sssd.conf
[domain/ipa.baseos.qe]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.baseos.qe
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.ipa.baseos.qe
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, server.ipa.baseos.qe
ldap_tls_cacert = /etc/ipa/ca.crt
realmd_tags = manages-system
use_fully_qualified_names = True
fallback_homedir = /home/%d/test/%u
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = ipa.baseos.qe
[nss]
default_shell = /bin/ksh
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[test]rpm -q sssd
sssd-1.10.0-18.el7.x86_64
[test]rpm -q realmd
realmd-0.14.2-3.el7.x86_64
(In reply to David Spurek from comment #4) > Shell and home are correctly set in /etc/sssd/sssd.conf in my case, but > doesn't take effect. Realmd service is restarted after changes. Joining to > IPA domain. It's highly likely that the IPA users in question already have shell and home directory specified per account in the domain. This is about the *default* shell and home directory. So, unless I'm misdiagnosing this, NOTABUG for you. On the other hand still interested in responses to comment #3 (In reply to Stef Walter from comment #3) > The problem with this is that the default_shell setting is in the [nss] > section and is global to all sssd.conf domains. > > We need to figure out how to support custom admin modifications of > /etc/sssd/sssd.conf and not overwrite them every time we join a new domain. > > It may be that the user customizes /etc/sssd/sssd.conf and sets a > default_shell, and then joins a domain. realmd shouldn't overwrite it with > the defaults again. > > Patrik, do you have any ideas on how we could handle the above? Yes, sssd man page says: default_shell The default shell to use if the provider does not return one during lookup. This option supersedes any other shell options if it takes effect and can be set either in the [nss] section or per-domain. And I also tested it and it works as expected: the domain settings takes precedence over nss one. 0 [root@rhel7 ~ ]# cat /etc/sssd/sssd.conf [sssd] domains = ad.baseos.qe config_file_version = 2 services = nss, pam [nss] default_shell = /bin/bash [domain/ad.baseos.qe] ad_domain = ad.baseos.qe krb5_realm = AD.BASEOS.QE realmd_tags = manages-system cache_credentials = True id_provider = ad krb5_store_password_if_offline = True ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%d/%u access_provider = ad 0 [root@rhel7 ~ ]# service sssd restart Redirecting to /bin/systemctl restart sssd.service 0 [root@rhel7 ~ ]# getent passwd amy.qe amy.qe:*:1197601113:1197600513:Amy:/home/ad.baseos.qe/amy:/bin/bash 0 [root@rhel7 ~ ]# ... [root@rhel7 ~ ]# cat /etc/sssd/sssd.conf [sssd] domains = ad.baseos.qe config_file_version = 2 services = nss, pam [nss] default_shell = /bin/bash [domain/ad.baseos.qe] ad_domain = ad.baseos.qe krb5_realm = AD.BASEOS.QE realmd_tags = manages-system cache_credentials = True id_provider = ad krb5_store_password_if_offline = True ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%d/%u access_provider = ad default_shell = /usr/bin/sh 0 [root@rhel7 ~ ]# service sssd restart Redirecting to /bin/systemctl restart sssd.service 0 [root@rhel7 ~ ]# getent passwd amy.qe amy.qe:*:1197601113:1197600513:Amy:/home/ad.baseos.qe/amy:/usr/bin/sh 0 [root@rhel7 ~ ]# Created attachment 776888 [details]
Set sssd.conf default_shell per domain
This allows for much more predictable configuration, when an admin
has set the global option.
Attachment 776888 [details] pushed as ebd0468 - Set sssd.conf default_shell per domain
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |