Bug 1072458
| Summary: | [RFE] SSSD configuration file test tool (sssd_check) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Mark Heslin 🎸 <mheslin> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | grajaiya, jhrozek, lslebodn, mheslin, mkosek, mupadhye, pbrezina, prd-fedora, sbose, sgoveas |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | 7.1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.14.0-2.el7 | Doc Type: | Enhancement |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 07:10:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1290382 | ||
| Bug Blocks: | 1292074, 1296125, 1313485 | ||
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2269

Moving to 7.1 for now as discussed on the SSSD meeting.

Hi Jakub,

I just wanted to check in and find out what the status is for this - is it still targeted to RHEL 7.1?

I've had several customers with munged configuration files recently which reminded me to reach out for an update.

Thanks,

-m

(In reply to Mark Heslin from comment #4)
> Hi Jakub,
>
> I just wanted to check in and find out what the status is for this - is it
> still targeted to RHEL 7.1?
>
> I've had several customers with munged configuration files recently which
> reminded me to reach out for an update.
>
> Thanks,
>
> -m

No it's not, sorry. Currently it's 7.2 at the earliest. It would be helpful if you could link the customer cases to the BZ so we know how many customers request the feature and plan accordingly.

master:
* e088912418fd4db750f2097dfde8ef9b77303f05
* 199984c7972272f8162a356cda139c22f6f08556

Tested with sssd-1.14.0-27.el7.x86_64

Steps followed during verification:
1) Install the sssd-tools package.
2) Create the sssd.conf.
3) Run sssctl config-check.

config-check detects typos in option name (not value), typos in section name and misplaced options. Additionally the config-check also reports when something unexpected happens during configuration merging but does not check which option is missing.
-------------------------------------------------------------
sssd.conf without any typos in option name and section name
-------------------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 0
Messages generated during configuration merging: 0
Used configuration snippet files: 0

-------------------------------------------------
sssd.conf with typos in option name
-------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'search_base' is not allowed in section 'domain/LDAP'. Check for typos.
Messages generated during configuration merging: 0
Used configuration snippet files: 0

------------------------------------------------
sssd.conf with typos in section name
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LAP]
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server ~]# sssctl config-check
(Fri Sep 2 11:40:43:603218 2016) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [LDAP]
(Fri Sep 2 11:40:43:603339 2016) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [LDAP], skipping!
(Fri Sep 2 11:40:43:603361 2016) [sssd] [confdb_get_domains] (0x0010): No properly configured domains, fatal error!
.

------------------------------------------------
sssd.conf with misplaced option
------------------------------------------------
#cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
services = nss, pam
search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10

[root@server sssd]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_domain_options]: Attribute 'services' is not allowed in section 'domain/LDAP'. Check for typos.
Messages generated during configuration merging: 0
Used configuration snippet files: 0

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html
Description of problem:

The sssd.conf file has many parameters and options but no clean, efficient way to check the file for correctness - typos, incorrect parameter contexts, leading spaces, etc.

Some checking is done when sssd is started but if problems are encountered, the usual result is sssd fails to start and any warnings, errors are logged but not always useful.

Having a stand-alone utility "sssd_check" (similar to the testparm tool included with Samba) has the potential to save much troubleshooting time for all.

This makes good business sense given the fact that SSSD is installed by default on RHEL, and its interest and use continues to grow.

Version-Release number of selected component (if applicable):
RHEL 6.5+, RHEL 7+

How reproducible: n/a

Steps to Reproduce:
1. n/a
2.
3.

Actual results: n/a

Expected results: n/a

Additional info:

From a high level sssd_check could operate (similar to Samba testparm) as follows:

# sssd_check --help
Usage: [OPTION...] <config_file>
  -v, --verbose                  Show default options
  -l, --skip-logic-checks        Skip the global checks
  --show-all-parameters          Show the parameters, type, possible values
  --parameter-name=STRING        Limit testparm to a named parameter
  --section-name=STRING          Limit testparm to a named section

Help options:
  -?, --help                     Show this help message
  --usage                        Display brief usage message

Common sssd options:
  -V, --version                  Print version

Common sssd debugging:
  -d, --debuglevel=DEBUGLEVEL    Set debug level

Common sssd commandline config:
  --option=name=value            Set sssd.conf option from command line

Notes:
1. If no config_file is specified then the default /etc/sssd/sssd.conf is used
2. Comments are stripped out of the output

Using the following file as an example:

[sssd]
config_file_version = 2
debug_level = 0
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam
# Uncomment/adjust as needed if IMU is not used:
#override_homedir = /home/%d/%u
#default_shell = /bin/bash

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad
# Permits offline logins:
# cache_credentials = true
# Use when service discovery not working:
# ad_server = win-srv1.refarch-ad.cloud.lab.eng.bos.redhat.com
# Enables use of POSIX UID's and GID's:
ldap_id_mapping = false

the examples below demonstrate its usage and output.

----------------------------
Example 1 - display version:
----------------------------
# check_sssd --version
Version 1.2.3-456.el6.5

-------------------------------
Example 2 - check on good file:
-------------------------------
# check_sssd
Loading sssd config file from /etc/sssd/sssd.conf
Loaded file OK.
Server role: DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[sssd]
config_file_version = 2
debug_level = 0
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad
ldap_id_mapping = false

---------------------------------------------------------------------
Example 3 - check on non-default file with bad parameter (foo = bar):
---------------------------------------------------------------------
# check_sssd -f /etc/sssd/sssd.conf.bad
Loading sssd config file from /etc/sssd/sssd.conf.bad
Unknown parameter encountered: "foo"
Ignoring unknown parameter "foo"
Loaded file OK.
Server role: DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[sssd]
config_file_version = 2
debug_level = 0
domains = refarch-ad.cloud.lab.eng.bos.redhat.com
services = nss, pam

[domain/refarch-ad.cloud.lab.eng.bos.redhat.com]
id_provider = ad
access_provider = ad
ldap_id_mapping = false
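Added example, not part of the bug report and not SSSD's own code: a small Python checker that reproduces the three cases from the verification comment (mistyped option, misplaced option, domain listed in [sssd] without a matching section) and reports the last one as a finding instead of a fatal error. The ALLOWED table is a constructed subset of real option names, and check_config and SAMPLE_CONF are hypothetical names chosen for this sketch.

```python
import configparser

# Constructed subset of real sssd.conf option names (assumption: the schema
# shipped with SSSD is far larger); enough for the cases shown in this report.
ALLOWED = {
    "sssd": {"services", "config_file_version", "domains", "debug_level"},
    "domain": {"id_provider", "auth_provider", "access_provider", "ldap_uri",
               "ldap_search_base", "ldap_tls_cacert", "ldap_id_mapping",
               "cache_credentials", "ad_server", "debug_level"},
}

# Sample input modelled on the clean file in the verification comment.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
debug_level = 10
"""

def check_config(text):
    """Return a list of findings for sssd.conf content given as a string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"parse error: {exc}"]
    findings = []
    for section in cp.sections():
        kind = "domain" if section.startswith("domain/") else section
        if kind not in ALLOWED:
            findings.append(f"unknown section '{section}'")
            continue
        for option in cp.options(section):
            if option not in ALLOWED[kind]:
                findings.append(f"attribute '{option}' is not allowed in section '{section}'")
    # A domain enabled in [sssd] must have its own [domain/NAME] section.
    for name in cp.get("sssd", "domains", fallback="").split(","):
        name = name.strip()
        if name and not cp.has_section(f"domain/{name}"):
            findings.append(f"domain '{name}' has no [domain/{name}] section")
    return findings
```

Calling check_config(SAMPLE_CONF) returns an empty list; renaming the section header to [domain/LAP] yields a single finding naming the orphaned domain.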