Red Hat Bugzilla – Bug 1088683
ipa-client-install --preserve-sssd does not seem to preserve the sssd configuration
Last modified: 2016-01-29 08:20:07 EST
Description of problem:
If the user chooses to preserve the sssd configuration, IPA will overwrite the existing configuration even when --preserve-sssd is specified.

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-25.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a sssd configuration in /etc/sssd/sssd.conf.
2. ipa-client-install --server=$MASTER --password=$ADMINPW --unattended --realm=$RELM --domain=$DOMAIN --principal=$ADMINID --preserve-sssd
3. Observe that the contents of sssd.conf have been cleared.

Actual results:
The sssd config was wiped out and replaced.

Expected results:
I expect ipa to either error out, and not continue, or to integrate its config with the running config where possible.

Additional info:
For a valid, easy to set up sssd.conf, I suggest adding the following to /etc/sssd/sssd.conf:

[nss]
filter_users = root
filter_groups = root
Please attach ipaclient-install.log to see the behavior. ipa-client-install retains an existing *functional* sssd.conf; I just re-tested with ipa-client-3.3.3-28.el7.x86_64:

====================================
# cat /etc/sssd/sssd.conf
[domain/LDAP]
cache_credentials = TRUE
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = LDAP

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
====================================
# ipa-client-install --domain mkosek-fedora20.test -p admin -w kokos123
Discovery was successful!
...
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
====================================
# cat /etc/sssd/sssd.conf
[domain/mkosek-fedora20.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mkosek-fedora20.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = vm-067.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa.mkosek-fedora20.test
dns_discovery_domain = mkosek-fedora20.test

[domain/LDAP]
cache_credentials = TRUE
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = mkosek-fedora20.test, LDAP

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
====================================

As you see, DNS domains were merged, SSSD configuration was not lost.
Created attachment 887258 [details] ipaclient install log from ipa install that removes some sssd config
I attached the log from an install that removes the lines from the [nss] section of sssd.conf. Prior to ipa-client-install, the nss section contained:

[nss]
filter_users = root
filter_groups = root

This was removed after ipa-client-install. Is this because that section was not a functional config?
Thanks. I finally see where the problem is. The log contains the following messages:

2014-04-17T19:27:40Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2014-04-17T19:27:40Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2014-04-17T19:27:40Z INFO Domain testrelm.test is already configured in existing SSSD config, creating a new one.
2014-04-17T19:27:40Z INFO The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
2014-04-17T19:27:40Z INFO Configured /etc/sssd/sssd.conf

sssd.conf already contained configuration for the domain (testrelm.com), so it created a new configuration to avoid conflict. However, I do think that when the --preserve-sssd flag is enabled, it should not create a new one but error out. Good catch. I will open an upstream ticket.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4315
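Added example, not FreeIPA's own code: a merge of the kind the re-test above shows (new [domain/...] section written first, the [sssd] domains list extended, every other section including [nss] copied unchanged) combined with the pre-flight check the log analysis above asks for: if [domain/<ipa_domain>] already exists, refuse instead of starting a fresh file. The function names, the sample sssd.conf (the reporter's [nss] filters plus a minimal LDAP domain) and the hostname/server values are constructed for illustration; the IPA domain options copy those in the merged sssd.conf shown above.

```python
# Added example, not FreeIPA code. Merges an IPA domain into an existing
# sssd.conf (new domain first, [sssd] domains extended, other sections kept)
# and raises when the domain is already present instead of rewriting the
# file. Function names, sample config and host values are constructed here.
import configparser
import io
from typing import Dict, List

# Constructed sample: the reporter's [nss] filters plus a minimal LDAP
# domain and [sssd] section so the file is a usable SSSD configuration.
REPORTER_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.mydomain.org

[nss]
filter_users = root
filter_groups = root
"""


class DomainAlreadyConfigured(Exception):
    """[domain/<ipa_domain>] already exists; with preserve semantics we stop."""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style: '=' delimiters, case-sensitive option names."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def ipa_domain_options(domain: str, hostname: str, server: str) -> Dict[str, str]:
    """Options ipa-client-install wrote in the merged sssd.conf above."""
    return {
        "cache_credentials": "True",
        "krb5_store_password_if_offline": "True",
        "ipa_domain": domain,
        "id_provider": "ipa",
        "auth_provider": "ipa",
        "access_provider": "ipa",
        "ldap_tls_cacert": "/etc/ipa/ca.crt",
        "ipa_hostname": hostname,
        "chpass_provider": "ipa",
        "ipa_server": f"_srv_, {server}",
        "dns_discovery_domain": domain,
    }


def _csv(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def merge_ipa_domain(existing: str, domain: str, hostname: str, server: str) -> str:
    """Return the merged sssd.conf text, or raise if the domain is already there."""
    old = parse_sssd_conf(existing)
    section = f"domain/{domain}"
    if old.has_section(section):
        raise DomainAlreadyConfigured(
            f"[{section}] is already configured in sssd.conf; refusing to overwrite")

    new = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    new.optionxform = str
    new.add_section(section)                     # IPA domain goes first
    for key, value in ipa_domain_options(domain, hostname, server).items():
        new.set(section, key, value)
    for name in old.sections():                  # everything else copied verbatim
        new.add_section(name)
        for key, value in old.items(name):
            new.set(name, key, value)

    if not new.has_section("sssd"):
        new.add_section("sssd")
        new.set("sssd", "config_file_version", "2")
    services = _csv(new.get("sssd", "services", fallback=""))
    for svc in ("nss", "pam", "ssh"):            # services IPA relies on
        if svc not in services:
            services.append(svc)
    new.set("sssd", "services", ", ".join(services))
    domains = _csv(new.get("sssd", "domains", fallback=""))
    new.set("sssd", "domains", ", ".join([domain] + [d for d in domains if d != domain]))

    out = io.StringIO()
    new.write(out)
    return out.getvalue()


if __name__ == "__main__":
    merged = merge_ipa_domain(REPORTER_CONF, "mkosek-fedora20.test",
                              "vm-067.example.com", "ipa.mkosek-fedora20.test")
    print(merged)
    try:  # second run: domain now present, so refuse rather than rewrite
        merge_ipa_domain(merged, "mkosek-fedora20.test",
                         "vm-067.example.com", "ipa.mkosek-fedora20.test")
    except DomainAlreadyConfigured as err:
        print("refused:", err)
```

Run it against a copy of a real /etc/sssd/sssd.conf before invoking ipa-client-install --preserve-sssd: a DomainAlreadyConfigured result is exactly the case in which the installer in this bug discards the existing file, so that is the moment to back it up or clean out the stale domain section by hand.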
*** Bug 1188452 has been marked as a duplicate of this bug. ***
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux. Given that we are unable to fulfill this request in the following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you. Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.