Bug 1088683 - ipa-client-install --preserve-sssd does not seem to preserve the sssd configuration
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
: 1188452 (view as bug list)
Depends On:
Blocks:
 
Reported: 2014-04-17 01:42 UTC by Michael Gregg
Modified: 2016-01-29 13:20 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
The ipa-client-install command does not process the --preserve-sssd option correctly when generating the IPA domain configuration in the sssd.conf file. As a consequence, the original configuration of the IPA domain is overwritten. To work around this problem, review sssd.conf after running ipa-client-install to identify and manually fix any unwanted changes.
Clone Of:
Environment:
Last Closed: 2016-01-29 13:20:07 UTC
Target Upstream Version:


Attachments
ipaclient install log from ipa install that removes some sssd config (30.33 KB, text/x-log)
2014-04-17 19:33 UTC, Michael Gregg

Description Michael Gregg 2014-04-17 01:42:43 UTC
Description of problem:
If the user chooses to preserve the sssd configuration, IPA will overwrite the existing configuration even when --preserve-sssd is specified.

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-25.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. create a sssd configuration in /etc/sssd/sssd.conf. 
2. ipa-client-install --server=$MASTER --password=$ADMINPW --unattended --realm=$RELM --domain=$DOMAIN --principal=$ADMINID --preserve-sssd
3. Observe that the contents of sssd.conf have been cleared.

Actual results:

The sssd config was wiped out and replaced.

Expected results:
I expect ipa to either error out and not continue, or to integrate its config with the running config where possible.

Additional info:

For a valid, easy-to-set-up sssd.conf, I suggest adding the following to /etc/sssd/sssd.conf:

[nss]
filter_users = root
filter_groups = root

Comment 2 Martin Kosek 2014-04-17 08:29:21 UTC
Please attach ipaclient-install.log to see the behavior.

ipa-client-install retains an existing *functional* sssd.conf. I just re-tested with ipa-client-3.3.3-28.el7.x86_64:

====================================
# cat /etc/sssd/sssd.conf
[domain/LDAP]
cache_credentials = TRUE

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = LDAP
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
====================================

# ipa-client-install --domain mkosek-fedora20.test -p admin -w kokos123
Discovery was successful!
...
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

====================================
# cat /etc/sssd/sssd.conf
[domain/mkosek-fedora20.test]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mkosek-fedora20.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = vm-067.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa.mkosek-fedora20.test
dns_discovery_domain = mkosek-fedora20.test
[domain/LDAP]
cache_credentials = TRUE

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = mkosek-fedora20.test, LDAP
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
====================================

As you can see, the DNS domains were merged and the SSSD configuration was not lost.

Comment 3 Michael Gregg 2014-04-17 19:33:21 UTC
Created attachment 887258 [details]
ipaclient install log from ipa install that removes some sssd config

Comment 4 Michael Gregg 2014-04-17 19:35:54 UTC
I attached the log from an install that removes the lines from the [nss] section of sssd.conf.

Prior to ipa-client-install, the nss section contained:

[nss]
filter_users = root
filter_groups = root


This was removed after ipa-client install. Is this because that section was not a functional config?

Comment 5 Martin Kosek 2014-04-18 07:35:32 UTC
Thanks. I finally see where the problem is. The log contains the following messages:

2014-04-17T19:27:40Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2014-04-17T19:27:40Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2014-04-17T19:27:40Z INFO Domain testrelm.test is already configured in existing SSSD config, creating a new one.
2014-04-17T19:27:40Z INFO The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
2014-04-17T19:27:40Z INFO Configured /etc/sssd/sssd.conf

sssd.conf already contained configuration for the domain (testrelm.com) so it created a new configuration to avoid conflict. However, I do think that when --preserve-sssd flag is enabled, it should not create a new one but error out. Good catch.

I will open an upstream ticket.
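The workaround recorded in the Doc Text is to review sssd.conf after ipa-client-install for settings that were silently dropped. The following added example (not part of the bug report or of FreeIPA's code) parses a pre-install and a post-install sssd.conf and reports every option that went missing or changed; the two sample files are constructed to mirror the report, with the domain already configured and custom [nss] filters present beforehand.

```python
import configparser

# Constructed pre-install sssd.conf: the IPA domain is already present (the
# situation Comment 5 describes) and the admin added [nss] filters by hand.
BEFORE = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = testrelm.test

[domain/testrelm.test]
id_provider = ipa
ipa_domain = testrelm.test

[nss]
filter_users = root
filter_groups = root
"""

# Constructed post-install sssd.conf: the installer regenerated the file and
# the hand-written [nss] options are gone.
AFTER = """\
[domain/testrelm.test]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
ipa_domain = testrelm.test

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = testrelm.test

[nss]

[pam]
"""

def parse_sssd_conf(text):
    """Parse sssd.conf (INI syntax) into {section: {option: value}}."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # sssd option names are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def lost_options(before_text, after_text):
    """Return {(section, option): (old, new)} for every pre-install option that
    is missing (new is None) or has a different value after the install.
    Options the installer added are ignored, since those are expected."""
    before, after = parse_sssd_conf(before_text), parse_sssd_conf(after_text)
    return {(s, k): (v, after.get(s, {}).get(k))
            for s, opts in before.items() for k, v in opts.items()
            if after.get(s, {}).get(k) != v}

if __name__ == "__main__":
    for (s, k), (old, new) in sorted(lost_options(BEFORE, AFTER).items()):
        state = "REMOVED" if new is None else f"CHANGED to {new!r}"
        print(f"[{s}] {k} = {old}: {state}")
```

In practice, copy /etc/sssd/sssd.conf aside before running ipa-client-install and feed the saved copy and the new file to lost_options().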

Comment 6 Martin Kosek 2014-04-18 07:53:06 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4315

Comment 8 Xiyang Dong 2015-02-02 23:53:25 UTC
*** Bug 1188452 has been marked as a duplicate of this bug. ***

Comment 9 Martin Kosek 2016-01-29 13:20:07 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in the following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat reconsiders the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.
