Bug 1575538 - realm join should not enable use_fully_qualified_names by default
Summary: realm join should not enable use_fully_qualified_names by default
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: realmd
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Sumit Bose
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1619162
 
Reported: 2018-05-07 08:46 UTC by Martin Pitt
Modified: 2018-08-22 12:58 UTC
CC List: 7 users

Fixed In Version: realmd-0.16.3-15.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1619162
Environment:
Last Closed: 2018-08-22 10:54:29 UTC
Type: Bug



Description Martin Pitt 2018-05-07 08:46:59 UTC
Description of problem: Currently `realm join DOMAIN.NAME` always enables `use_fully_qualified_names = True` in /etc/sssd/sssd.conf when joining an IPA domain. This is inconsistent with the FreeIPA documentation and a direct invocation of `ipa-client-install`, which leaves the option to `False`.

This also breaks the FreeIPA documentation that assumes that unqualified user names will get resolved to the IPA users.

Version-Release number of selected component (if applicable):

realmd-0.16.3-7.fc27.x86_64

How reproducible: Always


Steps to Reproduce:
1. realm join MY.DOMAIN
2. id admin

Actual results:

id: ‘admin’: no such user

Expected results:

uid=953000000(admin) gid=953000000(admins) groups=953000000(admins)


Additional info:

There is a lengthy discussion about this on https://pagure.io/freeipa/issue/5350 .

Comment 1 Martin Pitt 2018-05-07 08:52:51 UTC
Example of FreeIPA installation documentation that doesn't work: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-test

If the default behaviour really cannot be changed for backwards compatibility reasons, then could `realm join` at least get an option to leave use_fully_qualified_names alone? (But consider that it would then be inconsistent with the FreeIPA developer's intention forever).

Comment 2 Sumit Bose 2018-05-07 09:40:43 UTC
You can already achieve this by calling:

 echo -e '[domain.name]\nfully-qualified-names = no'  >> /etc/realmd.conf

before calling 'realm join domain.name'.

Would this be sufficient?

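The workaround in comment 2 appends to /etc/realmd.conf with `>>`, which duplicates the section if it is run twice and gives no way to confirm afterwards what `realm join` actually wrote into sssd.conf. The following is an added example, not realmd's code and not part of the original report: two POSIX shell helpers that seed a realmd.conf idempotently (an existing `fully-qualified-names` key in the `[domain]` section is rewritten rather than appended again) and read back the effective `use_fully_qualified_names` value for a domain from an sssd.conf, treating a missing key as `false` because that is sssd's documented default. File paths are arguments so the helpers can be exercised on scratch copies; the demo at the bottom runs on constructed files. The `[domain.name]` section name in realmd.conf and the `[domain/NAME]` section name in sssd.conf follow the respective man pages.

```shell
#!/bin/sh
# Added example, not realmd's own code. Two helpers for the workaround in
# comment 2: seed realmd.conf idempotently before `realm join`, and read back
# the effective use_fully_qualified_names value from sssd.conf afterwards.
# File paths are arguments so the functions can be exercised on scratch
# copies; /etc/realmd.conf and /etc/sssd/sssd.conf are the real targets.

# realmd_fqn_off DOMAIN FILE
# Ensure FILE has "fully-qualified-names = no" under a [DOMAIN] section.
# Unlike `echo ... >> FILE` this rewrites an existing key in place, adds the
# key to an existing section, or appends a new section, so repeated runs are safe.
realmd_fqn_off() {
    domain=$1; file=$2
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v dom="$domain" '
        BEGIN { insec = 0; done = 0 }
        /^[ \t]*\[/ {
            # leaving the target section without having seen the key: add it
            if (insec && !done) { print "fully-qualified-names = no"; done = 1 }
            insec = ($0 == "[" dom "]")
        }
        insec && !done && /^[ \t]*fully-qualified-names[ \t]*=/ {
            print "fully-qualified-names = no"; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!insec) print "[" dom "]"
                print "fully-qualified-names = no"
            }
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sssd_fqn DOMAIN FILE
# Print "true" or "false": the effective use_fully_qualified_names for
# [domain/DOMAIN] in FILE. sssd defaults the option to False, so a missing
# key is reported as "false" (the value the FreeIPA docs assume).
sssd_fqn() {
    sec="[domain/$1]"
    awk -v sec="$sec" '
        BEGIN { insec = 0; val = "false" }
        /^[ \t]*\[/ { insec = ($0 == sec) }
        insec && /^[ \t]*use_fully_qualified_names[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            val = tolower($0)
        }
        END { print val }
    ' "$2"
}

# Demo on constructed files: what realmd-0.16.3-7 writes vs. the sssd default.
demo() {
    d=$(mktemp -d) || return 1
    printf '[domain/my.domain]\nid_provider = ipa\nuse_fully_qualified_names = True\n' > "$d/sssd.conf"
    echo "realmd-written sssd.conf: use_fully_qualified_names=$(sssd_fqn my.domain "$d/sssd.conf")"
    realmd_fqn_off my.domain "$d/realmd.conf"
    realmd_fqn_off my.domain "$d/realmd.conf"      # second run changes nothing
    echo "seeded realmd.conf:"; cat "$d/realmd.conf"
    rm -rf "$d"
}
demo
```

On a live host the sequence is `realmd_fqn_off my.domain /etc/realmd.conf`, then `realm join my.domain`, then `sssd_fqn my.domain /etc/sssd/sssd.conf`, which should print `false`; if it prints `true`, `id admin` will keep failing until the key is changed and sssd restarted.
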
Comment 3 Martin Pitt 2018-05-07 09:50:48 UTC
Changing configuration files (regardless of realmd.conf or sssd.conf) works of course. My point is that this does not appear to be a good default behaviour.

I'm asking in the context of Cockpit. When joining a domain through Cockpit's UI (which uses realm join), this really should not change global configuration files: this second-guesses what packages do and makes it much harder to reproduce the same behaviour on the command line. In other words, clicking "join a domain" in Cockpit should behave the same as "realm join".

But this isn't Cockpit-specific; it's a question of what the "qualified domains" default is intended to be. This is currently different between IPA and realm, but shouldn't be.

Comment 4 Dmitri Pal 2018-05-17 17:17:45 UTC
I agree with Martin here. We have features now to help to use short names in the mixed environments so we definitely do not want to force people to always use FQDN.

Comment 5 Tomas Kovar 2018-05-22 13:58:31 UTC
(In reply to Sumit Bose from comment #2)
> You can already achieve this by calling:
> 
>  echo -e '[domain.name]\nfully-qualified-names = no'  >> /etc/realmd.conf
> 
> before calling 'realm join domain.name'.
> 
> Would this be sufficient?

'realm join' is also being called by gnome-initial-setup, when joining the freshly installed computer into a domain. Since F28, anaconda won't allow setting a root password while installing, so you do not have a chance to edit a config file - no root, no local users and no sudoers exist yet. After joining the domain with fully-qualified-names = yes, FreeIPA sudoers rules won't work.

Currently, as it is, the only way to get root/sudo on an F28 machine joined into a domain by the initial setup is via a recovery medium.

Comment 6 Sumit Bose 2018-08-15 09:09:14 UTC
I will change the default for IPA so that 'use_fully_qualified_names = False' is used.

Do you think this is sufficient or is an additional command line option needed as well?

Comment 7 Martin Pitt 2018-08-15 10:17:41 UTC
From my POV changing the default is sufficient, then it's consistent with FreeIPA's default. Thanks!

Comment 8 Tomas Kovar 2018-08-20 11:24:42 UTC
(In reply to Sumit Bose from comment #6)
> I will change the default for IPA so that 'use_fully_qualified_names =
> False' is used.
> 
> Do you think this is sufficient or is an additional command line option
> needed as well?

In Fedora 28, after realm join, I had to run 'authselect select sssd with-mkhomedir with-sudo'. For sssd, there are many more toggles that may be of interest, but I think that configuring sudo is important. Is there any way to run authselect as a part of the join?

Comment 9 Sumit Bose 2018-08-20 14:03:23 UTC
(In reply to Tomas Kovar from comment #8)
> (In reply to Sumit Bose from comment #6)
> > I will change the default for IPA so that 'use_fully_qualified_names =
> > False' is used.
> > 
> > Do you think this is sufficient or is an additional command line option
> > needed as well?
> 
> In Fedora 28, after realm join, I had to run 'authselect select sssd
> with-mkhomedir with-sudo'. For sssd, there are many more toggles, that may
> be of interest, but I think that configuring sudo is important. Is there any
> way to run authselect as a part of the join?

I think the reason that you need to call authselect after join is that realmd already calls authselect, see /usr/lib/realmd/realmd-distro.conf for the command.

ipa-client-install should already call 'authselect select sssd with-mkhomedir with-sudo', but after ipa-client-install has finished, realmd calls the sssd-enable-logins command from /usr/lib/realmd/realmd-distro.conf as well. Here 'authselect select sssd with-mkhomedir --force' is called, which I guess would disable sudo again.

Pavel, do you think it would be good to extend the realmd command like:

... authselect current --raw | grep -q 'sssd.*with-mkhomedir' || /usr/bin/authselect select sssd with-mkhomedir --force ...

so that authselect only sets the config in case it does not match the expectations. Or can you think of a more elegant way to make sure the settings made by ipa-client-install are not overwritten?

Tomas, would you mind opening a new ticket for this issue?

Comment 10 Pavel Březina 2018-08-21 07:56:49 UTC
What is the intention? Maybe you do not have to call authselect for IPA at all since it is already called by ipa-client-install?

There is also the 'authselect enable-feature' command that will enable e.g. with-mkhomedir in the currently selected profile. There is nothing else at the moment, but we can implement something if needed.

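The guard Sumit sketches in comment 9 only checks for `with-mkhomedir`; a bare `authselect select sssd with-mkhomedir --force` that runs after the check fails still drops `with-sudo` and reproduces the problem from comment 8. The following is an added example, not realmd's or authselect's code: pure-shell logic that decides from the output of `authselect current --raw` whether a re-select is needed and, if so, builds the select command with every already-enabled feature kept. It assumes that output is a single line with the profile name first and the enabled features after it (e.g. `sssd with-mkhomedir with-sudo`), empty when nothing is selected; the four states at the bottom are constructed stand-ins for that output. Pavel's `authselect enable-feature` from comment 10 does this merge natively on authselect versions that have it; the functions here model the same decision for the `select ... --force` form the thread quotes.

```shell
#!/bin/sh
# Added example, not realmd's or authselect's own code. Pure-shell logic for the
# guard proposed in comment 9: decide from the output of `authselect current --raw`
# (assumed to be one line, profile name first, then enabled features, e.g.
# "sssd with-mkhomedir with-sudo"; empty when no profile is selected) whether a
# re-select is needed, and build that command so features ipa-client-install
# already enabled (with-sudo) survive instead of being dropped by a bare
# `authselect select sssd with-mkhomedir --force`.

# authselect_missing RAW PROFILE FEATURE...
# Print the FEATUREs not enabled in RAW (all of them when PROFILE is not the
# selected profile); exit 0 when nothing is missing.
authselect_missing() {
    raw=$1; want=$2; shift 2
    cur=${raw%% *}                 # first word is the profile name
    missing=""
    for f in "$@"; do
        found=0
        for w in $raw; do
            [ "$w" = "$f" ] && found=1
        done
        if [ "$cur" != "$want" ] || [ "$found" = 0 ]; then
            missing="$missing $f"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# authselect_ensure_cmd RAW PROFILE FEATURE...
# Print the `authselect select` command that enables FEATURE... while keeping
# every feature already enabled in RAW; print nothing when no change is needed.
authselect_ensure_cmd() {
    raw=$1; want=$2; shift 2
    if authselect_missing "$raw" "$want" "$@" > /dev/null; then
        return 0
    fi
    feats=""
    if [ "${raw%% *}" = "$want" ]; then
        # same profile: carry over what ipa-client-install or the admin enabled
        for w in $raw; do
            [ "$w" = "$want" ] || feats="$feats $w"
        done
    fi
    for f in "$@"; do
        case " $feats " in
            *" $f "*) ;;
            *) feats="$feats $f" ;;
        esac
    done
    printf 'authselect select %s%s --force\n' "$want" "$feats"
}

# On a real host the realmd-distro.conf step would become something like
# (assumption: `authselect current --raw` prints the one-line form above):
#   cmd=$(authselect_ensure_cmd "$(authselect current --raw 2>/dev/null)" sssd with-mkhomedir)
#   [ -z "$cmd" ] || sh -c "$cmd"
# Constructed states below stand in for that output.
for state in "sssd with-mkhomedir with-sudo" "sssd with-sudo" "" "winbind with-mkhomedir"; do
    printf '%-32s -> %s\n' "'$state'" "$(authselect_ensure_cmd "$state" sssd with-mkhomedir)"
done
```

The second state is the one from comment 8: the profile ipa-client-install left behind has `with-sudo` but not `with-mkhomedir`, and the merged command re-selects with both rather than silently discarding sudo.
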
Comment 11 Tomas Kovar 2018-08-22 12:58:05 UTC
> Tomas, would you mind to open a new ticket for this issue?

Added as #1620097.

