Description of problem: Currently `realm join DOMAIN.NAME` always enables `use_fully_qualified_names = True` in /etc/sssd/sssd.conf when joining an IPA domain. This is inconsistent with the FreeIPA documentation and a direct invocation of `ipa-client-install`, which leaves the option to `False`.
This also breaks the FreeIPA documentation that assumes that unqualified user names will get resolved to the IPA users.
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
1. realm join MY.DOMAIN
2. id admin
Actual results:
id: ‘admin’: no such user
Expected results:
uid=953000000(admin) gid=953000000(admins) groups=953000000(admins)
There is a lengthy discussion about this on https://pagure.io/freeipa/issue/5350 .
Example of FreeIPA installation documentation that doesn't work: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-test
If the default behaviour really cannot be changed for backwards compatibility reasons, then could `realm join` at least get an option to leave use_fully_qualified_names alone? (But consider that it would then be inconsistent with the FreeIPA developer's intention forever).
You can already achieve this by calling:
echo -e '[domain.name]\nfully-qualified-names = no' >> /etc/realmd.conf
before calling 'realm join domain.name'.
Would this be sufficient?
Changing configuration files (regardless of realmd.conf or sssd.conf) works of course. My point is that this does not appear to be a good default behaviour.
I'm asking in the context of Cockpit. When joining a domain through Cockpit's UI (which uses realm join), this really should not change global configuration files: this second-guesses what packages do and makes it much harder to reproduce the same behaviour on the command line. In other words, clicking "join a domain" in Cockpit should behave the same as "realm join".
But this isn't Cockpit-specific; it's a question of what the "qualified domains" default is intended to be. This is currently different between IPA and realm, but shouldn't be.
I agree with Martin here. We have features now to help use short names in mixed environments, so we definitely do not want to force people to always use FQDNs.
(In reply to Sumit Bose from comment #2)
> You can already achieve this by calling:
> echo -e '[domain.name]\nfully-qualified-names = no' >> /etc/realmd.conf
> before calling 'realm join domain.name'.
> Would this be sufficient?
'realm join' is also being called by gnome-initial-setup when joining the freshly installed computer into a domain. Since F28, anaconda won't allow setting a root password while installing, so you do not have a chance to edit a config file: no root, no local users and no sudoers exist yet. After joining the domain with fully-qualified-names = yes, FreeIPA sudoers rules won't work.
Currently as it is, the only way to get a root/sudo at a F28 machine joined by the initial setup into domain is via recovery medium.
I will change the default for IPA so that 'use_fully_qualified_names = False' is used.
Do you think this is sufficient or is an additional command line option needed as well?
From my POV changing the default is sufficient, then it's consistent with FreeIPA's default. Thanks!
(In reply to Sumit Bose from comment #6)
> I will change the default for IPA so that 'use_fully_qualified_names =
> False' is used.
> Do you think this is sufficient or is an additional command line option
> needed as well?
In Fedora 28, after realm join, I had to run 'authselect select sssd with-mkhomedir with-sudo'. For sssd, there are many more toggles, that may be of interest, but I think that configuring sudo is important. Is there any way to run authselect as a part of the join?
(In reply to Tomas Kovar from comment #8)
> (In reply to Sumit Bose from comment #6)
> > I will change the default for IPA so that 'use_fully_qualified_names =
> > False' is used.
> > Do you think this is sufficient or is an additional command line option
> > needed as well?
> In Fedora 28, after realm join, I had to run 'authselect select sssd
> with-mkhomedir with-sudo'. For sssd, there are many more toggles, that may
> be of interest, but I think that configuring sudo is important. Is there any
> way to run authselect as a part of the join?
I think the reason that you need to call authselect after join is that realmd already calls authselect, see /usr/lib/realmd/realmd-distro.conf for the command.
ipa-client-install should already call 'authselect select sssd with-mkhomedir with-sudo', but after ipa-client-install finishes, realmd calls sssd-enable-logins from /usr/lib/realmd/realmd-distro.conf as well. Here 'authselect select sssd with-mkhomedir --force' is called, which I guess would disable sudo again.
Pavel, do you think it would be good to extend the realmd command like:
... authselect current --raw | grep -q 'sssd.*with-mkhomedir' || /usr/bin/authselect select sssd with-mkhomedir --force ...
so that authselect only sets the config in case it does not match the expectations. Or can you think of a more elegant way to make sure the settings done by ipa-client-install are not overwritten?
Tomas, would you mind opening a new ticket for this issue?
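The three things this thread turns on (the use_fully_qualified_names value realmd writes into the IPA domain section of sssd.conf, the realmd.conf pre-seed from comment #2, and the "only run authselect when the current profile does not already fit" check proposed above) can be checked from a shell script. The following is an added example written for this page; it is not realmd, FreeIPA or authselect code. It works on config files and on a string shaped like the output of `authselect current --raw` (profile name followed by enabled features on one line), so it runs offline; the domain name ipa.example.test, the sample sssd.conf contents and the temporary file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not realmd/FreeIPA/authselect code. The domain name,
# sample configs and temp paths below are constructed for illustration.

# Print the value of use_fully_qualified_names in the [domain/<name>]
# section of an sssd.conf, lower-cased, or "unset" when the option is
# absent (sssd's own default is False, so "unset" means short names
# such as "admin" resolve; "true" is the state this bug reports).
#   $1 = path to sssd.conf, $2 = domain section name
fqn_setting() {
    awk -F '=' -v want="[domain/$2]" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^[#;]/ { next }                      # skip comments
        line ~ /^\[/   { insect = (line == want); next }
        insect && line ~ /^use_fully_qualified_names[ \t]*=/ {
            val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
            print tolower(val); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 when an `authselect current --raw` line names the sssd
# profile with every feature given as a further argument. The idea from
# the comment above: run this before the forced `authselect select` in
# realmd-distro.conf and skip it when the profile already fits, so the
# with-sudo that ipa-client-install enabled is not thrown away.
#   $1 = raw authselect line, $2.. = required features
profile_satisfies() {
    raw="$1"; shift
    case "$raw" in
        sssd|sssd\ *) ;;
        *) return 1 ;;
    esac
    for feature in "$@"; do
        case " $raw " in
            *" $feature "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Idempotent form of the pre-seed from comment #2: append a [<domain>]
# section with fully-qualified-names = no to a realmd.conf unless that
# section is already there. This has to happen before `realm join`.
#   $1 = domain, $2 = path to realmd.conf
preseed_realmd() {
    domain="$1"; conf="$2"
    if grep -qixF -- "[$domain]" "$conf" 2>/dev/null; then
        return 0
    fi
    printf '\n[%s]\nfully-qualified-names = no\n' "$domain" >> "$conf"
}

# --- constructed sample input, not taken from a real host ---
work=$(mktemp -d)
cat > "$work/sssd.conf" <<'EOF'
[sssd]
domains = ipa.example.test
services = nss, pam, sudo

[domain/ipa.example.test]
id_provider = ipa
ipa_domain = ipa.example.test
use_fully_qualified_names = True
EOF

echo "sssd.conf: use_fully_qualified_names = $(fqn_setting "$work/sssd.conf" ipa.example.test)"

# What realmd's forced select leaves behind vs. what ipa-client-install set.
if profile_satisfies "sssd with-mkhomedir" with-mkhomedir with-sudo; then
    echo "authselect: profile already complete, forced select can be skipped"
else
    echo "authselect: with-sudo missing, a forced 'select sssd with-mkhomedir' would keep it off"
fi

preseed_realmd ipa.example.test "$work/realmd.conf"
preseed_realmd ipa.example.test "$work/realmd.conf"   # second call is a no-op
echo "realmd.conf after pre-seed:"
cat "$work/realmd.conf"
rm -rf "$work"
```

Running it as a user without root only touches the temporary directory; to audit a real client, point fqn_setting at /etc/sssd/sssd.conf and feed profile_satisfies the actual `authselect current --raw` output.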
What is the intention? Maybe you do not have to call authselect for IPA at all since it is already called by ipa-client-install?
There is also 'authselect enable-feature' command that will enable e.g. with-mkhomedir in currently selected profile. There is nothing else at the moment, but we can implement something if needed.
> Tomas, would you mind to open a new ticket for this issue?
Added as #1620097.