Bug 967569 - The default-home and default-shell of realmd.conf seems not working
The default-home and default-shell of realmd.conf seems not working
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: realmd (Show other bugs)
7.0
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Stef Walter
David Spurek
:
Depends On:
Blocks: 917637
  Show dependency treegraph
 
Reported: 2013-05-27 09:24 EDT by Patrik Kis
Modified: 2015-03-02 00:27 EST (History)
4 users (show)

See Also:
Fixed In Version: realmd-0.14.3-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 05:37:59 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Set sssd.conf default_shell per domain (3.58 KB, patch)
2013-07-22 08:35 EDT, Stef Walter
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
FreeDesktop.org 66933 None None None Never

  None (edit)
Description Patrik Kis 2013-05-27 09:24:23 EDT
Description of problem:
The two "users" options in realmd.conf seems not take effect. Or am I expecting something that is not the function of these options.
The sssd.conf after join shows also the default and not the configured values.

Version-Release number of selected component (if applicable):
realmd-0.14.1-1.el7

How reproducible:
always

Steps to Reproduce:

# cat /etc/realmd.conf
[service]
debug = yes
automatic-install = yes

[users]
default-home = /home/%U
default-shell = /bin/sh

[ad.baseos.qe]
user-principal = yes

#
# rm -f /etc/sssd/sssd.conf
## realm -v join -U Bender-admin ad.baseos.qe
 * Resolving: _ldap._tcp.dc._msdcs.ad.baseos.qe
 * Sending MS-CLDAP ping to: 10.34.25.20
 * Successfully discovered: ad.baseos.qe
Password for Bender-admin: 
 * Required files: /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.R4PUXW -U Bender-admin ads join ad.baseos.qe createupn
Enter Bender-admin's password:
DNS update failed: NT_STATUS_UNSUCCESSFUL
Using short domain name -- AD
Joined 'PKIS' to dns domain 'ad.baseos.qe'
DNS Update for pkis.ipa.baseos.qe failed: ERROR_DNS_UPDATE_FAILED
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.R4PUXW -U Bender-admin ads keytab create
Enter Bender-admin's password:
 * /usr/bin/systemctl enable sssd.service
ln -s '/usr/lib/systemd/system/sssd.service' '/etc/systemd/system/multi-user.target.wants/sssd.service'
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable sssd.service
 * Successfully enrolled machine in realm
#
#
# cat /etc/sssd/sssd.conf

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
#

---

$ sshpass -e ssh Bender@ad.baseos.qe@192.168.100.19
...
Last login: Mon May 27 15:07:31 2013 from 192.168.100.1
[bender@ad.baseos.qe@pkis ~]$ 
[bender@ad.baseos.qe@pkis ~]$ env |grep -e HOME -e SHELL
SHELL=/bin/bash
HOME=/home/ad.baseos.qe/bender
[bender@ad.baseos.qe@pkis ~]$
Comment 2 Stef Walter 2013-07-15 11:49:01 EDT
The home directory takes effect for me. You need to remember to restart realmd after changing realmd.conf

But the default shell does not get set appropriately. Thanks for catching that.
Comment 3 Stef Walter 2013-07-15 13:54:20 EDT
The problem with this is that the default_shell setting is in the [nss] section and is global to all sssd.conf domains.

We need to figure out how to support custom admin modifications of /etc/sssd/sssd.conf and not overwrite them every time we join a new domain.

It may be that the user customizes /etc/sssd/sssd.conf and sets a default_shell, and then joins a domain. realmd shouldn't overwrite it with the defaults again.

Patrik, do you have any ideas on how we could handle the above?
Comment 4 David Spurek 2013-07-16 02:31:11 EDT
Shell and home are correctly set in /etc/sssd/sssd.conf in my case, but doesn't take effect. Realmd service is restarted after changes. Joining to IPA domain.

[users]
default-home = /home/%D/test/%U
default-shell = /bin/ksh
:: [   PASS   ] :: Running 'cat /etc/realmd.conf' (Expected 0, got 0)

:: [   PASS   ] :: Running 'systemctl restart realmd.service' (Expected 0, got 0)
realmd.service - Realm and Domain Configuration
   Loaded: loaded (/usr/lib/systemd/system/realmd.service; static)
   Active: active (running) since Tue 2013-07-16 02:13:00 EDT; 55ms ago
     Docs: man:realmd(8)
 Main PID: 10263 (realmd)
   CGroup: name=systemd:/system/realmd.service
           └─10263 /usr/lib64/realmd/realmd

Jul 16 02:12:40 client.ipa.baseos.qe systemd[1]: Starting Realm and Domain C....
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: Loaded settings from: /us...
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: holding daemon: startup
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: starting service
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: connected to bus
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: released daemon: startup
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: couldn't claim service na...
Jul 16 02:12:40 client.ipa.baseos.qe realmd[10263]: ** Message: couldn't clai...
Jul 16 02:13:00 client.ipa.baseos.qe realmd[10263]: claimed name on bus: org....
Jul 16 02:13:00 client.ipa.baseos.qe systemd[1]: Started Realm and Domain Co....
:: [   PASS   ] :: Running 'systemctl status realmd.service' (Expected 0, got 0)

realm -v join --user=admin ipa.baseos.qe
 * Resolving: _ldap._tcp.ipa.baseos.qe
 * Performing LDAP DSE lookup on: 10.34.24.252
 * Successfully discovered: ipa.baseos.qe
Password for admin: 
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain ipa.baseos.qe --realm IPA.BASEOS.QE --mkhomedir --enable-dns-updates --unattended --principal admin -W --force-ntpd
Discovery was successful!
Hostname: client.ipa.baseos.qe
Realm: IPA.BASEOS.QE
DNS Domain: ipa.baseos.qe
IPA Server: server.ipa.baseos.qe
BaseDN: dc=ipa,dc=baseos,dc=qe
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.BASEOS.QE
    Issuer:      CN=Certificate Authority,O=IPA.BASEOS.QE
    Valid From:  Tue Apr 30 14:33:21 2013 UTC
    Valid Until: Sat Apr 30 14:33:21 2033 UTC

Enrolled in IPA realm IPA.BASEOS.QE
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.BASEOS.QE
trying https://server.ipa.baseos.qe/ipa/xml
Forwarding 'env' to server 'https://server.ipa.baseos.qe/ipa/xml'
DNS server record set to: client.ipa.baseos.qe -> 192.168.100.250
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server 'https://server.ipa.baseos.qe/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config

Client configuration complete.
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service
 * Successfully enrolled machine in realm


Output of getent.passwd:
amy@ipa.baseos.qe:*:903600006:903600006:Amy Amy:/home/amy:/bin/sh

[test]su - amy@ipa.baseos.qe
Last login: Tue Jul 16 02:20:57 EDT 2013 from localhost on pts/2
-sh-4.2$ env |grep -e HOME -e SHELL
SHELL=/bin/sh
HOME=/home/amy


[test]cat /etc/sssd/sssd.conf
[domain/ipa.baseos.qe]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.baseos.qe
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.ipa.baseos.qe
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, server.ipa.baseos.qe
ldap_tls_cacert = /etc/ipa/ca.crt
realmd_tags = manages-system
use_fully_qualified_names = True
fallback_homedir = /home/%d/test/%u
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = ipa.baseos.qe
[nss]
default_shell = /bin/ksh

[pam]

[sudo]

[autofs]

[ssh]

[pac]


[test]rpm -q sssd
sssd-1.10.0-18.el7.x86_64
[test]rpm -q realmd
realmd-0.14.2-3.el7.x86_64
Comment 5 Stef Walter 2013-07-16 06:19:34 EDT
(In reply to David Spurek from comment #4)
> Shell and home are correctly set in /etc/sssd/sssd.conf in my case, but
> doesn't take effect. Realmd service is restarted after changes. Joining to
> IPA domain.

It's highly likely that the IPA users in question already have shell and home directory specified per account in the domain. This is about the *default* shell and home directory. So, unless I'm misdiagnosing this, NOTABUG for you.

On the other hand still interested in responses to comment #3
Comment 6 Patrik Kis 2013-07-16 07:34:46 EDT
(In reply to Stef Walter from comment #3)
> The problem with this is that the default_shell setting is in the [nss]
> section and is global to all sssd.conf domains.
> 
> We need to figure out how to support custom admin modifications of
> /etc/sssd/sssd.conf and not overwrite them every time we join a new domain.
> 
> It may be that the user customizes /etc/sssd/sssd.conf and sets a
> default_shell, and then joins a domain. realmd shouldn't overwrite it with
> the defaults again.
> 
> Patrik, do you have any ideas on how we could handle the above?

Yes, sssd man page says:

default_shell
 The default shell to use if the provider does not return one during lookup. This option supersedes any other shell options if it takes effect and can be set either in the [nss] section or per-domain.

And I also tested it and it works as expected: the domain settings takes precedence over nss one.


0 [root@rhel7 ~ ]# cat /etc/sssd/sssd.conf 

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
0 [root@rhel7 ~ ]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service
0 [root@rhel7 ~ ]# getent passwd amy@ad.baseos.qe
amy@ad.baseos.qe:*:1197601113:1197600513:Amy:/home/ad.baseos.qe/amy:/bin/bash
0 [root@rhel7 ~ ]# 

...

 [root@rhel7 ~ ]# cat /etc/sssd/sssd.conf 

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
default_shell = /usr/bin/sh
0 [root@rhel7 ~ ]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service
0 [root@rhel7 ~ ]# getent passwd amy@ad.baseos.qe
amy@ad.baseos.qe:*:1197601113:1197600513:Amy:/home/ad.baseos.qe/amy:/usr/bin/sh
0 [root@rhel7 ~ ]#
Comment 7 Stef Walter 2013-07-22 08:35:15 EDT
Created attachment 776888 [details]
Set sssd.conf default_shell per domain

This allows for much more predictable configuration, when an admin
has set the global option.
Comment 8 Stef Walter 2013-07-22 11:00:25 EDT
Attachment 776888 [details] pushed as ebd0468 - Set sssd.conf default_shell per domain
Comment 10 Ludek Smid 2014-06-13 05:37:59 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.