[Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

Martin Basti mbasti at redhat.com
Sun Jun 5 07:48:07 UTC 2016



On 02.06.2016 19:59, Martin Basti wrote:
>
>
>
> On 31.05.2016 19:19, Robbie Harwood wrote:
>> Alexander Bokovoy <abokovoy at redhat.com> writes:
>>
>>> On Sat, 28 May 2016, Robbie Harwood wrote:
>>>> Alexander Bokovoy <abokovoy at redhat.com> writes:
>>>>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>>>>> Stanislav Laznicka <slaznick at redhat.com> writes:
>>>>>>> From: Stanislav Laznicka <slaznick at redhat.com>
>>>>>>>
>>>>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies
>>>>>>> to work properly
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>>>> Thank you for working on this.  Is the intent on the part of
>>>>>> FreeIPA to keep a separate, freeipa-specific directory?  And if so,
>>>>>> can I suggest that we not do that?
>>>>> SSSD cannot write to /etc and I don't think we have to change it.
>>>> Can you elaborate on this?  Why can't sssd write the stuff it puts in
>>>> /var/lib into /etc, or symlink it?
>>> Writing to /etc is considered a privilege of a system administrator. A
>>> runtime override is typically done outside it, in /run like systemd
>>> allows for its configuration for volatile setups and in /var/lib
>>> for non-volatile ones. The latter has long been a state of affairs in
>>> Linux.
>>>
>>> Currently SSSD runs under root but it is already made possible to run as
>>> non-root user and we intend to switch to that mode in future releases.
>> I guess I don't see a meaningful difference here.  We're still writing
>> to /etc when we modify krb5.conf.
>>
>> My reading of the FHS is that this is not an intended use of /var/lib:
>> /var/lib is for state information [0], and the only time the FHS
>> mentions config files is to point out that they go in the /etc tree.
>>
>> Anyway, I've said my piece and won't derail this further.  If you want
>> to merge, this is a cosmetic issue and I can live with it.
>>
>> [0]:http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION
>>
>>
> ACK, this patch works as expected. If nobody is against it, I will 
> push it (tomorrow).
>
> Martin^2
>
>

Pushed to master: 2026677635c6d4b086670cb9d8f3570bd1b95c27
