[Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

Alexander Bokovoy abokovoy at redhat.com
Sat May 28 20:38:55 UTC 2016


On Sat, 28 May 2016, Robbie Harwood wrote:
>Alexander Bokovoy <abokovoy at redhat.com> writes:
>
>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>>Stanislav Laznicka <slaznick at redhat.com> writes:
>>>
>>>> From 7a55f169181ab8647cd2d919f35c004b14d5bc7f Mon Sep 17 00:00:00 2001
>>>> From: Stanislav Laznicka <slaznick at redhat.com>
>>>> Date: Fri, 27 May 2016 16:12:31 +0200
>>>> Subject: [PATCH] Added krb5.conf.d/ to included dirs in krb5.conf
>>>>
>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>
>>> Thank you for working on this.  Is the intent on the part of FreeIPA to
>>> keep a separate, freeipa-specific directory?  And if so, can I suggest
>>> that we not do that?
>>
>> Which directory are you talking about? /var/lib/sss/pubconf/krb5.include.d/?
>
>Yes, this one.
>
>> SSSD cannot write to /etc and I don't think we have to change it.
>
>Can you elaborate on this?  Why can't sssd write the stuff it puts in
>/var/lib into /etc, or symlink it?
Writing to /etc is considered a privilege of a system administrator. A
runtime override is typically done outside it: in /run, as systemd
allows for its configuration, for volatile setups, and in /var/lib
for non-volatile ones. The latter has long been the state of affairs in
Linux.

Currently SSSD runs under root, but it has already been made possible to
run it as a non-root user, and we intend to switch to that mode in future
releases.

-- 
/ Alexander Bokovoy



