[Freeipa-devel] [PATCH 0167] ipa-client-install: Configure sudo to use SSSD as data source
Tomas Babej
tbabej at redhat.com
Wed Apr 30 09:05:52 UTC 2014
On 03/24/2014 03:27 PM, Jan Pazdziora wrote:
> On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote:
>> On 03/24/2014 02:47 PM, Jan Pazdziora wrote:
>>> On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> Makes ipa-client-install configure SSSD as the data provider
>>>> for the sudo service by default. This behaviour can be disabled
>>>> by using --no-sudo flag.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3358
>>> Ack.
>>>
>>> Applied against ipa-client-3.0.0-37.el6.x86_64, tried without
>>> --no-sudo and sudo was added to sssd.conf's services list and sudoeers
>>> added to /etc/nsswitch.conf.
>>>
>>> Rerun with --uninstall and run again with the --no-sudo parameter,
>>> those settings were not longer there.
>>>
>> Did you also do the functional test?
> No. I do not want to get dragged into the discussion of having the
> correct sssd and sudo and glibc versions and SELinux and stuff. The
> ticket explicitly talk about setting configuration in config files,
> which the patch does.
>
>> To ack and push this ticket, following
>> scenario needs to work:
> Consumption of those configuration changes is really different story,
> isn't it?
>
>> 1) IPA clients enroll against IPA server without --no-sudo
>> 2) IPA client user logs in, types "sudo -l", gets all allowed commands
>> (prerequisite is of course to have sudo commands defined on the IPA server)
>> 3) IPA client reboots, IPA client user logs in, types "sudo -l", gets all
>> allowed commands
>>
>> For 2) to work, NIS domain name must be set, nsswitch and SSSD changes must be done
>>
>> For 3) to work, related systemd service preserving NIS domain name setting
>> needs to be enabled
> With the commit message only talking about configuring sssd, I assume
> the NIS domain name mentioned in the ticket will be done by some other
> patch.
>
> To me, the patch does what is advertised in the commit message, and is
> in line with what the ticket asks to be done.
>
Attached are rebased versions of the patches 113 and 167 (which was
marked as 157 in the thread previously by mistake).
There is a slight behaviour change in 167, if there is no sudoers line
in nsswitch.conf, we add both files and sss as sudoers sources.
I also developed CI test that covers the functionality of the IPA - sudo
integration feature, which is attached.
Please note that the last three tests are expected to fail until:
https://fedorahosted.org/freeipa/ticket/4324
is fixed.
--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0167-2-ipa-client-install-Configure-sudo-to-use-SSSD-as-dat.patch
Type: text/x-patch
Size: 4923 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140430/a222ad39/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0179-ipatests-Add-Sudo-integration-test.patch
Type: text/x-patch
Size: 16257 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140430/a222ad39/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0113-2-ipa-client-Set-NIS-domain-name-in-the-installer.patch
Type: text/x-patch
Size: 7323 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140430/a222ad39/attachment-0002.bin>
More information about the Freeipa-devel
mailing list