[Freeipa-devel] [PATCH 0167] ipa-client-install: Configure sudo to use SSSD as data source

Alexander Bokovoy abokovoy at redhat.com
Fri May 9 10:58:59 UTC 2014


On Thu, 08 May 2014, Alexander Bokovoy wrote:
>On Wed, 07 May 2014, Jakub Hrozek wrote:
>>On Wed, May 07, 2014 at 05:29:37PM +0200, Tomas Babej wrote:
>>>
>>>On 04/30/2014 02:44 PM, Jakub Hrozek wrote:
>>>> On Wed, Apr 30, 2014 at 11:05:52AM +0200, Tomas Babej wrote:
>>>>> On 03/24/2014 03:27 PM, Jan Pazdziora wrote:
>>>>>> On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote:
>>>>>>> On 03/24/2014 02:47 PM, Jan Pazdziora wrote:
>>>>>>>> On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Makes ipa-client-install configure SSSD as the data provider
>>>>>>>>> for the sudo service by default. This behaviour can be disabled
>>>>>>>>> by using --no-sudo flag.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/3358
>>>>>>>> Ack.
>>>>>>>>
>>>>>>>> Applied against ipa-client-3.0.0-37.el6.x86_64, tried without
>>>>>>>> --no-sudo and sudo was added to sssd.conf's services list and sudoers
>>>>>>>> added to /etc/nsswitch.conf.
>>>>>>>>
>>>>>>>> Rerun with --uninstall and run again with the --no-sudo parameter,
>>>>>>>> those settings were no longer there.
>>>>>>>>
>>>>>>> Did you also do the functional test?
>>>>>> No. I do not want to get dragged into the discussion of having the
>>>>>> correct sssd and sudo and glibc versions and SELinux and stuff. The
>>>>>> ticket explicitly talks about setting configuration in config files,
>>>>>> which the patch does.
>>>>>>
>>>>>>> To ack and push this ticket, following
>>>>>>> scenario needs to work:
>>>>>> Consumption of those configuration changes is really a different story,
>>>>>> isn't it?
>>>>>>
>>>>>>> 1) IPA clients enroll against IPA server without --no-sudo
>>>>>>> 2) IPA client user logs in, types "sudo -l", gets all allowed commands
>>>>>>> (prerequisite is of course to have sudo commands defined on the IPA server)
>>>>>>> 3) IPA client reboots, IPA client user logs in, types "sudo -l", gets all
>>>>>>> allowed commands
>>>>>>>
>>>>>>> For 2) to work, NIS domain name must be set, nsswitch and SSSD changes must be done
>>>>>>>
>>>>>>> For 3) to work, related systemd service preserving NIS domain name setting
>>>>>>> needs to be enabled
>>>>>> With the commit message only talking about configuring sssd, I assume
>>>>>> the NIS domain name mentioned in the ticket will be done by some other
>>>>>> patch.
>>>>>>
>>>>>> To me, the patch does what is advertised in the commit message, and is
>>>>>> in line with what the ticket asks to be done.
>>>>>>
>>>>> Attached are rebased versions of the patches 113 and 167 (which was
>>>>> marked as 157 in the thread previously by mistake).
>>>>>
>>>>> There is a slight behaviour change in 167: if there is no sudoers line
>>>>> in nsswitch.conf, we add both files and sss as sudoers sources.
>>>>>
>>>>> I also developed CI test that covers the functionality of the IPA - sudo
>>>>> integration feature, which is attached.
>>>>>
>>>>> Please note that the last three tests are expected to fail until:
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4324
>>>>>
>>>>> is fixed.
>>>>>
>>>>> --
>>>>> Tomas Babej
>>>>> Associate Software Engineer | Red Hat | Identity Management
>>>>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>>>>
>>>> Hi,
>>>>
>>>> I haven't done a thorough review, but the patch looks good to me in
>>>> general -- in other words, seems to cover what I've been doing manually
>>>> for my test setups.
>>>>
>>>> My only suggestion (maybe for future) would be to split changing the
>>>> nsswitch.conf into its own separate helper class or a function, because
>>>> you might want to do the same change for automount or other services in
>>>> nsswitch.conf.
>>>>
>>>> But I think this version is OK at the moment.
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>>I created a rather general function for editing the nsswitch.conf as
>>>requested.
>>>
>>>Updated patch attached.
>>
>>Thanks, looks good to me, although I haven't done a thorough review.
>ACK from my side too. I spent some time today looking through the
>Jenkins job with these patches and apart from three failures in the new
>sudo test suite everything looks fine. These failures were around a dozen
>in the past two weeks and this patchset reduces them as a work in progress.
>
>Given that the tests only run in CI and are brand new, I'm fine
>with committing the patchset, the fixes can come next week.
Pushed to master.
-- 
/ Alexander Bokovoy
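The thread describes two configuration edits (adding "sss" as a sudoers source in nsswitch.conf, creating the line as "sudoers: files sss" when it is absent, and adding sudo to the services list in sssd.conf) and Jakub's suggestion of a general nsswitch.conf helper. The following is an added illustration written for this page, not the attached patch or any ipa-client-install code: the function names, the uninstall semantics (remove the source again and drop the line when nothing is left) and the two sample files are assumptions constructed here.

```python
import re

# Constructed sample inputs (not taken from the thread or from any real host).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample, no sudoers line yet)
passwd:     files sss
group:      files sss
hosts:      files dns
"""

SAMPLE_SSSD = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
"""

# One nsswitch.conf entry: "<database>: <sources> [# comment]".
# Comment-only lines never match, so they are never rewritten.
NSS_LINE = re.compile(
    r"^(?P<db>[A-Za-z_][\w-]*)\s*:\s*(?P<val>[^#]*?)\s*(?P<comment>#.*)?$")

# The services list inside sssd.conf, e.g. "services = nss, pam".
SSSD_SERVICES = re.compile(r"^(\s*services\s*=\s*)(.*?)\s*$")


def _join(lines):
    return "\n".join(lines) + ("\n" if lines else "")


def _render(database, sources, comment):
    text = "%s: %s" % (database, " ".join(sources))
    return text + (" " + comment if comment else "")


def nsswitch_add_sources(text, database, new_sources, default_sources=("files",)):
    """Append new_sources to the database line; if the line is absent, create it
    from default_sources + new_sources (a missing sudoers line thus becomes
    'sudoers: files sss', as described in the thread). Idempotent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = NSS_LINE.match(line)
        if not m or m.group("db") != database:
            continue
        sources = m.group("val").split()
        sources += [s for s in new_sources if s not in sources]
        lines[i] = _render(database, sources, m.group("comment"))
        return _join(lines)
    sources = list(default_sources)
    sources += [s for s in new_sources if s not in sources]
    lines.append(_render(database, sources, None))
    return _join(lines)


def nsswitch_remove_sources(text, database, old_sources):
    """Assumed uninstall counterpart: drop old_sources from the database line
    and remove the whole line when no source is left."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = NSS_LINE.match(line)
        if not m or m.group("db") != database:
            continue
        sources = [s for s in m.group("val").split() if s not in old_sources]
        if sources:
            lines[i] = _render(database, sources, m.group("comment"))
        else:
            del lines[i]
        break
    return _join(lines)


def sssd_set_service(text, service, enable=True):
    """Add (enable=True) or remove (enable=False) one entry in the services
    list of the [sssd] section only; other sections are left untouched."""
    lines = text.splitlines()
    section = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            continue
        if section != "sssd":
            continue
        m = SSSD_SERVICES.match(line)
        if not m:
            continue
        services = [s.strip() for s in m.group(2).split(",") if s.strip()]
        if enable and service not in services:
            services.append(service)
        elif not enable and service in services:
            services.remove(service)
        lines[i] = m.group(1) + ", ".join(services)
        return _join(lines)
    raise ValueError("no 'services =' line found in the [sssd] section")


def configure_sudo(nsswitch_text, sssd_text, enable=True):
    """Both edits together; enable=False models --no-sudo/uninstall (assumed)."""
    if enable:
        nsswitch_text = nsswitch_add_sources(nsswitch_text, "sudoers", ["sss"])
    else:
        nsswitch_text = nsswitch_remove_sources(nsswitch_text, "sudoers", ["sss"])
    return nsswitch_text, sssd_set_service(sssd_text, "sudo", enable)


if __name__ == "__main__":
    nss, sssd = configure_sudo(SAMPLE_NSSWITCH, SAMPLE_SSSD)
    print(nss)
    print(sssd)
```

The helpers work on text rather than files so that they can be checked without touching /etc; an installer would read, transform and write the file atomically. Keeping the edits idempotent and scoped to a single database or section is what lets an --uninstall run restore the previous state without disturbing unrelated entries.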