[Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

Tue May 9 14:25:52 UTC 2017

Prasun Gera wrote:
> Just writing to say that the automount scripts still seem to be quite
> broken in RHEL 7.3. I did a couple of client installs recently,
> and ipa-client-automount --install completed successfully, but didn't
> add sss to /etc/nsswitch.conf. By now, I've got used to this pattern. So
> I look for the presence or absence of sss in nsswitch.conf after running
> any of these scripts, since that seems to be the most common issue.

https://bugzilla.redhat.com/show_bug.cgi?id=1392540

rob

> 
> On Thu, Sep 3, 2015 at 3:17 AM, Alexander Bokovoy <abokovoy at redhat.com
> <mailto:abokovoy at redhat.com>> wrote:
> 
>     On Wed, 02 Sep 2015, Prasun Gera wrote:
> 
>         I have zero confidence in any of the install and uninstall
>         scripts. And
>         this is on RHEL systems. On unofficial ones like Ubuntu, things
>         are even
>         more broken. I really like freeipa, but so far even in a
>         smallish lab
>         environment, it has been a nightmare. I am really tempted to
>         just go back
>         to NIS. Does anyone have any ideas or proposals for making
>         things more
>         robust ? At the very least, I think that these sort of
>         modifications to
>         system files should only happen with package install/removal.
>         Any changes
>         that ipa's scripts do should be local to ipa's internal state.
>         Better would
>         be to have an internal ipa database sort of thing which keeps
>         track of what
>         the current state is so that even if a script dies, which has
>         happened
>         often, the next attempt reads the database and figures out what
>         happened
>         earlier.
> 
>     File bugs with enough details. It is the only reliable way to fix any
>     issues where environments differ. Install/uninstall scripts work for
>     fresh installs in RHEL and Fedora because this is what is tested. If you
>     have repurposed machines from some other setups, things might differ and
>     only you know what is in your environment.
> 
>     That's not bad or good, that's just different -- the more different
>     environments we see, more robust code can be added. People are
>     infinitely more clever than computers when it comes to configuration
>     files' format mangling.
> 
>     I've seen multiple cases where a claim of 'ipa scripts broke my
>     configuration' was later retracted saying that puppet or other SCM run
>     afterwards did these changes. That just happen, if there are many
>     elephants dancing in the room, a careful coordination is always a good
>     idea.
> 
>     Coming back to your issues, please file bugs -- either upstream or
>     downstream, via distributions, whatever way is more suitable to you.
>     Contributing 'broken' config files would be good too.
> 
> 
>     -- 
>     / Alexander Bokovoy
> 
> 
> 
>