[Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it

Stephen Gallagher sgallagh at redhat.com
Tue Sep 13 13:18:09 UTC 2011


On Tue, 2011-09-13 at 15:08 +0200, Martin Kosek wrote:
> On Tue, 2011-09-13 at 15:11 +0300, Alexander Bokovoy wrote:
> > On Thu, 08 Sep 2011, Alexander Bokovoy wrote:
> > 
> > > On Wed, 07 Sep 2011, Stephen Gallagher wrote:
> > > 
> > > > On Wed, 2011-09-07 at 16:15 +0300, Alexander Bokovoy wrote:
> > > > > Hi!
> > > > > 
> > > > > When modifying SSSD configuration, attempt to add a new domain rather 
> > > > > than replacing the whole configuration file.
> > > > > 
> > > > > Only replace the file in case it is impossible to parse it by the current SSSD 
> > > > > version.
> > > > > 
> > > > > https://fedorahosted.org/freeipa/ticket/1750
> > > > 
> > > > Looks good to me. Ack.
> > > Unfortunately, there is a bug in libini_config that prevents modifying 
> > > existing sssd configuration as it becomes unreadable by libini_config.
> > > 
> > > https://fedorahosted.org/sssd/ticket/991
> > > 
> > > I would suggest postponing this patch until the libini_config bug is 
> > > fixed and released.
> > After some research it appears there is no issue with libini_config, 
> > SSSD happily reads configs amended by ipa-client-install, with or 
> > without empty line between sections.
> > 
> > The issue Marko was seeing in SSSD991 or FreeIPA1174 is unrelated to 
> > this change. It is an issue of timing -- by the time we ask for 'getent 
> > passwd admin', SSSD might not have started its providers. We are 
> > trying to wait 1 second and retry 5 times but some people have 
> > experienced delays up to 10 seconds.
> > 
> > So this patch is unblocked. To solve delayed data initialization from 
> > SSSD in NSS responder we might simply increase the number of tries to 10 
> > in case SSSD is in use.
> > 
> > 
> 
> That sounds good. I made a few tests of this patch and I still see a
> problem here. What if, for any reason, sssd.conf is not present on the
> machine? IPA client installation then crashes:
> 
> # ipa-client-install --server vm-139.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com
> DNS domain 'idm.lab.bos.redhat.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> 
> Discovery was successful!
> Hostname: vm-027.idm.lab.bos.redhat.com
> Realm: IDM.LAB.BOS.REDHAT.COM
> DNS Domain: idm.lab.bos.redhat.com
> IPA Server: vm-139.idm.lab.bos.redhat.com
> BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> 
> 
> Continue to configure the system with these values? [no]: y
> User authorized to enroll computers: admin
> Password for admin@IDM.LAB.BOS.REDHAT.COM: 
> 
> Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> Created /etc/ipa/default.conf
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1144, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1133, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 977, in install
>     if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
>   File "/usr/sbin/ipa-client-install", line 600, in configure_sssd_conf
>     sssdconfig.import_config()
>   File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config
>     fd = open(configfile, 'r')
> IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'


ipa-client-install should be trapping this error and calling
SSSDConfig.new_config() to create a blank configuration.
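
The fallback suggested above, sketched as an added example that is not part of the original message or of the FreeIPA code. `StubSSSDConfig` is a constructed stand-in exposing only the two methods named in the thread, and `load_sssd_config` and `demo` are hypothetical names. Only a missing file triggers `new_config()`; any other I/O error propagates, so an existing but unreadable configuration is never silently replaced.

```python
import errno
import os
import tempfile


class StubSSSDConfig:
    """Constructed stand-in with the two methods named in the thread."""

    def __init__(self, path):
        self.path = path
        self.state = None

    def import_config(self):
        # Same failure mode as the traceback: open() raises ENOENT if absent.
        with open(self.path, "r") as fd:
            fd.read()
        self.state = "imported"

    def new_config(self):
        self.state = "new"


def load_sssd_config(cfg):
    """Import the existing configuration, or start blank if the file is absent."""
    try:
        cfg.import_config()
        return "imported"
    except (IOError, OSError) as e:
        if e.errno != errno.ENOENT:
            raise  # e.g. EACCES, EISDIR: do not discard an existing config
        cfg.new_config()
        return "new"


def demo():
    """Run the three cases against constructed paths in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        r1 = load_sssd_config(StubSSSDConfig(os.path.join(d, "sssd.conf")))
        present = os.path.join(d, "present.conf")
        with open(present, "w") as fd:
            fd.write("[sssd]\n")
        r2 = load_sssd_config(StubSSSDConfig(present))
        try:
            load_sssd_config(StubSSSDConfig(d))  # a directory, not a file
            r3 = "swallowed"
        except OSError as e:
            r3 = errno.errorcode[e.errno]
    return r1, r2, r3
```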