[Freeipa-devel] [PATCH] 0012 Modify existing SSSD configuration instead of dropping it

Stephen Gallagher sgallagh at redhat.com
Tue Sep 13 13:26:39 UTC 2011


On Tue, 2011-09-13 at 16:22 +0300, Alexander Bokovoy wrote:
> On Tue, 13 Sep 2011, Martin Kosek wrote:
> > > So this patch is unblocked. To solve delayed data initialization from 
> > > SSSD in NSS responder we might simply increase the number of tries to 10 
> > > in case SSSD is in use.
> > That sounds good. I made a few tests of this patch and I still see a
> > problem here. What if, for any reason, sssd.conf is not present on the
> > machine? IPA client installation then crashes:
> > 
> > # ipa-client-install --server vm-139.idm.lab.bos.redhat.com --domain idm.lab.bos.redhat.com
> > DNS domain 'idm.lab.bos.redhat.com' is not configured for automatic KDC address lookup.
> > KDC address will be set to fixed value.
> > 
> > Discovery was successful!
> > Hostname: vm-027.idm.lab.bos.redhat.com
> > Realm: IDM.LAB.BOS.REDHAT.COM
> > DNS Domain: idm.lab.bos.redhat.com
> > IPA Server: vm-139.idm.lab.bos.redhat.com
> > BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> > 
> > 
> > Continue to configure the system with these values? [no]: y
> > User authorized to enroll computers: admin
> > Password for admin at IDM.LAB.BOS.REDHAT.COM: 
> > 
> > Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
> > Created /etc/ipa/default.conf
> > Traceback (most recent call last):
> >   File "/usr/sbin/ipa-client-install", line 1144, in <module>
> >     sys.exit(main())
> >   File "/usr/sbin/ipa-client-install", line 1133, in main
> >     rval = install(options, env, fstore, statestore)
> >   File "/usr/sbin/ipa-client-install", line 977, in install
> >     if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
> >   File "/usr/sbin/ipa-client-install", line 600, in configure_sssd_conf
> >     sssdconfig.import_config()
> >   File "/usr/lib/python2.7/site-packages/SSSDConfig.py", line 1207, in import_config
> >     fd = open(configfile, 'r')
> > IOError: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
> Right, we need to fall back to a new sssd.conf in case of any exception, 
> not only for ParsingError.


Actually, that's not necessarily true. Do we want to fall back on
permission error, for instance? This could result in clobbering an
existing file (if for example the existing sssd.conf's SELinux context
is wrong, preventing reading, but when we create a new one and save it
in place later we have the right context and it replaces the old one).

Admittedly, it's a contrived example, but where contrived examples
exist, so can real issues.
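
The distinction raised in this reply, as an added example that is not part of the patch or of the thread: treat only ENOENT as "no sssd.conf, create one", and stop on any other I/O error so an unreadable existing file is never replaced. It is written for Python 3 (the traceback above is from Python 2.7); the function names, the injected `opener` and the temporary path are assumptions made for illustration.

```python
import errno
import os
import tempfile


def read_existing_conf(path, opener=open):
    """Return the file's text, or None only when the file truly does not exist.

    Any other OSError (EACCES from a wrong SELinux context or mode, EIO, ...)
    propagates, so the caller never treats an unreadable file as an absent one.
    """
    try:
        with opener(path, "r") as fd:
            return fd.read()
    except OSError as exc:
        if exc.errno == errno.ENOENT:
            return None
        raise


def create_conf_exclusive(path, text):
    """Create path with mode 0600; O_EXCL makes this fail if a file is already there."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as out:
        out.write(text)


def plan(path, opener=open):
    """Return 'create', 'modify' or 'abort' for the installer (hypothetical helper)."""
    try:
        existing = read_existing_conf(path, opener)
    except OSError:
        return "abort"
    return "create" if existing is None else "modify"


def _denied(path, mode):
    # Constructed stand-in for an existing file the installer cannot read.
    raise OSError(errno.EACCES, "Permission denied", path)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "sssd.conf")  # constructed path, not /etc/sssd
        results = [plan(conf)]                      # missing file
        create_conf_exclusive(conf, "[sssd]\n")
        results.append(plan(conf))                  # readable file
        results.append(plan(conf, opener=_denied))  # unreadable file
        try:
            create_conf_exclusive(conf, "[sssd]\nclobber\n")
        except FileExistsError:
            results.append("refused")               # O_EXCL blocked the overwrite
        return results
```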