On 02/23/2018 01:25 PM, Alexander Bokovoy wrote: > On pe, 23 helmi 2018, Pavel Březina via FreeIPA-devel wrote: >> On 02/23/2018 12:57 PM, Martin Kosek wrote: >>> On 02/21/2018 10:25 AM, Pavel Březina via FreeIPA-devel wrote: >>>>> >>>>> >>>>> couple of scenarious here: >>>>> - install server >>>>> install it and configure with authselect. there is no --no-sssd >>>>> option >>>>> for the server installation >>>>> - upgrade server >>>>> bakup authselect configuration. apply authselect sssd profile >>>>> overwriting what was there before. >>>> >>>> Why do you call authselect during server update? Shouldn't the >>>> system be >>>> already configured? >>> >>> In FreeIPA server, we want to make sure that authselect profile is >>> activated, so that this FreeIPA server's PAM stack receives further >>> updates in case the authselect profile gets some fixes in. If it still >>> has the manual PAM configuration via old authconfig, it would not >>> receive such updates. Is that true? >> >> It is true. But the same applies currently with authconfig. So if >> authconfig is run again during server update than sure, it should be >> there. > We do not run authconfig on each server upgrade. An idea to re-write > configuration every upgrade sounds interesting but I don't think we are > close to get it properly implemented before we switch to Ansible > installer...
I think that here I was thinking more about one-off upgrade, as part of authconfig->authselect migration. My assumption was that authselect would then take care of updating the PAM configuration if template changes. Pavel, did we work out the upgrade story of authselect, for the cases when we need to fix something in SSSD/winbind template? Or would it be admin's task to refresh the PAM stack when the template changes? _______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
