On 03/24/2014 03:27 PM, Jan Pazdziora wrote: > On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote: >> On 03/24/2014 02:47 PM, Jan Pazdziora wrote: >>> On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote: >>>> Hi, >>>> >>>> Makes ipa-client-install configure SSSD as the data provider >>>> for the sudo service by default. This behaviour can be disabled >>>> by using --no-sudo flag. >>>> >>>> https://fedorahosted.org/freeipa/ticket/3358 >>> Ack. >>> >>> Applied against ipa-client-3.0.0-37.el6.x86_64, tried without >>> --no-sudo and sudo was added to sssd.conf's services list and sudoeers >>> added to /etc/nsswitch.conf. >>> >>> Rerun with --uninstall and run again with the --no-sudo parameter, >>> those settings were not longer there. >>> >> Did you also do the functional test? > No. I do not want to get dragged into the discussion of having the > correct sssd and sudo and glibc versions and SELinux and stuff. The > ticket explicitly talk about setting configuration in config files, > which the patch does. > >> To ack and push this ticket, following >> scenario needs to work: > Consumption of those configuration changes is really different story, > isn't it? > >> 1) IPA clients enroll against IPA server without --no-sudo >> 2) IPA client user logs in, types "sudo -l", gets all allowed commands >> (prerequisite is of course to have sudo commands defined on the IPA server) >> 3) IPA client reboots, IPA client user logs in, types "sudo -l", gets all >> allowed commands >> >> For 2) to work, NIS domain name must be set, nsswitch and SSSD changes must >> be done >> >> For 3) to work, related systemd service preserving NIS domain name setting >> needs to be enabled > With the commit message only talking about configuring sssd, I assume > the NIS domain name mentioned in the ticket will be done by some other > patch. > > To me, the patch does what is advertised in the commit message, and is > in line with what the ticket asks to be done. >
Attached are rebased versions of the patches 113 and 167 (which was marked as 157 in the thread previously by mistake). There is a slight behaviour change in 167, if there is no sudoers line in nsswitch.conf, we add both files and sss as sudoers sources. I also developed CI test that covers the functionality of the IPA - sudo integration feature, which is attached. Please note that the last three tests are expected to fail until: https://fedorahosted.org/freeipa/ticket/4324 is fixed. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
>From 0803c29840a79463fa838478bab65a061d779163 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tomasba...@gmail.com> Date: Thu, 21 Nov 2013 13:09:28 +0100 Subject: [PATCH] ipa-client-install: Configure sudo to use SSSD as data source Makes ipa-client-install configure SSSD as the data provider for the sudo service by default. This behaviour can be disabled by using --no-sudo flag. https://fedorahosted.org/freeipa/ticket/3358 --- ipa-client/ipa-install/ipa-client-install | 58 ++++++++++++++++++++++++++++++- ipa-client/man/ipa-client-install.1 | 3 ++ 2 files changed, 60 insertions(+), 1 deletion(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 5fdd51520ba667f240239077a80e328877c99cd7..99fed2ab08195c7dfe4fb876ce225bac7868eb3b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -137,6 +137,9 @@ def parse_options(): help="do not configure OpenSSH client") basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false", help="do not configure OpenSSH server") + basic_group.add_option("--no-sudo", dest="conf_sudo", default=True, + action="store_false", + help="do not configure SSSD as data source for sudo") basic_group.add_option("--no-dns-sshfp", dest="create_sshfp", default=True, action="store_false", help="do not automatically create DNS SSHFP records") basic_group.add_option("--noac", dest="no_ac", default=False, action="store_true", @@ -1141,6 +1144,59 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie sssdconfig.activate_service('ssh') + if options.conf_sudo: + # Activate the service in the SSSD config + try: + sssdconfig.new_service('sudo') + except SSSDConfig.ServiceAlreadyExists: + pass + except SSSDConfig.ServiceNotRecognizedError: + root_logger.error("Unable to activate the SUDO service in " + "SSSD config.") + + sssdconfig.activate_service('sudo') + + # Backup the nsswitch.conf, we're going to edit it now + NSSWITCH_CONF = '/etc/nsswitch.conf' + fstore.backup_file(NSSWITCH_CONF) + + conf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") + conf.setOptionAssignment(':') + + # Determine if nsswitch already contains files for sudoers or not + sudoers_value = ' sss' + + with open('/etc/nsswitch.conf', 'r') as f: + opts = conf.parse(f) + option_result = conf.findOpts(opts, 'option', 'sudoers')[1] + + if not option_result: + # If there is no sudoers: directive in the nsswitch.conf + # present, set both files and sss, since sudo treats + # sudoers: files as default + sudoers_value = ' files sss' + elif 'sss' not in option_result['value']: + # If some explicit value is set in nsswitch.conf, we just append + # sss if not already there + sudoers_value = option_result['value'] + ' sss' + else: + # If sss is already set, do nothing + sudoers_value = option_result['value'] + + # Set sss as data source for sudoers + opts = [{'name':'sudoers', + 'type':'option', + 'action':'set', + 'value': sudoers_value + }, + {'name':'empty', + 'type':'empty' + }] + + conf.changeConf(NSSWITCH_CONF, opts) + root_logger.info("Configured %s" % NSSWITCH_CONF) + + domain.add_provider('ipa', 'id') #add discovery domain if client domain different from server domain @@ -2265,7 +2321,7 @@ def install(options, env, fstore, statestore): # skip this step when run by ipa-server-install as it always configures # hostname if different from system hostname ipaservices.backup_and_replace_hostname(fstore, statestore, options.hostname) - + if not options.on_master: # Attempt to sync time with IPA server. # We assume that NTP servers are discoverable through SRV records in the DNS diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 9d1ab75e4b20f3422e0e8dbd7728fcc281972362..42db4e4c327bee7f2f5512a53dc3c445c4ed5e29 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -140,6 +140,9 @@ Do not configure OpenSSH client. \fB\-\-no\-sshd\fR Do not configure OpenSSH server. .TP +\fB\-\-no\-sudo\fR +Do not configure SSSD as a data source for sudo. +.TP \fB\-\-no\-dns\-sshfp\fR Do not automatically create DNS SSHFP records. .TP -- 1.8.5.3
>From 50b3271d8f05e3d1e55ae4b80a41949881fc72d2 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Tue, 8 Apr 2014 13:14:13 +0200 Subject: [PATCH] ipatests: Add Sudo integration test --- ipatests/test_integration/tasks.py | 2 +- ipatests/test_integration/test_sudo.py | 335 +++++++++++++++++++++++++++++++++ 2 files changed, 336 insertions(+), 1 deletion(-) create mode 100644 ipatests/test_integration/test_sudo.py diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index 2334e254e7ddd00beeb83d8a317b5db12c06a29e..a6c6f30d4c459de979f20aebd28276623ba2f700 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -430,7 +430,7 @@ def clear_sssd_cache(host): host.run_command(['/sbin/service', 'sssd', 'start']) # To avoid false negatives due to SSSD not responding yet - time.sleep(2) + time.sleep(10) def sync_time(host, server): diff --git a/ipatests/test_integration/test_sudo.py b/ipatests/test_integration/test_sudo.py new file mode 100644 index 0000000000000000000000000000000000000000..42c9b6b6a160e0449e734f176ff437c6e8f486fc --- /dev/null +++ b/ipatests/test_integration/test_sudo.py @@ -0,0 +1,335 @@ +# Authors: +# Tomas Babej <tba...@redhat.com> +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from ipatests.test_integration.base import IntegrationTest +from ipatests.test_integration.tasks import clear_sssd_cache + + +class TestSudo(IntegrationTest): + """ + Test Sudo + http://www.freeipa.org/page/V4/Sudo_Integration#Test_Plan + """ + num_clients = 1 + topology = 'line' + + @classmethod + def setup_class(cls): + super(TestSudo, cls).setup_class() + + cls.client = cls.clients[0] + + for i in range(1, 3): + # Add 1. and 2. testing user + cls.master.run_command(['ipa', 'user-add', + 'testuser%d' % i, + '--first', 'Test', + '--last', 'User%d' % i]) + + # Add 1. and 2. testing groups + cls.master.run_command(['ipa', 'group-add', + 'testgroup%d' % i, + '--desc', '"%d. testing group"' % i]) + + # Add respective members to each group + cls.master.run_command(['ipa', 'group-add-member', + 'testgroup%d' % i, + '--users', 'testuser%d' % i]) + + # Add hostgroup containing the client + cls.master.run_command(['ipa', 'hostgroup-add', + 'testhostgroup', + '--desc', '"Contains client"']) + + # Add the client to the host group + cls.master.run_command(['ipa', 'hostgroup-add-member', + 'testhostgroup', + '--hosts', cls.client.hostname]) + + def list_sudo_commands(self, user, raiseonerr=False, verbose=False): + clear_sssd_cache(self.client) + list_flag = '-ll' if verbose else '-l' + return self.client.run_command('su -c "sudo %s" %s' % (list_flag, user), + raiseonerr=raiseonerr) + + def reset_rule_categories(self): + # Reset testrule to allow everything + self.master.run_command(['ipa', 'sudorule-mod', + 'testrule', + '--usercat=all', + '--hostcat=all', + '--cmdcat=all', + '--runasusercat=all', + '--runasgroupcat=all'], raiseonerr=False) + + def test_nisdomainname(self): + result = self.client.run_command('nisdomainname') + assert self.client.domain.name in result.stdout_text + + def test_add_sudo_commands(self): + # Group: Readers + self.master.run_command(['ipa', 'sudocmd-add', '/usr/bin/cat']) + self.master.run_command(['ipa', 'sudocmd-add', '/usr/bin/tail']) + + # No group + self.master.run_command(['ipa', 'sudocmd-add', '/usr/bin/yum']) + + def test_add_sudo_command_groups(self): + self.master.run_command(['ipa', 'sudocmdgroup-add', 'readers', + '--desc', '"Applications that read"']) + + self.master.run_command(['ipa', 'sudocmdgroup-add-member', 'readers', + '--sudocmds', '/usr/bin/cat']) + + self.master.run_command(['ipa', 'sudocmdgroup-add-member', 'readers', + '--sudocmds', '/usr/bin/tail']) + + def test_create_allow_all_rule(self): + # Create rule that allows everything + self.master.run_command(['ipa', 'sudorule-add', + 'testrule', + '--usercat=all', + '--hostcat=all', + '--cmdcat=all', + '--runasusercat=all', + '--runasgroupcat=all']) + + # Add !authenticate option + self.master.run_command(['ipa', 'sudorule-add-option', + 'testrule', + '--sudooption', "!authenticate"]) + + def test_add_sudo_rule(self): + result1 = self.list_sudo_commands("testuser1") + assert "(ALL) NOPASSWD: ALL" in result1.stdout_text + + result2 = self.list_sudo_commands("testuser2") + assert "(ALL) NOPASSWD: ALL" in result2.stdout_text + + def test_sudo_rule_restricted_to_one_user_setup(self): + # Configure the rule to not apply to anybody + self.master.run_command(['ipa', 'sudorule-mod', + 'testrule', + '--usercat=']) + + # Add the testuser1 to the rule + self.master.run_command(['ipa', 'sudorule-add-user', + 'testrule', + '--users', 'testuser1']) + + def test_sudo_rule_restricted_to_one_user(self): + result1 = self.list_sudo_commands("testuser1") + assert "(ALL) NOPASSWD: ALL" in result1.stdout_text + + result2 = self.list_sudo_commands("testuser2", raiseonerr=False) + assert result2.returncode != 0 + + def test_sudo_rule_restricted_to_one_user_teardown(self): + # Remove the testuser1 from the rule + self.master.run_command(['ipa', 'sudorule-remove-user', + 'testrule', + '--users', 'testuser1']) + + def test_sudo_rule_restricted_to_one_group_setup(self): + # Add the testgroup2 to the rule + self.master.run_command(['ipa', 'sudorule-add-user', + 'testrule', + '--groups', 'testgroup2']) + + def test_sudo_rule_restricted_to_one_group(self): + result1 = self.list_sudo_commands("testuser1", raiseonerr=False) + assert result1.returncode != 0 + + result2 = self.list_sudo_commands("testuser2") + assert "(ALL) NOPASSWD: ALL" in result2.stdout_text + + def test_sudo_rule_restricted_to_one_group_teardown(self): + # Remove the testgroup2 from the rule + self.master.run_command(['ipa', 'sudorule-remove-user', + 'testrule', + '--groups', 'testgroup2']) + + def test_sudo_rule_restricted_to_one_host_negative_setup(self): + # Reset testrule configuration + self.reset_rule_categories() + + # Configure the rule to not apply anywhere + self.master.run_command(['ipa', 'sudorule-mod', + 'testrule', + '--hostcat=']) + + # Add the master to the rule + self.master.run_command(['ipa', 'sudorule-add-host', + 'testrule', + '--hosts', self.master.hostname]) + + def test_sudo_rule_restricted_to_one_host_negative(self): + result1 = self.list_sudo_commands("testuser1", raiseonerr=False) + assert result1.returncode != 0 + + def test_sudo_rule_restricted_to_one_host_negative_teardown(self): + # Remove the master from the rule + self.master.run_command(['ipa', 'sudorule-remove-host', + 'testrule', + '--hosts', self.master.hostname]) + + def test_sudo_rule_restricted_to_one_host_setup(self): + # Configure the rulle to not apply anywhere + self.master.run_command(['ipa', 'sudorule-mod', + 'testrule', + '--hostcat='], raiseonerr=False) + + # Add the master to the rule + self.master.run_command(['ipa', 'sudorule-add-host', + 'testrule', + '--hosts', self.client.hostname]) + + def test_sudo_rule_restricted_to_one_host(self): + result1 = self.list_sudo_commands("testuser1", raiseonerr=False) + assert "(ALL) NOPASSWD: ALL" in result1.stdout_text + + def test_sudo_rule_restricted_to_one_host_teardown(self): + # Remove the master from the rule + self.master.run_command(['ipa', 'sudorule-remove-host', + 'testrule', + '--hosts', self.client.hostname]) + + def test_sudo_rule_restricted_to_one_hostgroup_setup(self): + # Add the testhostgroup to the rule + self.master.run_command(['ipa', 'sudorule-add-host', + 'testrule', + '--hostgroups', 'testhostgroup']) + + def test_sudo_rule_restricted_to_one_hostgroup(self): + result1 = self.list_sudo_commands("testuser1") + assert "(ALL) NOPASSWD: ALL" in result1.stdout_text + + def test_sudo_rule_restricted_to_one_hostgroup_teardown(self): + # Remove the testhostgroup from the rule + self.master.run_command(['ipa', 'sudorule-remove-host', + 'testrule', + '--hostgroups', 'testhostgroup']) + + def test_sudo_rule_restricted_to_one_command_setup(self): + # Reset testrule configuration + self.reset_rule_categories() + + # Configure the rule to not allow any command + self.master.run_command(['ipa', 'sudorule-mod', + 'testrule', + '--cmdcat=']) + + # Add the yum command to the rule + self.master.run_command(['ipa', 'sudorule-add-allow-command', + 'testrule', + '--sudocmds', '/usr/bin/yum']) + + def test_sudo_rule_restricted_to_one_command(self): + result1 = self.list_sudo_commands("testuser1") + assert "(ALL) NOPASSWD: /usr/bin/yum" in result1.stdout_text + + def test_sudo_rule_restricted_to_command_and_command_group_setup(self): + # Add the readers command group to the rule + self.master.run_command(['ipa', 'sudorule-add-allow-command', + 'testrule', + '--sudocmdgroups', 'readers']) + + def test_sudo_rule_restricted_to_command_and_command_group(self): + result1 = self.list_sudo_commands("testuser1") + assert "(ALL) NOPASSWD:" in result1.stdout_text + assert "/usr/bin/yum" in result1.stdout_text + assert "/usr/bin/tail" in result1.stdout_text + assert "/usr/bin/cat" in result1.stdout_text + + def test_sudo_rule_restricted_to_command_and_command_group_teardown(self): + # Remove the yum command from the rule + self.master.run_command(['ipa', 'sudorule-remove-allow-command', + 'testrule', + '--sudocmds', '/usr/bin/yum']) + + # Remove the readers command group from the rule + self.master.run_command(['ipa', 'sudorule-remove-allow-command', + 'testrule', + '--sudocmdgroups', 'readers']) + + def test_sudo_rule_restricted_to_running_as_single_user_setup(self): + # Reset testrule configuration + self.reset_rule_categories() + + # Configure the rule to not allow running commands as anybody + self.master.run_command(['ipa', 'sudorule-mod', + 'testrule', + '--runasusercat=']) + + self.master.run_command(['ipa', 'sudorule-mod', + 'testrule', + '--runasgroupcat=']) + + # Allow running commands as testuser2 + self.master.run_command(['ipa', 'sudorule-add-runasuser', + 'testrule', + '--users', 'testuser2']) + + def test_sudo_rule_restricted_to_running_as_single_user(self): + result1 = self.list_sudo_commands("testuser1", verbose=True) + assert "RunAsUsers: testuser2" in result1.stdout_text + assert "RunAsGroups:" not in result1.stdout_text + + def test_sudo_rule_restricted_to_running_as_single_user_teardown(self): + # Remove permission to run commands as testuser2 + self.master.run_command(['ipa', 'sudorule-remove-runasuser', + 'testrule', + '--users', 'testuser2']) + + def test_sudo_rule_restricted_to_running_as_users_from_group_setup(self): + # Allow running commands as users from testgroup2 + self.master.run_command(['ipa', 'sudorule-add-runasuser', + 'testrule', + '--groups', 'testgroup2']) + + def test_sudo_rule_restricted_to_running_as_users_from_group(self): + result1 = self.list_sudo_commands("testuser1", verbose=True) + assert "RunAsUsers: testuser2" in result1.stdout_text + assert "RunAsGroups:" not in result1.stdout_text + + def test_sudo_rule_restricted_to_running_as_users_from_group_teardown(self): + # Remove permission to run commands as testuser2 + self.master.run_command(['ipa', 'sudorule-remove-runasuser', + 'testrule', + '--groups', 'testgroup2']) + + def test_sudo_rule_restricted_to_running_as_single_group_setup(self): + # Allow running commands as testgroup2 + self.master.run_command(['ipa', 'sudorule-add-runasgroup', + 'testrule', + '--groups', 'testgroup2']) + + def test_sudo_rule_restricted_to_running_as_single_group(self): + result1 = self.list_sudo_commands("testuser1", verbose=True) + assert "RunAsUsers:" not in result1.stdout_text + assert "RunAsGroups: testgroup2" in result1.stdout_text + + def test_sudo_rule_restricted_to_running_as_single_group_teardown(self): + # Remove permission to run commands as testgroup2 + self.master.run_command(['ipa', 'sudorule-remove-runasgroup', + 'testrule', + '--groups', 'testgroup2']) + + # Reset testrule configuration + self.reset_rule_categories() -- 1.8.5.3
>From 3b66934f1dd3167dc56ffa8b4a750a0912a89642 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Wed, 25 Sep 2013 13:45:45 +0200 Subject: [PATCH] ipa-client: Set NIS domain name in the installer Provides two new options for the ipa-client-install: --nisdomain: specifies the NIS domain name --no_nisdomain: flag to aviod setting the NIS domain name In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used. Manual pages updated. http://fedorahosted.org/freeipa/ticket/3202 --- ipa-client/ipa-install/ipa-client-install | 65 +++++++++++++++++++++++++++++++ ipa-client/man/ipa-client-install.1 | 6 +++ ipapython/platform/base/__init__.py | 3 +- ipapython/platform/fedora16/service.py | 2 + 4 files changed, 75 insertions(+), 1 deletion(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 7cc0c33973fb9bd2113b33da7cb1d450b66a49dd..03679c10d09c64a284e3950a1808887ec52ae5ea 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -126,6 +126,11 @@ def parse_options(): basic_group.add_option("", "--force-ntpd", dest="force_ntpd", action="store_true", default=False, help="Stop and disable any time&date synchronization services besides ntpd") + basic_group.add_option("--nisdomain", dest="nisdomain", + help="NIS domain name") + basic_group.add_option("--no-nisdomain", action="store_true", default=False, + help="do not configure NIS domain name", + dest="no_nisdomain") basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true", help="configure OpenSSH client to trust DNS SSHFP records") basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false", @@ -195,6 +200,9 @@ def parse_options(): if options.firefox_dir and not options.configure_firefox: parser.error("--firefox-dir cannot be used without --configure-firefox option") + if options.no_nisdomain and options.nisdomain: + parser.error("--no-nisdomain cannot be used together with --nisdomain") + return safe_opts, options def logging_setup(options): @@ -595,6 +603,7 @@ def uninstall(options, env): fstore.restore_all_files() ipautil.restore_hostname(statestore) + unconfigure_nisdomain() nscd = ipaservices.knownservices.nscd nslcd = ipaservices.knownservices.nslcd @@ -1351,6 +1360,59 @@ def configure_automount(options): root_logger.info(stdout) +def configure_nisdomain(options, domain): + domain = options.nisdomain or domain + root_logger.info('Configuring %s as NIS domain.' % domain) + + nis_domain_name = '' + + # First backup the old NIS domain name + if os.path.exists('/usr/bin/nisdomainname'): + try: + nis_domain_name, _, _ = ipautil.run(['/usr/bin/nisdomainname']) + except CalledProcessError, e: + pass + + statestore.backup_state('network', 'nisdomain', nis_domain_name) + + # Backup the state of the domainname service + statestore.backup_state("domainname", "enabled", + ipaservices.knownservices.domainname.is_enabled()) + + # Set the new NIS domain name + set_nisdomain(domain) + + # Enable and start the domainname service + ipaservices.knownservices.domainname.enable() + ipaservices.knownservices.domainname.start() + + +def unconfigure_nisdomain(): + # Set the nisdomain permanent and current nisdomain configuration as it was + if statestore.has_state('network'): + old_nisdomain = statestore.restore_state('network','nisdomain') or '' + + if old_nisdomain: + root_logger.info('Restoring %s as NIS domain.' % old_nisdomain) + else: + root_logger.info('Unconfiguring the NIS domain.') + + set_nisdomain(old_nisdomain) + + # Restore the configuration of the domainname service + enabled = statestore.restore_state('domainname', 'enabled') + if not enabled: + ipaservices.knownservices.domainname.disable() + + +def set_nisdomain(nisdomain): + # Let authconfig setup the permanent configuration + auth_config = ipaservices.authconfig() + auth_config.add_parameter("nisdomain", nisdomain) + auth_config.add_option("update") + auth_config.execute() + + def resolve_ipaddress(server): """ Connect to the server's LDAP port in order to determine what ip address this machine uses as "public" ip (relative to the server). @@ -2693,6 +2755,9 @@ def install(options, env, fstore, statestore): if options.configure_firefox: configure_firefox(options, statestore, cli_domain) + if not options.no_nisdomain: + configure_nisdomain(options=options, domain=cli_domain) + root_logger.info('Client configuration complete.') return 0 diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 51a276202ac28b630d928e70dd658fad929b8d2b..a7acf58e532d4d39abd6db0bd5c38a74a708ee3e 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -122,6 +122,12 @@ Do not configure or enable NTP. \fB\-\-force\-ntpd\fR Stop and disable any time&date synchronization services besides ntpd. .TP +\fB\-\-nisdomain\fR=\fINIS_DOMAIN\fR +Set the NIS domain name as specified. By default, this is set to the IPA domain name. +.TP +\fB\-\-no\-nisdomain\fR +Do not configure NIS domain name. +.TP \fB\-\-ssh\-trust\-dns\fR Configure OpenSSH client to trust DNS SSHFP records. .TP diff --git a/ipapython/platform/base/__init__.py b/ipapython/platform/base/__init__.py index c1b076b2cb0c4c365447377725e55966650ce116..f988c7127b0395f962faeb3fd16b853c4df62016 100644 --- a/ipapython/platform/base/__init__.py +++ b/ipapython/platform/base/__init__.py @@ -27,7 +27,8 @@ import os wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc', 'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd', - 'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd'] + 'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd', + 'domainname'] # System may support more time&date services. FreeIPA supports ntpd only, other # services will be disabled during IPA installation diff --git a/ipapython/platform/fedora16/service.py b/ipapython/platform/fedora16/service.py index edf2d7ff824399171f59a72a9b8fb49b1c4b08df..41c241ae5c31df56544b5b2bebd71c5ef109dd6e 100644 --- a/ipapython/platform/fedora16/service.py +++ b/ipapython/platform/fedora16/service.py @@ -54,6 +54,8 @@ system_units['pki_cad'] = system_units['pki-cad'] system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service' system_units['pki_tomcatd'] = system_units['pki-tomcatd'] system_units['ipa-otpd'] = 'ipa-otpd.socket' +# Service that sets domainname on Fedora is called fedora-domainname.service +system_units['domainname'] = 'fedora-domainname.service' class Fedora16Service(systemd.SystemdService): def __init__(self, service_name): -- 1.8.5.3
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel