Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

Sun, 05 Jun 2016 00:49:16 -0700 


On 02.06.2016 19:59, Martin Basti wrote:




On 31.05.2016 19:19, Robbie Harwood wrote:

Alexander Bokovoy<aboko...@redhat.com>  writes:


On Sat, 28 May 2016, Robbie Harwood wrote:

Alexander Bokovoy<aboko...@redhat.com>  writes:

On Fri, 27 May 2016, Robbie Harwood wrote:

Stanislav Laznicka<slazn...@redhat.com>  writes:

From: Stanislav Laznicka<slazn...@redhat.com>

The include of /etc/krb5.conf.d/ is required for crypto-policies
to work properly

https://fedorahosted.org/freeipa/ticket/5912

Thank you for working on this.  Is the intent on the part of
FreeIPA to keep a separate, freeipa-speicifc directory?  And if so,
can I suggest that we not do that?

SSSD cannot write to /etc and I don't think we have to change it.

Can you elaborate on this?  Why can't sssd write the stuff it puts in
/var/lib into /etc, or symlink it?

Writing to /etc is considered a privilege of a system administrator. A
runtime override is typically done outside it, in /run like systemd
allows for its configuration for volatile setups and in /var/lib
for non-volatile ones. The latter has long been a state of affairs in
Linux.

Currently SSSD runs under root but it is already made possible to run as
non-root user and we intend to switch to that mode in future releases.

I guess I don't see a meaningful difference here.  We're still writing
to /etc when we modify krb5.conf.

My reading of the FHS is that this is not an intended use of /var/lib:
/var/lib is for state information [0], and the only time the FHS
mentions config files is to point out that they go in the /etc tree.

Anyway, I've said my piece and won't derail this further.  If you want
to merge, this is a cosmetic issue and I can live with it.

[0]:http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION



ACK, this patch works as expected. If nobody is against it, I will 
push it (tomorrow).


Martin^2




Pushed to master: 2026677635c6d4b086670cb9d8f3570bd1b95c27


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code





















					Reply via email to