
Freeze exception for sssd?



When the freeze was announced, I was working on an updated sssd
package with code to automatically detect the configuration settings
during installation, to have this included in Squeeze.  The freeze
caught us a bit by surprise, but this new autodetection code is now
working, and it would be very good to have it included in Squeeze.

It also extends the init.d script to load settings from /etc/default/
and includes some other minor bug fixes.  The config generation script is
tested and works for DNS domains uio.no, mit.edu and Debian Edu.  If
the automatic configuration fails, it falls back to the old static
configuration currently used by the package in testing.

These are the changelog entries since the version currently in
testing:

sssd (1.2.1-3) unstable; urgency=low

  [ Petter Reinholdtsen ]
  * Look for /etc/default/sssd, not /etc/defaults/sssd in init.d
    script (Closes: #588252).
  * Make sssd.conf generation more robust, and make sure missing SRV
    records are ignored and not handled as host names.
  * Add code in generate-config to look up Kerberos realm using
    _kerberos TXT record in DNS if it exists.
  * Recommend bind9-host used by generate-config for SRV and TXT
    lookups.

  [ Morten Werner Forsbring ]
  * Check if /etc/default/sssd is a file and executable, not a directory,
    before sourcing in init-script. Thanks to lintian.

 -- Morten Werner Forsbring <werner@debian.org>  Thu, 12 Aug 2010 16:31:14 +0200

sssd (1.2.1-2) unstable; urgency=low

  * Make sure init.d script sources /etc/default/sssd (Closes: #588252).
  * Drop /etc/default/sssd from package, to avoid conffile question
    from dpkg during upgrades.
  * Make sure to only remove obsolete sssd conffiles on upgrades, not
    on first time installation.
  * Add new script generate-config and call it from the sssd postinst
    during first time installation to try to generate the sssd.conf
    file dynamically for LDAP and Kerberos using DNS entries, and fall
    back to the static example configuration if this fails.
  * Let sssd suggest libnss-sss and libpam-sss, to make those
    installing sssd aware of the other packages.
  * Add netgroup to nsswitch.conf entries added at first time
    installation, to make sure those installing now get working
    netgroups when sssd gets netgroup support.
  * Let sssd recommend ldap-utils as ldapsearch is used for generating
    the configuration.

 -- Petter Reinholdtsen <pere@debian.org>  Fri, 06 Aug 2010 23:44:26 +0200


Here is the complete diff, if you want to look at the details.

diff --git a/debian/changelog b/debian/changelog
index 2e78dde..0d2b5dd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,42 @@
+sssd (1.2.1-3) unstable; urgency=low
+
+  [ Petter Reinholdtsen ]
+  * Look for /etc/default/sssd, not /etc/defaults/sssd in init.d
+    script (Closes: #588252).
+  * Make sssd.conf generation more robust, and make sure missing SRV
+    records are ignored and not handled as host names.
+  * Add code in generate-config to look up Kerberos realm using
+    _kerberos TXT record in DNS if it exist.
+  * Recommend bind9-host used by generate-config for SRV and TXT
+    lookups.
+  
+  [ Morten Werner Forsbring ]
+  * Check if /etc/default/sssd is a file and executable, not a directory,
+    before sourcing in init-script. Thanks to lintian.
+
+ -- Morten Werner Forsbring <werner@debian.org>  Thu, 12 Aug 2010 16:31:14 +0200
+
+sssd (1.2.1-2) unstable; urgency=low
+
+  * Make sure init.d script sources /etc/default/sssd (Closes: #588252).
+  * Drop /etc/default/sssd from package, to avoid conffile question
+    from dpkg during upgrades.
+  * Make sure to only remove obsolete sssd conffiles on upgrades, not
+    on first time installation.
+  * Add new script generate-config and call it from the sssd postinst
+    during first time installation to try to generate the sssd.conf
+    file dynamically for LDAP and Kerberos using DNS entries, and fall
+    back to the static example configuration if this fail.
+  * Let sssd suggest libnss-sss and libpam-sss, to make those
+    installing sssd aware of the other packages.
+  * Add netgroup to nsswitch.conf entries added at first time
+    installation, to make sure those installing now get working
+    netgroups when sssd get netgroup support
+  * Let sssd recommend ldap-utils as ldapsearch is used for generating
+    the configuration.
+
+ -- Petter Reinholdtsen <pere@debian.org>  Fri, 06 Aug 2010 23:44:26 +0200
+
 sssd (1.2.1-1) unstable; urgency=low
 
   [ Petter Reinholdtsen ]
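Review bot: the blank line between the Petter and Morten stanzas in the new 1.2.1-3 entry (`+  ` right after the bind9-host item) carries trailing whitespace, the very thing the later hunks of this file are cleaning up; drop the two spaces. While touching the entries, "if it exist" and "if this fail" should read "exists"/"fails", and the netgroup item is missing its full stop.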
@@ -12,7 +51,7 @@ sssd (1.2.1-1) unstable; urgency=low
 
   [ Morten Werner Forsbring ]
   * New upstream release.
-  
+
  -- Morten Werner Forsbring <werner@debian.org>  Thu, 24 Jun 2010 14:16:30 +0200
 
 sssd (1.2.0-1) unstable; urgency=low
@@ -85,13 +124,13 @@ sssd (1.0.2-0ubuntu1) lucid; urgency=low
     - python API for managing sssd daemon configuration and
       native SSSD users.
     - support for asynchronous cache refreshes.
-    - support password changing in LDAP and Kerberos providers. 
+    - support password changing in LDAP and Kerberos providers.
     - support for server failover.
   * debian/control:
     - update tdb build dependency to use libtdb-dev.
     - add libselinux1-dev and libsasl2-dev build dependencies.
   * debian/sssd.upstart: replace init script with an upstart job.
-  * Turn sssd.conf into a configuration file.  
+  * Turn sssd.conf into a configuration file.
   * Create sssd log directory.
 
  -- Mathias Gug <mathiaz@ubuntu.com>  Tue, 19 Jan 2010 15:17:13 -0500
@@ -102,7 +141,7 @@ sssd (0.5.0-0ubuntu2) karmic; urgency=low
     + Fix linitian errors and warnings (LP: #425697):
       sssd ships an nss library - these are false-positives.
   * debian/fix-dbus-watch.dpatch: Update dbus-patch to final
-    upstream version. 
+    upstream version.
   * debian/fix-proxy-segfault.dpatch: Fix proxy enumeration.
 
  -- Mathias Gug <mathiaz@ubuntu.com>  Wed, 09 Sep 2009 20:21:04 -0400
diff --git a/debian/control b/debian/control
index 9d3102c..dee9113 100644
--- a/debian/control
+++ b/debian/control
@@ -21,6 +21,8 @@ Homepage: https://fedorahosted.org/sssd/
 Package: sssd
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, python, python-sss
+Recommends: ldap-utils, bind9-host
+Suggests: libnss-sss, libpam-sss
 Description: System Security Services Daemon 
  Provides a set of daemons to manage access to remote directories and
  authentication mechanisms. It provides an NSS and PAM interface toward
diff --git a/debian/generate-config b/debian/generate-config
new file mode 100755
index 0000000..4920f20
--- /dev/null
+++ b/debian/generate-config
@@ -0,0 +1,136 @@
+#!/bin/sh
+
+# Generate sssd.conf setup dynamically based on autodetectet LDAP
+# and Kerberos server.
+
+set -e
+
+# See if we can find an LDAP server.  Prefer ldap.domain, but also
+# accept SRV records if no ldap.domain server is found.
+lookup_ldap_uri() {
+    domain="$1"
+    if ping -c2 ldap.$domain > /dev/null 2>&1; then
+	echo ldap://ldap.$domain
+    else
+	host=$(host -N 2 -t SRV _ldap._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}' | head -1)
+	if [ "$host" ] ; then
+	    echo ldap://$host | sed 's/\.$//'
+	fi
+    fi
+}
+
+lookup_ldap_base() {
+    ldapuri="$1"
+    defaultcontext="$(ldapsearch -LLL -H "$ldapuri" -x -b '' -s base defaultNamingContext  2>/dev/null | awk '/^defaultNamingContext: / { print $2}')"
+    if [ -z "$defaultcontext" ] ; then
+	# If there are several contexts, pick the first one with
+	# posixAccount or posixGroup objects in it.
+	for context in $(ldapsearch -LLL -H "$ldapuri" -x -b '' \
+	    -s base namingContexts 2>/dev/null | \
+	    awk '/^namingContexts: / { print $2}') ; do
+	    if ldapsearch -LLL -H $ldapuri -x -b "$context" -s sub -z 1 \
+		'(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 | \
+		egrep -q '^dn:|^Administrative limit exceeded' ; then
+		echo $context
+		return
+	    fi
+	done
+    fi
+    echo $defaultcontext
+}
+
+lookup_kerberos_server() {
+    domain="$1"
+    if ping -c2 kerberos.$domain > /dev/null 2>&1; then
+	echo kerberos.$domain
+    else
+	host=$(host -t SRV _kerberos._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1)
+	if [ "$host" ] ; then
+	    echo $host | sed 's/\.$//'
+	fi
+    fi
+}
+
+lookup_kerberos_realm() {
+    domain="$1"
+    realm=$(host -t txt _kerberos.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1|tr -d '"')
+    if [ -z "$realm" ] ; then
+	realm=$(echo $domain | tr a-z A-Z)
+    fi
+    echo $realm
+}
+
+
+generate_config() {
+    if [ "$1" ] ; then
+	domain=$1
+    else
+	domain="$(hostname -d)"
+    fi
+    kerberosrealm=$(lookup_kerberos_realm $domain)
+    ldapuri=$(lookup_ldap_uri "$domain")
+    if [ -z "$ldapuri" ];  then
+	# autodetection failed
+	return
+    fi
+
+    ldapbase="$(lookup_ldap_base "$ldapuri")"
+    if [ -z "$ldapbase" ];  then
+	# autodetection failed
+	return
+    fi
+    kerberosserver=$(lookup_kerberos_server "$domain")
+
+cat <<EOF
+# SSSD configuration generated using $0
+[sssd]
+config_file_version = 2
+reconnection_retries = 3
+sbus_timeout = 30
+services = nss, pam
+domains = $domain
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+EOF
+if [ "$kerberosserver" ] ; then
+    auth="krb5"
+    chpass="krb5"
+else
+    auth="ldap"
+    chpass="ldap";
+fi
+
+cat <<EOF
+
+[domain/$domain]
+; Using enumerate = true leads to high load and slow response
+enumerate = false
+cache_credentials = true
+
+id_provider = ldap
+auth_provider = $auth
+chpass_provider = $chpass
+
+ldap_uri = $ldapuri
+ldap_search_base = $ldapbase
+ldap_tls_reqcert = demand
+ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
+EOF
+
+if [ "$kerberosserver" ] ; then
+    cat <<EOF
+
+krb5_kdcip = $kerberosserver
+krb5_realm = $kerberosrealm
+krb5_changepw_principle = kadmin/changepw
+krb5_auth_timeout = 15
+EOF
+fi
+}
+generate_config "$@"
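Review bot: lookup_ldap_uri, lookup_kerberos_server and lookup_kerberos_realm filter host(1) output only with `grep -v NXDOMAIN` and then take the last field, so an answer of the form `_ldap._tcp.example.com has no SRV record` (name exists, record does not) yields the host name `record`, and the TXT lookup in the same situation yields the realm `record`; match the positive wording instead (`grep 'has SRV record'`, `grep 'descriptive text'`) and read the target from its fixed field, which would also let you keep the SRV port instead of assuming the default. Two smaller points: generate_config should stop early when `hostname -d` returns nothing rather than querying `ldap.` and `_ldap._tcp.`, and because the server is picked from unauthenticated DNS answers and written as a plain `ldap://` URI, `ldap_tls_reqcert = demand` only covers connections that actually negotiate TLS; consider adding `ldap_id_use_start_tls = true` (or an ldaps:// URI) so identity lookups get the same protection as authentication.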
diff --git a/debian/libnss-sss.postinst b/debian/libnss-sss.postinst
index e63de92..8163f57 100755
--- a/debian/libnss-sss.postinst
+++ b/debian/libnss-sss.postinst
@@ -9,10 +9,10 @@ log() {
     echo "$*"
 }
 
-# try to insert sss entries to the passwd, group and shadow lines in
-# /etc/nsswitch.conf to automatically enable libnss-sss support; do
-# not change the configuration if the lines already references some
-# sss lookups
+# try to insert sss entries to the passwd, group, shadow and netgroup
+# lines in /etc/nsswitch.conf to automatically enable libnss-sss
+# support; do not change the configuration if the lines already
+# references some sss lookups
 insert_nss_entry() {
     log "Checking NSS setup..."
     # abort if /etc/nsswitch.conf does not exist
@@ -33,7 +33,7 @@ insert_nss_entry() {
             push @bits, "sss";
             return join " ",@bits;
         }
-        s/^(passwd:\s+|group:\s+|shadow:\s+)(.*)/$1.insert($2)/e;
+        s/^(passwd:\s+|group:\s+|shadow:\s+|netgroup:\s+)(.*)/$1.insert($2)/e;
     ' /etc/nsswitch.conf
 }
 
diff --git a/debian/libnss-sss.postrm b/debian/libnss-sss.postrm
index 13d985c..304827f 100755
--- a/debian/libnss-sss.postrm
+++ b/debian/libnss-sss.postrm
@@ -27,7 +27,7 @@ remove_nss_entry() {
             }
             return $s;
         }
-        s/^(passwd:|group:|shadow:)(.*)/$1.remove($2)/e;
+        s/^(passwd:|group:|shadow:|netgroup:)(.*)/$1.remove($2)/e;
     ' /etc/nsswitch.conf
 }
 
diff --git a/debian/rules b/debian/rules
index 0927aae..c49abc4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -25,6 +25,7 @@ install/sssd::
 	mkdir -p $(CURDIR)/debian/sssd$(APIDOCDIR)/sssd.api.d/
 	install -D -m640 $(CURDIR)/src/config/etc/sssd.api.conf $(CURDIR)/debian/sssd$(APIDOCDIR)/sssd.api.conf
 	install -m640 $(CURDIR)/src/config/etc/sssd.api.d/* $(CURDIR)/debian/sssd/$(APIDOCDIR)/sssd.api.d/ 
+	install -D -m755 $(CURDIR)/debian/generate-config $(CURDIR)/debian/sssd/usr/lib/sssd/generate-config
 
 binary-install/python-sss::
 	find $(CURDIR)/debian/python-sss/ -name '*.la' -exec rm '{}' ';'
diff --git a/debian/sssd.default b/debian/sssd.default
deleted file mode 100644
index d77ded7..0000000
--- a/debian/sssd.default
+++ /dev/null
@@ -1,10 +0,0 @@
-# Defaults for sssd initscript
-# sourced by /etc/init.d/sssd
-# installed at /etc/default/sssd by the maintainer scripts
-
-#
-# This is a POSIX shell fragment
-#
-
-# Additional options that are passed to the Daemon.
-DAEMON_OPTS=""
diff --git a/debian/sssd.init b/debian/sssd.init
index cc69a44..190cfe9 100644
--- a/debian/sssd.init
+++ b/debian/sssd.init
@@ -20,6 +20,7 @@ DESCRIPTION="System Security Services Daemon"
 PATH=/bin:/usr/bin:/sbin:/usr/sbin
 NAME=sssd
 OPTIONS="-D"
+DAEMON_OPTS=""
 DAEMON=/usr/sbin/$NAME
 PIDFILE=/var/run/$NAME.pid
 
@@ -31,11 +32,15 @@ PIDFILE=/var/run/$NAME.pid
 # and status_of_proc is working.
 . /lib/lsb/init-functions
 
+if [ -x /etc/default/sssd ] ; then
+    . /etc/default/sssd
+fi
+
 initdmain() {
     case "$1" in
         start)
             [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESCRIPTION" "$NAME"
-            start_daemon -p $PIDFILE $DAEMON $OPTIONS
+            start_daemon -p $PIDFILE $DAEMON $OPTIONS $DAEMON_OPTS
             RC=$?
             case "$RC" in
                 0)
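Review bot: `[ -x /etc/default/sssd ]` requires the defaults file to be executable, but files under /etc/default are conventionally created mode 0644 and only sourced, so an administrator who writes one the usual way (the package no longer ships it, per the 1.2.1-2 changelog) will find DAEMON_OPTS silently ignored; the common idiom is `[ -r /etc/default/sssd ] && . /etc/default/sssd`, which satisfies the lintian complaint without imposing the execute bit.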
diff --git a/debian/sssd.postinst b/debian/sssd.postinst
index 373faf8..d978400 100644
--- a/debian/sssd.postinst
+++ b/debian/sssd.postinst
@@ -17,13 +17,19 @@ set -e
 # for details, see http://www.debian.org/doc/debian-policy/ or
 # the debian-policy package
 
-
 case "$1" in
     configure)
     # Install default configuration file on package install
     if [ -z "$2" ] && [ ! -e /etc/sssd/sssd.conf ]; then
-        cp /usr/share/doc/sssd/examples/sssd.conf /etc/sssd/sssd.conf
-	chmod 0600 /etc/sssd/sssd.conf
+        /usr/lib/sssd/generate-config > /etc/sssd/sssd.conf.new
+	if [ ! -s /etc/sssd/sssd.conf.new ] ; then
+	    rm /etc/sssd/sssd.conf.new
+	    # autodetection failed, use static example
+            cat /usr/share/doc/sssd/examples/sssd.conf > /etc/sssd/sssd.conf
+	else
+	    mv /etc/sssd/sssd.conf.new /etc/sssd/sssd.conf
+	fi
+        chmod 0600 /etc/sssd/sssd.conf
     fi
     # Fix configuration file on package upgrade
     if dpkg --compare-versions "$2" lt-nl 1.0.2-0ubuntu1; then
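Review bot: `/usr/lib/sssd/generate-config > /etc/sssd/sssd.conf.new` creates the file under the caller's umask (normally 0644) and the file only becomes 0600 at the trailing `chmod`, and the fallback branch writes /etc/sssd/sssd.conf with `cat >` the same way; set `umask 077` ahead of the redirects, or create the file with the right mode first, so the configuration is never world-readable even briefly. Also, this postinst runs under `set -e`, and generate-config itself does `set -e` around `domain="$(hostname -d)"` and network lookups, so a non-zero exit from it (for instance `hostname -d` failing on a host whose name does not resolve) aborts package configuration instead of reaching the static fallback; `if ! /usr/lib/sssd/generate-config > /etc/sssd/sssd.conf.new; then` keeps the fallback reachable. The new block also mixes tabs and spaces for indentation.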
diff --git a/debian/sssd.preinst b/debian/sssd.preinst
index 72271b6..3ea187f 100755
--- a/debian/sssd.preinst
+++ b/debian/sssd.preinst
@@ -24,7 +24,9 @@ rm_conffile() {
 }
 
 case "$1" in
-install|upgrade)
+install)
+    ;;
+upgrade)
     if dpkg --compare-versions "$2" le "1.0.5-1"; then
         rm_conffile sssd "/etc/sssd/sssd.api.conf"
         rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-proxy.conf"
@@ -34,6 +36,7 @@ install|upgrade)
         rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-krb5.conf"
         rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-ldap.conf"
     fi
+    ;;
 esac
 
 #DEBHELPER#

Happy hacking,
-- 
Petter Reinholdtsen
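The DNS parsing in generate-config is the fragile part of the autodetection described above. As an added example (not code from the sssd package), here is a stricter parser for the same host(1) output that only accepts lines positively reporting a record, prefers the lowest SRV priority and keeps the port; the sample output lines are constructed to mirror host's wording and are embedded so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the Debian sssd package. srv_best reads
# "host -t SRV" output on stdin and prints "target port" for the record
# with the lowest priority (RFC 2782), or nothing at all. "has no SRV
# record" and NXDOMAIN replies never match, so they cannot leak into a
# host name the way "grep -v NXDOMAIN | awk '{print $NF}'" allows.
srv_best() {
    awk '
        $2 == "has" && $3 == "SRV" && $4 == "record" && NF == 8 {
            prio = $5 + 0; port = $7; target = $8
            sub(/\.$/, "", target)          # strip the trailing root dot
            if (best == "" || prio < bestprio) {
                bestprio = prio; best = target " " port
            }
        }
        END { if (best != "") print best }
    '
}

# txt_realm reads "host -t TXT _kerberos.<domain>" output and returns the
# quoted realm only from a "descriptive text" line; anything else yields
# an empty string so the caller can fall back to the upper-cased domain.
txt_realm() {
    awk '$2 == "descriptive" && $3 == "text" {
        s = $0
        sub(/^.*descriptive text "/, "", s)
        sub(/".*$/, "", s)
        print s; exit
    }'
}

# Constructed sample replies modelled on host(1) wording (not captured
# from any real zone).
SAMPLE_SRV='_ldap._tcp.example.com has SRV record 20 0 636 ldap2.example.com.
_ldap._tcp.example.com has SRV record 10 0 389 ldap1.example.com.'
SAMPLE_NONE='_ldap._tcp.example.org has no SRV record'
SAMPLE_NX='Host _ldap._tcp.example.net not found: 3(NXDOMAIN)'
SAMPLE_TXT='_kerberos.example.com descriptive text "EXAMPLE.COM"'

printf '%s\n' "$SAMPLE_SRV" | srv_best     # ldap1.example.com 389
printf '%s\n' "$SAMPLE_NONE" | srv_best    # (no output)
printf '%s\n' "$SAMPLE_TXT" | txt_realm    # EXAMPLE.COM
```

Feeding the live output of `host -t SRV _ldap._tcp."$domain"` into srv_best gives a drop-in replacement for the `host=$(...)` lines in lookup_ldap_uri and lookup_kerberos_server.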

