On (07/01/16 11:17), Jakub Hrozek wrote:
On Thu, Jan 07, 2016 at 10:27:29AM +0100, Lukas Slebodnik wrote:
> On (06/01/16 18:21), Lukas Slebodnik wrote:
> >ehlo,
> >
> >attached patch should fix warnings with ad provider
> >and without installed package sssd-ipa
> >
> >[sssd[be[domain.com]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [domain.com] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_domain.com]
> >[sssd[be[domain.com]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_domain.comkd2iik] for domain-realm mappings failed
> >[sssd[be[domain.com]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_domain.comkd2iik]: [2]: Aucun fichier ou dossier de ce type
> >
> >LS
>
> >From 446c1c82b79310ae1f6494d4b219316d6ed8ec01 Mon Sep 17 00:00:00 2001
> >From: Lukas Slebodnik <lslebodn(a)redhat.com>
> >Date: Wed, 6 Jan 2016 18:09:16 +0100
> >Subject: [PATCH] SPEC: Change package ownership of
> > %{pubconfpath}/krb5.include.d
> >
> >krb5 domain mapping files are stored to the directory
> >%{pubconfpath}/krb5.include.d. It can be stored by ipa or ad provider.
> >However this directory was owned by sub-package sssd-ipa. And ad provider
> >can be installed without this package. Therefore %{pubconfpath}/krb5.include.d
> >should be owned by common dependency.
> >---
> > contrib/sssd.spec.in | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> >diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
> >index
710ba92209d4a4d6e45b63bf7bf693fd5ec5f490..5f6880a1d30454f365ea6c596299a13b6b3121fe 100644
> >--- a/contrib/sssd.spec.in
> >+++ b/contrib/sssd.spec.in
> >@@ -733,6 +733,7 @@ rm -rf $RPM_BUILD_ROOT
> > %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
> > %attr(755,sssd,sssd) %dir %{pipepath}
> > %attr(755,sssd,sssd) %dir %{pubconfpath}
> >+%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
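Review bot: The added `%dir %{pubconfpath}/krb5.include.d` entry uses `%attr(755,root,root)`, while the parent `%{pubconfpath}` on the context line directly above it is `%attr(755,sssd,sssd)`. With mode 755 and root ownership, a back end running as the sssd user has no write permission in this directory, so creating the temporary mapping file there would still fail when the daemon runs unprivileged. Suggest `%attr(755,sssd,sssd) %dir %{pubconfpath}/krb5.include.d` so the ownership matches the parent directory.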
> I only moved this line from one package to another.
> But I wonder why the directory is owned by root.
> sssd will not be able to write domain mappings in non-root mode.
This looks like a bug, when I install from source, the directory is
owned by sssd.sssd.

Yes, this directory is part of the "array" SSSD_USER_DIRS in the makefile.
So it had correct permissions.
Updated patch is attached.

btw when I tested this, I think I found another issue -- we try to bump
the mtime of /etc/krb5.conf, but since the file is only writable by
root, we fail:
(Thu Jan 7 10:11:00 2016) [sssd[be[ipa.test]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [ipa.test] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_test]
(Thu Jan 7 10:12:04 2016) [sssd[be[ipa.test]]] [sss_krb5_touch_config] (0x0020): Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied
I wonder if we should open krb.conf during startup and then call
futimens() instead?

File a bug.
LS