Discussion:
[Freeipa-devel] [freeipa PR#623][opened] client install: do not assume /etc/krb5.conf.d exists
HonzaCholasta
2017-03-20 06:57:51 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Author: HonzaCholasta
Title: #623: client install: do not assume /etc/krb5.conf.d exists
Action: opened

PR body:
"""
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.

This fixes client install on platforms which do not have /etc/krb5.conf.d.

https://pagure.io/freeipa/issue/6589
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/623/head:pr623
git checkout pr623
tiran
2017-03-20 07:58:07 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists

tiran commented:
"""
I'd rather create `/etc/krb5.conf.d` than to make the line conditional.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-287695038
HonzaCholasta
2017-03-20 08:05:14 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists

HonzaCholasta commented:
"""
There is no reason to, the directory is not owned by us and we don't use it for anything anyway (see ticket triage for relevant discussion).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-287695915
puiterwijk
2017-03-20 08:25:16 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists

puiterwijk commented:
"""
Would you be upgrading the krb5.conf after people upgrade krb5-libs to include the new includedir then?
Since that's what would happen if you don't change the krb5.conf and people update to a krb5-libs that has the includedir.

I've had to help a lot of people that ended up with configuration files lacking krb5.conf.d due to ipa-client setups (and other company configs, but at least that's limited to people working at companies giving broken krb5 configs).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-287698660
HonzaCholasta
2017-03-20 08:32:25 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists

HonzaCholasta commented:
"""
@puiterwijk, upgrade will be handled by krb5 itself, see https://bugzilla.redhat.com/show_bug.cgi?id=1431198.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-287699765
lslebodn
2017-03-27 20:54:37 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists

lslebodn commented:
"""
FYI: `/etc/krb5.conf.d` is not a default include directory; it is Fedora/EL7 specific.

Debian testing has MIT Kerberos 1.15 and `/etc/krb5.conf.d` does not exist there, as it is not included in /etc/krb5.conf.

So +1 for @HonzaCholasta's approach.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289583003
tiran
2017-03-28 11:08:49 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists

tiran commented:
"""
The ipa-certauth plugin now starts to rely on the existence of `/etc/krb5.conf.d`:

```
%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
```

**Practicality beats purity**, let's make `/etc/krb5.conf.d` part of the official FreeIPA configuration settings on all IPA enrolled systems.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289736798
lslebodn
2017-03-28 11:19:01 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists

lslebodn commented:
"""
Post by tiran
```
%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
```

The upstream spec file is a Fedora/RHEL spec file, and Fedora and RHEL have
`%{_sysconfdir}/krb5.conf.d/`. I cannot see any problem.

Post by tiran
**Practicality beats purity**, let's make `/etc/krb5.conf.d` part of the official FreeIPA configuration settings on all IPA enrolled systems.

But neither Debian nor Arch Linux/openSUSE have this directory (or any other)
included by default in `/etc/krb5.conf`.

I would like to see a standard directory for krb5 snippet files.
But that should be solved in the distribution. And just used by FreeIPA.

LS

"""

See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289738839
tiran
2017-03-28 12:00:30 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists

tiran commented:
"""
**Practicality beats purity**
<tjaalton> fine by me
"""

See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289747474
HonzaCholasta
2017-03-28 12:45:39 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Author: HonzaCholasta
Title: #623: client install: do not assume /etc/krb5.conf.d exists
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/623/head:pr623
git checkout pr623
frozencemetery
2017-03-28 16:18:26 UTC
URL: https://github.com/freeipa/freeipa/pull/623
Title: #623: client install: do not assume /etc/krb5.conf.d exists

frozencemetery commented:
"""
(Note: a standard directory in distributions that freeipa could use would be provided by the krb5 maintainer, not the freeipa maintainer.)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/623#issuecomment-289823559
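
The thread turns on two mismatches: an `includedir` line naming a directory that does not exist (the case this PR avoids), and a populated `/etc/krb5.conf.d` that krb5.conf never includes (the case puiterwijk describes). The following check for both is an added example, not FreeIPA code; the function names and the `root` parameter are hypothetical, and the snippet filename rule follows the krb5.conf man page.

```python
import os
import re

# MIT krb5 only reads directory entries with these names (krb5.conf(5)):
# alphanumerics, dashes, underscores, or *.conf not starting with a dot.
SNIPPET_NAME = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")
INCLUDEDIR = re.compile(r"^\s*includedir\s+(\S+)\s*$")


def included_dirs(conf_text):
    """Directories named by includedir directives, normalized, in file order."""
    matches = map(INCLUDEDIR.match, conf_text.splitlines())
    return [os.path.normpath(m.group(1)) for m in matches if m]


def include_line(snippet_dir, root="/"):
    """The PR's rule: emit the directive only when the directory exists."""
    on_disk = os.path.join(root, snippet_dir.lstrip("/"))
    return "includedir %s\n" % snippet_dir if os.path.isdir(on_disk) else ""


def audit(conf_text, snippet_dir="/etc/krb5.conf.d", root="/"):
    """Return (kind, path, detail) findings for both mismatches in the thread."""
    def on_disk(path):
        # `root` (hypothetical) lets the check run against a chroot or image.
        return os.path.join(root, path.lstrip("/"))

    findings = []
    dirs = included_dirs(conf_text)
    for d in dirs:
        if not os.path.isdir(on_disk(d)):
            findings.append(("includedir-missing", d, []))
    if snippet_dir not in dirs and os.path.isdir(on_disk(snippet_dir)):
        # Snippets that would be read if the directory were included.
        ignored = sorted(n for n in os.listdir(on_disk(snippet_dir))
                         if SNIPPET_NAME.match(n))
        if ignored:
            findings.append(("snippets-not-included", snippet_dir, ignored))
    return findings


if __name__ == "__main__":
    # Constructed sample: directive present, directory absent under this root.
    sample = "includedir /etc/krb5.conf.d\n[libdefaults]\n  default_realm = EXAMPLE.TEST\n"
    print(audit(sample, root="/nonexistent-root"))
```
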