Author: jsuchome Date: Fri Mar 18 11:17:46 2011 New Revision: 63592 URL: http://svn.opensuse.org/viewcvs/yast?rev=63592&view=rev Log: (backporting SSSD feature from 11.4:) - do not use pam_krb5 when sssd is configured (fate#308902) - when sssd is configured, update sssd.conf's kerberos values - agent for krb5.conf moved to yast2-pam to be usable by ldap-client - do not install pam_krb5 if sssd is configured (bnc#666186) - show an info that sssd is configured (fate#308902) - 2.17.9 Removed: branches/SuSE-Code-11-SP2-Branch/kerberos-client/agents/etc_krb5_conf.scr Modified: branches/SuSE-Code-11-SP2-Branch/kerberos-client/VERSION branches/SuSE-Code-11-SP2-Branch/kerberos-client/package/yast2-kerberos-client.changes branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/Kerberos.ycp branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/dialogs.ycp branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/kerberos.rnc branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/kerberos.ycp branches/SuSE-Code-11-SP2-Branch/kerberos-client/testsuite/tests/Read.out branches/SuSE-Code-11-SP2-Branch/kerberos-client/yast2-kerberos-client.spec.in Modified: branches/SuSE-Code-11-SP2-Branch/kerberos-client/VERSION URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/kerberos-client/VERSION?rev=63592&r1=63591&r2=63592&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/kerberos-client/VERSION (original) +++ branches/SuSE-Code-11-SP2-Branch/kerberos-client/VERSION Fri Mar 18 11:17:46 2011 
@@ -1 +1 @@ -2.17.8 +2.17.9 Modified: branches/SuSE-Code-11-SP2-Branch/kerberos-client/package/yast2-kerberos-client.changes URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/kerberos-client/package/yast2-kerberos-client.changes?rev=63592&r1=63591&r2=63592&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/kerberos-client/package/yast2-kerberos-client.changes (original) +++ branches/SuSE-Code-11-SP2-Branch/kerberos-client/package/yast2-kerberos-client.changes Fri Mar 18 11:17:46 2011 @@ -1,4 +1,14 @@ ------------------------------------------------------------------- +Fri Mar 18 10:45:39 CET 2011 - jsuchome@suse.cz + +- do not use pam_krb5 when sssd is configured (fate#308902) +- when sssd is configured, update sssd.conf's kerberos values +- agent for krb5.conf moved to yast2-pam to be usable by ldap-client +- do not install pam_krb5 if sssd is configured (bnc#666186) +- show an info that sssd is configured (fate#308902) +- 2.17.9 + +------------------------------------------------------------------- Mon Feb 8 11:11:06 CET 2010 - jsuchome@suse.cz - leave DNS checkbox disabled when DNS info is not available Modified: branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/Kerberos.ycp URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/Kerberos.ycp?rev=63592&r1=63591&r2=63592&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/Kerberos.ycp (original) +++ branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/Kerberos.ycp Fri Mar 18 11:17:46 2011 @@ -107,6 +107,9 @@ // if DNS is used for retrieving configuration data global boolean dns_used = false; +// if sssd is configured, do not use pam_krb5 +global boolean sssd = false; + /** map with the settings configurable in the expert tabs */ 
@@ -151,6 +154,8 @@ ExpertSettings = client["ExpertSettings"]:$[]; if (!haskey (ExpertSettings, "use_shmem") && haskey (client, "use_shmem")) ExpertSettings["use_shmem"] = use_shmem; + + sssd = settings["sssd"]:sssd; pam_modified = true; modified = true; ssh_modified = true; @@ -167,6 +172,7 @@ map export_map = $[ "pam_login": $[ "use_kerberos" : use_pam_krb, + "sssd" : sssd, ], "kerberos_client": $[ "default_domain" : default_domain, @@ -432,6 +438,8 @@ if (ssh_support == nil) ssh_support = false; + sssd = Pam::Enabled ("sss"); + return true; } @@ -499,7 +507,26 @@ // -- pam settings if (pam_modified || write_only) { - if (use_pam_krb) + // whem sssd is configured, do not use pam_krb5 and update sssd.conf + // fate#308902 + if (sssd) + { + y2milestone ("not using pam_krb5 because sssd is configured"); + Pam::Remove ("krb5"); + + y2milestone ("updating sssd.conf with new kerberos values"); + + path domain = add (.etc.sssd_conf.v, "domain/default"); + SCR::Write (add (domain, "auth_provider"), "krb5"); + SCR::Write (add (domain, "chpass_provider"), "krb5"); + SCR::Write (add (domain, "krb5_realm"), default_realm); + SCR::Write (add (domain, "krb5_kdcip"), kdc); + if (!SCR::Write(.etc.sssd_conf, nil)) + { + y2error ("error writing ldap.conf file"); + } + } + else if (use_pam_krb) { Pam::Add ("krb5"); // If ldap is configured we need to change it to ldap-account_only 
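Review bot: The hunk at @@ -151 (apparently the import routine) reads the new flag from the top level with `settings["sssd"]:sssd`, while the export map at @@ -167 writes `"sssd"` inside `pam_login` and kerberos.rnc declares `sssd` as a child of `pam_login`. A profile produced by export, or one that validates against the schema, would therefore presumably never set the flag on import. It would stay at its default `false`, and the write code would take the pam_krb5 branch on a host the profile describes as using SSSD. Reading it from where it is exported, e.g. `sssd = settings["pam_login", "sssd"]:sssd;`, would make the round trip consistent. The function body starts outside the hunk, so how `pam_login` is read there should be checked first.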
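Review bot: In the `if (sssd)` branch at @@ -499, a failed `SCR::Write(.etc.sssd_conf, nil)` is only logged, and only after `Pam::Remove ("krb5")` has already run. The host can end up with pam_krb5 removed and sssd.conf still holding the old realm and KDC. The log text names the wrong file and should read `y2error ("error writing sssd.conf file");`, and the failure should be propagated to the caller; how this function reports errors lies outside the hunk. Because the branch is tested before `use_pam_krb`, `auth_provider` and `chpass_provider` are set to `krb5` even when the user has switched Kerberos off, so the sssd.conf update should either be guarded by `use_pam_krb` or carry a comment explaining why it is unconditional. The comment typo `whem` should be `when`.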
@@ -740,13 +767,27 @@ return ret; } +/* + * Return the list of packages for kerberos configuration + */ +global list<string> RequiredPackages () { + + list<string> packages = required_packages; + // do not install pam_krb5 if sssd is configured + if (sssd) + { + packages = filter (string p, packages, ``(p != "pam_krb5")); + } + return packages; +} + /** * Return required packages for auto-installation * @return map of packages to be installed and to be removed */ global define map AutoPackages() { return ($[ - "install": UpdatedArchPackages (required_packages), + "install": UpdatedArchPackages (RequiredPackages ()), "remove": [] ]); } Modified: branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/dialogs.ycp URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/dialogs.ycp?rev=63592&r1=63591&r2=63592&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/dialogs.ycp (original) +++ branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/dialogs.ycp Fri Mar 18 11:17:46 2011 @@ -383,7 +383,7 @@ } if (result == `next && use_pam_krb) { - if (!Package::InstallAll (Kerberos::UpdatedArchPackages (Kerberos::required_packages))) + if (!Package::InstallAll (Kerberos::UpdatedArchPackages (Kerberos::RequiredPackages ()))) { result = `not_next; use_pam_krb = false; 
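Review bot: `RequiredPackages ()` at @@ -740 filters out pam_krb5 only for callers that go through it, while the global `required_packages` it copies from is unchanged and still reachable as `Kerberos::required_packages`. This commit converts three call sites (AutoPackages, dialogs.ycp, kerberos.ycp), but any caller outside the diff that still passes the global to the installer would pull in pam_krb5 despite SSSD. The header comment opens with `/*` and has no `@return`, unlike `AutoPackages` directly below; `/**` plus `@return list of package names, without pam_krb5 when sssd is configured` would keep the two consistent. The same comment should state that the result depends on `sssd` having been set by the read or import path before the call.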
@@ -392,6 +392,14 @@ UI::ChangeWidget (`id (widget), `Enabled, use_pam_krb); }); } + if (Kerberos::sssd) + { + // popup message + Popup::Message ("System Security Services Daemon (SSSD) is configured. +It is in use for Kerberos authentication instead of pam_krb5. + +You can disable SSSD in yast2 ldap-client module."); + } } } while (!contains ([`back, `cancel, `abort, `next, `advanced], result)); Modified: branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/kerberos.rnc URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/kerberos.rnc?rev=63592&r1=63591&r2=63592&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/kerberos.rnc (original) +++ branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/kerberos.rnc Fri Mar 18 11:17:46 2011 @@ -9,7 +9,8 @@ pam_login = element pam_login { - element use_kerberos { BOOLEAN }? + element use_kerberos { BOOLEAN }? & + element sssd { BOOLEAN }? } kerberos_client = element kerberos_client { Modified: branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/kerberos.ycp URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/kerberos.ycp?rev=63592&r1=63591&r2=63592&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/kerberos.ycp (original) +++ branches/SuSE-Code-11-SP2-Branch/kerberos-client/src/kerberos.ycp Fri Mar 18 11:17:46 2011 
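Review bot: The popup added at @@ -392 is shown whenever `Kerberos::sssd` is set, independent of `use_pam_krb`, so the user is told SSSD "is in use for Kerberos authentication" even when Kerberos was just switched off in this dialog. That mirrors the unconditional sssd branch in the Kerberos.ycp write code, and the two should be decided together. The text is also passed to `Popup::Message` as a bare literal rather than through `_()`, although the `// popup message` comment above it looks like a translator hint. If leaving it untranslated is deliberate for this backport, a short comment saying so would help; otherwise wrap it as `Popup::Message (_("..."))`. The enclosing loop starts outside the hunk.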
@@ -213,7 +213,7 @@ */ define boolean KerberosWrite () { - if (!Package::InstallAll (Kerberos::UpdatedArchPackages (Kerberos::required_packages))) + if (!Package::InstallAll (Kerberos::UpdatedArchPackages (Kerberos::RequiredPackages ()))) return false; return Kerberos::Write (); } Modified: branches/SuSE-Code-11-SP2-Branch/kerberos-client/testsuite/tests/Read.out URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/kerberos-client/testsuite/tests/Read.out?rev=63592&r1=63591&r2=63592&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/kerberos-client/testsuite/tests/Read.out (original) +++ branches/SuSE-Code-11-SP2-Branch/kerberos-client/testsuite/tests/Read.out Fri Mar 18 11:17:46 2011 @@ -31,6 +31,7 @@ Dir .etc.ssh.ssh_config.v."*": ["GSSAPIAuthentication", "GSSAPIDelegateCredentials"] Read .etc.ssh.ssh_config.v."*"."GSSAPIAuthentication" "yes" Read .etc.ssh.ssh_config.v."*"."GSSAPIDelegateCredentials" "yes" +Execute .target.bash_output "pam-config -q --sss" $["stdout":"password: "] Return true Dump ============================================ Dump kerberos used: true 
@@ -47,6 +48,7 @@ Dir .etc.ssh.ssh_config.v."*": ["GSSAPIAuthentication", "GSSAPIDelegateCredentials"] Read .etc.ssh.ssh_config.v."*"."GSSAPIAuthentication" "yes" Read .etc.ssh.ssh_config.v."*"."GSSAPIDelegateCredentials" "yes" +Execute .target.bash_output "pam-config -q --sss" $["stdout":"password: "] Return true Dump default realm: SUSE.CZ Dump ============================================ Modified: branches/SuSE-Code-11-SP2-Branch/kerberos-client/yast2-kerberos-client.spec.in URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP2-Branch/kerberos-client/yast2-kerberos-client.spec.in?rev=63592&r1=63591&r2=63592&view=diff ============================================================================== --- branches/SuSE-Code-11-SP2-Branch/kerberos-client/yast2-kerberos-client.spec.in (original) +++ branches/SuSE-Code-11-SP2-Branch/kerberos-client/yast2-kerberos-client.spec.in Fri Mar 18 11:17:46 2011 @@ -3,8 +3,8 @@ @HEADER@ BuildRequires: doxygen perl-XML-Writer update-desktop-files yast2 yast2-devtools yast2-pam yast2-testsuite -# new Pam.ycp API -Requires: yast2-pam >= 2.14.0 +# etc_krb5_conf.scr +Requires: yast2-pam >= 2.17.3 # Hostname::CurrentDomain, CurrentHostname Requires: yast2 >= 2.16.48 -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org