
Customized /etc/realmd.conf being overwritten #78

Closed
jaredmarcuccilli opened this issue Jan 9, 2024 · 8 comments

Comments

@jaredmarcuccilli

jaredmarcuccilli commented Jan 9, 2024

Hello!

I am trying to work around this issue, where "realm join" overwrites a hardened password-auth/system-auth with authselect:
https://issues.redhat.com/browse/RHEL-5101
https://access.redhat.com/solutions/5956991

A suggested workaround is to customize /etc/realmd.conf to include these:

```ini
[commands]
sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
sssd-disable-logins = /bin/true
```

However, realmd.conf gets overwritten when the template is applied. An alternative would be to edit /usr/lib/realmd/realmd-distro.conf directly, but it would be nice if the role could accommodate customization of realmd.conf.

@richm
Contributor

richm commented Jan 10, 2024

I would prefer to keep the template based implementation of realmd.conf, rather than moving to use lineinfile or blockinfile.
What if we introduce a parameter like ad_integration_preserve_custom_sssd_profile: true|false

then in the template

```jinja
{% if ad_integration_preserve_custom_sssd_profile %}
[commands]
sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
sssd-disable-logins = /bin/true
{% endif %}
```

@justin-stephenson @jakub-vavra-cz wdyt?

@jakub-vavra-cz
Contributor

Well, realmd.conf is unfortunately a file not owned by the realmd package, so we cannot check if the user changed it by `rpm -V realmd`.
We can stat if it exists and, if it does not, use the template.
If it exists and does not have our ansible signature, we can apply `blockinfile` (showing a warning that this is not recommended). If it exists and has our ansible signature, we can just silently replace it with the template.

@richm
Contributor

richm commented Jan 10, 2024

> Well, realmd.conf is unfortunately a file not owned by the realmd package, so we cannot check if the user changed it by `rpm -V realmd`.

But can it be owned by the ad_integration role? Can we say "if you use the ad_integration role to manage realmd.conf, you cannot be guaranteed to preserve any edits made to realmd.conf outside of the ad_integration role." Note that most other system roles work the same way - you use the system role to manage the resource, and any changes made outside of the system role will be wiped out by the role.

> We can stat if it exists and, if it does not, use the template. If it exists and does not have our ansible signature, we can apply `blockinfile` (showing a warning that this is not recommended). If it exists and has our ansible signature, we can just silently replace it with the template.

If we have to code it up in such a way that any/every change made to realmd.conf outside of the role must be preserved, then we are going to make the role very complicated . . .

@justin-stephenson
Collaborator

> I would prefer to keep the template based implementation of realmd.conf, rather than moving to use lineinfile or blockinfile. What if we introduce a parameter like ad_integration_preserve_custom_sssd_profile: true|false
>
> then in the template
>
> ```jinja
> {% if ad_integration_preserve_custom_sssd_profile %}
> [commands]
> sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
> sssd-disable-logins = /bin/true
> {% endif %}
> ```
>
> @justin-stephenson @jakub-vavra-cz wdyt?

These realmd changes are just a workaround, it would be cleaner to have a proper solution to this (something similar to the realm join argument --do-not-touch-config). That said I don't know when that feature will be developed so for now I am fine with this proposed approach, ad_integration_preserve_authselect_profile would be more valid.

I would also add a comment in this template

Remove authselect command from `sssd-enable-logins` to avoid overwriting previous PAM/nsswitch changes, until https://issues.redhat.com/browse/RHEL-5101 is addressed.

Or maybe putting this in the README for the role variable is enough.
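The conditional `[commands]` block proposed above, together with the "ansible signature" check suggested earlier in the thread, rendered and verified in plain Python. This is an added example, not code from the ad_integration role; the `preserve_authselect_profile` flag stands in for the proposed role variable, the signature comment text is assumed, and the authselect-invoking hook used in the test is a constructed stand-in for the distro default, not the real realmd-distro.conf content.

```python
"""Render the proposed realmd.conf override and check whether a
'realm join' hook would still run authselect (the RHEL-5101 behaviour)."""
import configparser

# Marker comment standing in for the role's "ansible signature" (assumed text).
ANSIBLE_SIGNATURE = "# Ansible managed by the ad_integration role"

# The [commands] override from this thread: enable oddjobd without authselect.
WORKAROUND_BLOCK = """[commands]
sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
sssd-disable-logins = /bin/true
"""


def render_realmd_conf(preserve_authselect_profile: bool) -> str:
    """Stand-in for the Jinja2 template: the override block is emitted only
    when the proposed preserve variable is true."""
    text = ANSIBLE_SIGNATURE + "\n"
    if preserve_authselect_profile:
        text += WORKAROUND_BLOCK
    return text


def is_ansible_managed(conf_text: str) -> bool:
    """A file carrying our signature may be replaced silently; one without it
    may be hand-edited and deserves a warning instead of an overwrite."""
    return ANSIBLE_SIGNATURE in conf_text.splitlines()


def join_hook_runs_authselect(conf_text: str) -> bool:
    """True when 'realm join' would invoke authselect and so rewrite
    password-auth/system-auth. With no [commands] override, the distro
    default hook applies, which is exactly what the issue reports."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    hook = cp.get("commands", "sssd-enable-logins", fallback=None)
    if hook is None:
        return True
    return "authselect" in hook
```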

@richm
Contributor

richm commented Jan 10, 2024

> > I would prefer to keep the template based implementation of realmd.conf, rather than moving to use lineinfile or blockinfile. What if we introduce a parameter like ad_integration_preserve_custom_sssd_profile: true|false
> > then in the template
> >
> > ```jinja
> > {% if ad_integration_preserve_custom_sssd_profile %}
> > [commands]
> > sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
> > sssd-disable-logins = /bin/true
> > {% endif %}
> > ```
> >
> > @justin-stephenson @jakub-vavra-cz wdyt?
>
> These realmd changes are just a workaround, it would be cleaner to have a proper solution to this (something similar to the realm join argument --do-not-touch-config). That said I don't know when that feature will be developed so for now I am fine with this proposed approach, ad_integration_preserve_authselect_profile would be more valid.
>
> I would also add a comment in this template
>
> Remove authselect command from `sssd-enable-logins` to avoid overwriting previous PAM/nsswitch changes, until https://issues.redhat.com/browse/RHEL-5101 is addressed.
>
> Or maybe putting this in the README for the role variable is enough.

#79

@richm
Contributor

richm commented Jan 11, 2024

@jaredmarcuccilli can you test #79 ?

@jaredmarcuccilli
Author

> @jaredmarcuccilli can you test #79 ?

Worked exactly as expected, my PAM files are intact. Thanks for adding this so quickly.

@richm
Contributor

richm commented Jan 16, 2024

merged #79

@richm richm closed this as completed Jan 16, 2024