On Mon, Apr 29, 2019 at 08:59:32AM +0200, Pavel Březina wrote:
On 4/28/19 7:04 PM, Spike White wrote:
BTW,
Even if beforehand in authselect I create a custom profile and set /etc/authselect/authselect.conf to this custom/profile.
When I run 'realm join', it still invokes:
* /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Hi,
AFAIK there is no way to tell realm not to call authselect. But realm is usually run only once so you can always call authselect select custom/profile after you call realm join.
If this is not enough for some reason, you need to file RFE against realmd.
Hi,
there is no command line option, but in /usr/lib/realmd/realmd-distro.conf it is defined how authselect is called by realmd.
I think if you add
[commands] sssd-enable-logins = /usr/bin/sh -c "/usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service" sssd-disable-logins = /bin/true
to /etc/realmd.conf authselect will not be called anymore. Or you can use something like
sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select your-custom-profike with-your-options --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
to tell realmd to use you profile.
HTH
bye, Sumit
^^^^^^^^^^^^^^^^^^^^^^^^^^
That is, it overwrites my already-set up /etc/authselect/authselect.conf
custom/profile
with this content:
[root@rhel8test01 authselect]# cat authselect.conf sssd with-mkhomedir
Spike
On Sun, Apr 28, 2019 at 11:46 AM Spike White <spikewhitetx@gmail.com mailto:spikewhitetx@gmail.com> wrote:
All, Basically here is the realm command we use to join the appropriate regional AD domain: realm join -v --automatic-id-mapping=no --computer-ou="OU=Servers,OU=UNIX,DC=$SUPPORTREGION,DC=COMPANY,DC=COM"
--user-principal="host/`hostname --fqdn`@$JOINDOMAIN" $JOINDOMAIN
As part of this, realm join internally runs the following command: * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service But that sets /etc/pam.d/password-auth and /etc/pam.d/system-auth to a sub-optimal PAM stack. I.e., not what we desire. For example, 99.9% of our users are in AD. So we want to run pam_sssd *before* pam_unix. We are very comfortable with testing and debugging PAM stacks. We have a stable, tested PAM stack that works great -- ever since RHEL7. Basically, after the 'realm join' above is done, we have to overwrite /etc/pam.d/{system-auth,password-auth,postlogin} with what we desire. If 'realm join' can't be convinced to not run authselect, we're ok with creating a custom/profile authselect profile with what we want. And then convince realm join to run: authselect select custom/profile Instead of the above authselect select sssd Prior to running 'realm join', I have to drop down a /etc/realmd.conf file so that the 'realm join' behaves as I want it to. Is there any option in realmd.conf to not run authselect or tailor the authselect command? Or may a flag on the 'realm discover' command line? I don't remember any of these problems with realm join on RHEL7.
Maybe it was running authconfig inappropriately as well -- and I just never noticed, because I over-wrote with desired PAM stack?
Spike
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...