Installer: add --subid option to select the sssd profile with-subid

Add the --subid option to client, server and replica installers. This option allows to configure authselect with the sssd profile + with-subid feature, in order to have SSSD setup as a datasource for subid in /etc/nsswitch.conf. The default behavior remains unchanged: without the option, /etc/nsswitch.conf keeps the line subid: files Fixes: https://pagure.io/freeipa/issue/9159 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-05-18 17:38:05 +02:00 · 2022-05-18 17:38:05 +02:00 · 571b6b81c3
commit 571b6b81c3
parent aa6db128a7
10 changed files with 29 additions and 9 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -653,7 +653,12 @@ Requires: python3-sssdconfig >= %{sssd_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
 Requires: krb5-workstation >= %{krb5_version}
-Requires: authselect >= 0.4-2
+# authselect: sssd profile with-subid
 %if 0%{?fedora} >= 36
 Requires: authselect >= 1.4.0
 %else
 Requires: authselect >= 1.2.5
 %endif
 Requires: curl
 # NIS domain name config: /usr/lib/systemd/system/*-domainname.service
 # All Fedora 28+ and RHEL8+ contain the service in hostname package
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@ -3157,7 +3157,8 @@ def _install(options):
            sssd=options.sssd,
            mkhomedir=options.mkhomedir,
            statestore=statestore,
-            sudo=options.conf_sudo
+            sudo=options.conf_sudo,
            subid=options.subid
        )
        # if mkhomedir, make sure oddjobd is enabled and started
        if options.mkhomedir:
@ -3814,6 +3815,12 @@ class ClientInstallInterface(hostname_.HostNameInstallInterface,
    )
    no_sudo = enroll_only(no_sudo)
    subid = knob(
        None,
        description="configure SSSD as data source for subid",
    )
    subid = enroll_only(subid)
    no_dns_sshfp = knob(
        None,
        description="do not automatically create DNS SSHFP records",
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@ -200,7 +200,7 @@ class BaseTaskNamespace:
        raise NotImplementedError()
    def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore,
-                                  sudo=True):
+                                  sudo=True, subid=False):
        """
        If sssd flag is true, configure pam and nsswitch so that SSSD is used
        for retrieving user information and authentication.
--- a/ipaplatform/debian/tasks.py
+++ b/ipaplatform/debian/tasks.py
@ -42,7 +42,8 @@ class DebianTaskNamespace(RedHatTaskNamespace):
        return True
    @staticmethod
-    def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore, sudo=True):
+    def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore, sudo=True,
                                  subid=False):
        if mkhomedir:
            try:
                ipautil.run(["pam-auth-update",
--- a/ipaplatform/fedora_container/tasks.py
+++ b/ipaplatform/fedora_container/tasks.py
@ -13,7 +13,7 @@ logger = logging.getLogger(__name__)
 class FedoraContainerTaskNamespace(FedoraTaskNamespace):
    def modify_nsswitch_pam_stack(
-        self, sssd, mkhomedir, statestore, sudo=True
+        self, sssd, mkhomedir, statestore, sudo=True, subid=False
    ):
        # freeipa-container images are preconfigured
        # authselect select sssd with-sudo --force
--- a/ipaplatform/redhat/authconfig.py
+++ b/ipaplatform/redhat/authconfig.py
@ -101,7 +101,8 @@ class RedHatAuthSelect(RedHatAuthToolBase):
        features = output_items[1:]
        return profile, features
-    def configure(self, sssd, mkhomedir, statestore, sudo=True):
+    def configure(self, sssd, mkhomedir, statestore, sudo=True,
                  subid=False):
        # In the statestore, the following keys are used for the
        # 'authselect' module:
        # Old method:
@ -121,6 +122,8 @@ class RedHatAuthSelect(RedHatAuthToolBase):
            statestore.backup_state('authselect', 'mkhomedir', True)
        if sudo:
            cmd.append("with-sudo")
        if subid:
            cmd.append("with-subid")
        cmd.append("--force")
        cmd.append("--backup={}".format(backup_name))
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@ -245,9 +245,9 @@ class RedHatTaskNamespace(BaseTaskNamespace):
            f.writelines(content)
    def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore,
-                                  sudo=True):
+                                  sudo=True, subid=False):
        auth_config = get_auth_tool()
-        auth_config.configure(sssd, mkhomedir, statestore, sudo)
+        auth_config.configure(sssd, mkhomedir, statestore, sudo, subid)
    def is_nosssd_supported(self):
        # The flag --no-sssd is not supported any more for rhel-based distros
--- a/ipaplatform/rhel_container/tasks.py
+++ b/ipaplatform/rhel_container/tasks.py
@ -13,7 +13,7 @@ logger = logging.getLogger(__name__)
 class RHELContainerTaskNamespace(RHELTaskNamespace):
    def modify_nsswitch_pam_stack(
-        self, sssd, mkhomedir, statestore, sudo=True
+        self, sssd, mkhomedir, statestore, sudo=True, subid=False
    ):
        # freeipa-container images are preconfigured
        # authselect select sssd with-sudo --force
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@ -994,6 +994,8 @@ def install(installer):
            args.append("--no-sshd")
        if options.mkhomedir:
            args.append("--mkhomedir")
        if options.subid:
            args.append("--subid")
        start = time.time()
        run(args, redirect_output=True)
        dur = time.time() - start
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -720,6 +720,8 @@ def ensure_enrolled(installer):
        args.append("--no-sshd")
    if installer.mkhomedir:
        args.append("--mkhomedir")
    if installer.subid:
        args.append("--subid")
    if installer.force_join:
        args.append("--force-join")
    if installer.no_ntp: