Remove the --no-sssd option from ipa-client-automount

This makes automount configurable only using sssd and not LDAP. The reason is that authselect 1.3 no longer supports user-nsswitch.conf which is where we made direct changes to the nss configuration on Fedora/RHEL. The equivalent option was removed from ipa-client-install in https://pagure.io/freeipa/issue/7671 Fixes: https://pagure.io/freeipa/issue/9084 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-02-08 17:01:08 -05:00
parent 3e8a355dd4
commit c46ea21ed3
8 changed files with 25 additions and 214 deletions
--- a/client/man/ipa-client-automount.1
+++ b/client/man/ipa-client-automount.1
@@ -24,14 +24,12 @@ ipa\-client\-automount [\fIOPTION\fR]... <location>
 .SH "DESCRIPTION"
 Configures automount for IPA.

-The automount configuration consists of three files:
+The automount configuration consists of two files:
 .PP
 .IP  o
 /etc/nsswitch.conf
 .IP  o
 /etc/sysconfig/autofs
-.IP  o
-/etc/autofs_ldap_auth.conf

 .TP
 By default this will use DNS discovery to attempt to determine the IPA server(s) to use. If IPA servers are discovered then the automount client will be configured to use DNS discovery.
@@ -42,9 +40,9 @@ The default automount location is named default. To specify a different one use
 .TP
 The IPA client must already be configured in order to configure automount. The IPA client is configured as part of a server installation.
 .TP
-There are two ways to configure automount. The default is to use sssd to manage the automount maps. Alternatively autofs can configured to bind to LDAP over GSSAPI and authenticate using the machine's host principal.
+SSSD is configured to manage the automount maps.
 .TP
-The nsswitch automount service is configured to use either sss or ldap and files depending on whether SSSD is configured or not.
+The nss automount service is configured to use sss and files.
 .TP
 NFSv4 is also configured. The rpc.gssd and rpc.idmapd are started on clients to support Kerberos\-secured mounts.
 .SH "OPTIONS"
@@ -54,9 +52,6 @@ Set the FQDN of the IPA server to connect to.
 \fB\-\-location\fR=\fILOCATION\fR
 Automount location.
 .TP
-\fB\-S\fR, \fB\-\-no\-sssd\fR
-Do not configure the client to use SSSD for automount.
-.TP
 \fB\-\-idmap\-domain\fR=\fIIDMAP_DOMAIN\fR
 NFS domain for idmapd.conf. If unset, defaults to the IPA domain. If set to DNS, let idmapd or nfsidmap determine the domain from DNS (see idmapd(8) or nfsidmap(5) for details). If set to anything else, set idmapd.conf's Domain entry to that value.
 .TP
@@ -71,21 +66,12 @@ Restore the automount configuration files.

 .SH "FILES"
 .TP
-Files that will be always be configured:
+Files that will be configured:

 /etc/nsswitch.conf
-.TP
-Files that will be configured when SSSD is the automount client (default):

 /etc/sssd/sssd.conf

-.TP
-Files that will be configured when using the ldap automount client:
-
-/etc/sysconfig/autofs
-
-/etc/autofs_ldap_auth.conf
-
 .SH "EXIT STATUS"
 0 if the installation was successful

--- a/ipaclient/install/ipa_client_automount.py
+++ b/ipaclient/install/ipa_client_automount.py
@@ -29,12 +29,7 @@ import shutil
 import time
 import tempfile
 import gssapi
-import warnings

-try:
-    from xml.etree import cElementTree as etree
-except ImportError:
-    from xml.etree import ElementTree as etree
 import SSSDConfig

 from six.moves.urllib.parse import urlsplit
@@ -52,7 +47,6 @@ from ipalib.install.kinit import kinit_keytab
 from ipalib.util import check_client_configuration
 from ipapython import ipautil
 from ipapython.ipa_log_manager import standard_logging_setup
-from ipapython.dn import DN
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform import services
@@ -73,14 +67,6 @@ def parse_options():
        default="default",
        help="Automount location",
    )
-    parser.add_option(
-        "-S",
-        "--no-sssd",
-        dest="sssd",
-        action="store_false",
-        default=True,
-        help="Do not configure the client to use SSSD for automount",
-    )
    parser.add_option(
        "--idmap-domain",
        dest="idmapdomain",
@@ -147,52 +133,6 @@ def wait_for_sssd():
        )


-def configure_xml(fstore):
-    authconf = paths.AUTOFS_LDAP_AUTH_CONF
-    fstore.backup_file(authconf)
-
-    try:
-        tree = etree.parse(authconf)
-    except IOError as e:
-        logger.debug('Unable to open file %s', e)
-        logger.debug('Creating new from template')
-        tree = etree.ElementTree(
-            element=etree.Element('autofs_ldap_sasl_conf')
-        )
-
-    element = tree.getroot()
-    if element.tag != 'autofs_ldap_sasl_conf':
-        raise RuntimeError('Invalid XML root in file %s' % authconf)
-
-    element.set('usetls', 'no')
-    element.set('tlsrequired', 'no')
-    element.set('authrequired', 'yes')
-    element.set('authtype', 'GSSAPI')
-    element.set('clientprinc', 'host/%s@%s' % (api.env.host, api.env.realm))
-
-    try:
-        tree.write(authconf, xml_declaration=True, encoding='UTF-8')
-    except IOError as e:
-        print("Unable to write %s: %s" % (authconf, e))
-    else:
-        print("Configured %s" % authconf)
-
-
-def configure_nsswitch(statestore, options):
-    """
-    This function was deprecated. Use ipaplatform.tasks.
-
-    Point automount to ldap in nsswitch.conf.
-    This function is for non-SSSD setups only.
-    """
-    warnings.warn(
-        "Use ipaplatform.tasks.tasks.enable_ldap_automount",
-        DeprecationWarning,
-        stacklevel=2
-    )
-    return tasks.enable_ldap_automount(statestore)
-
-
 def configure_autofs_sssd(fstore, statestore, autodiscover, options):
    try:
        sssdconfig = SSSDConfig.SSSDConfig()
@@ -248,43 +188,6 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
    wait_for_sssd()


-def configure_autofs(fstore, statestore, autodiscover, server, options):
-    """
-    fstore: the FileStore to back up files in
-    options.server: the IPA server to use
-    options.location: the Automount location to use
-    """
-    if not autodiscover:
-        ldap_uri = "ldap://%s" % server
-    else:
-        ldap_uri = "ldap:///%s" % api.env.basedn
-
-    search_base = str(
-        DN(
-            ('cn', options.location),
-            api.env.container_automount,
-            api.env.basedn,
-        )
-    )
-    replacevars = {
-        'MAP_OBJECT_CLASS': 'automountMap',
-        'ENTRY_OBJECT_CLASS': 'automount',
-        'MAP_ATTRIBUTE': 'automountMapName',
-        'ENTRY_ATTRIBUTE': 'automountKey',
-        'VALUE_ATTRIBUTE': 'automountInformation',
-        'SEARCH_BASE': search_base,
-        'LDAP_URI': ldap_uri,
-    }
-
-    ipautil.backup_config_and_replace_variables(
-        fstore, paths.SYSCONFIG_AUTOFS, replacevars=replacevars
-    )
-    tasks.restore_context(paths.SYSCONFIG_AUTOFS)
-    statestore.backup_state('autofs', 'sssd', False)
-
-    print("Configured %s" % paths.SYSCONFIG_AUTOFS)
-
-
 def configure_autofs_common(fstore, statestore, options):
    autofs = services.knownservices.autofs
    statestore.backup_state('autofs', 'enabled', autofs.is_enabled())
@@ -311,7 +214,6 @@ def configure_autofs_common(fstore, statestore, options):
 def uninstall(fstore, statestore):
    RESTORE_FILES = [
        paths.SYSCONFIG_AUTOFS,
-        paths.AUTOFS_LDAP_AUTH_CONF,
        paths.SYSCONFIG_NFS,
        paths.IDMAPD_CONF,
    ]
@@ -572,16 +474,8 @@ def configure_automount():
        sys.exit("Installation aborted")

    try:
-        if not options.sssd:
-            tasks.enable_ldap_automount(statestore)
        configure_nfs(fstore, statestore, options)
-        if options.sssd:
-            configure_autofs_sssd(fstore, statestore, autodiscover, options)
-        else:
-            configure_xml(fstore)
-            configure_autofs(
-                fstore, statestore, autodiscover, server, options
-            )
+        configure_autofs_sssd(fstore, statestore, autodiscover, options)
        configure_autofs_common(fstore, statestore, options)
    except Exception as e:
        logger.debug('Raised exception %s', e)
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -36,7 +36,6 @@ class BasePathNamespace:
    SYSTEMD_DETECT_VIRT = "/usr/bin/systemd-detect-virt"
    SYSTEMD_TMPFILES = "/bin/systemd-tmpfiles"
    TAR = "/bin/tar"
-    AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
    ETC_FEDORA_RELEASE = "/etc/fedora-release"
    GROUP = "/etc/group"
    ETC_HOSTNAME = "/etc/hostname"
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -472,43 +472,6 @@ class BaseTaskNamespace:
            fstore, 'sudoers', ['sss'],
            default_value=['files'])

-    def enable_ldap_automount(self, statestore):
-        """
-        Point automount to ldap in nsswitch.conf.
-        This function is for non-SSSD setups only.
-        """
-        conf = IPAChangeConf("IPA Installer")
-        conf.setOptionAssignment(':')
-
-        with open(paths.NSSWITCH_CONF, 'r') as f:
-            current_opts = conf.parse(f)
-            current_nss_value = conf.findOpts(
-                current_opts, name='automount', type='option'
-            )[1]
-            if current_nss_value is None:
-                # no automount database present
-                current_nss_value = False  # None cannot be backed up
-            else:
-                current_nss_value = current_nss_value['value']
-            statestore.backup_state(
-                'ipa-client-automount-nsswitch', 'previous-automount',
-                current_nss_value
-            )
-
-        nss_value = ' files ldap'
-        opts = [
-            {
-                'name': 'automount',
-                'type': 'option',
-                'action': 'set',
-                'value': nss_value,
-            },
-            {'name': 'empty', 'type': 'empty'},
-        ]
-        conf.changeConf(paths.NSSWITCH_CONF, opts)
-
-        logger.info("Configured %s", paths.NSSWITCH_CONF)
-
    def disable_ldap_automount(self, statestore):
        """Disable automount using LDAP"""
        if statestore.get_state(
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -17,7 +17,6 @@ MULTIARCH = sysconfig.get_config_var('MULTIARCH')

 class DebianPathNamespace(BasePathNamespace):
    BIN_HOSTNAMECTL = "/usr/bin/hostnamectl"
-    AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
    ETC_HTTPD_DIR = "/etc/apache2"
    HTTPD_ALIAS_DIR = "/etc/apache2/ipa"
    HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
--- a/ipaplatform/debian/tasks.py
+++ b/ipaplatform/debian/tasks.py
@@ -202,11 +202,7 @@ Serial Number (hex): {cert.serial_number:#x}

        return True

-    # Debian doesn't use authselect, so call enable/disable_ldap_automount
-    # from BaseTaskNamespace.
-    def enable_ldap_automount(self, statestore):
-        return BaseTaskNamespace.enable_ldap_automount(self, statestore)
-
+    # Debian doesn't use authselect, so call disable_ldap_automount
    def disable_ldap_automount(self, statestore):
        return BaseTaskNamespace.disable_ldap_automount(self, statestore)

--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -759,17 +759,6 @@ class RedHatTaskNamespace(BaseTaskNamespace):
    def enable_sssd_sudo(self, _fstore):
        """sudo enablement is handled by authselect"""

-    def enable_ldap_automount(self, statestore):
-        """
-        Point automount to ldap in nsswitch.conf.
-        This function is for non-SSSD setups only.
-        """
-        super(RedHatTaskNamespace, self).enable_ldap_automount(statestore)
-
-        authselect_cmd = [paths.AUTHSELECT, "enable-feature",
-                          "with-custom-automount"]
-        ipautil.run(authselect_cmd)
-
    def disable_ldap_automount(self, statestore):
        """Disable ldap-based automount"""
        super(RedHatTaskNamespace, self).disable_ldap_automount(statestore)
--- a/ipatests/test_integration/test_nfs.py
+++ b/ipatests/test_integration/test_nfs.py
@@ -288,10 +288,7 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):
            tasks.uninstall_client(self.clients[0])
        request.addfinalizer(fin)

-    def nsswitch_backup_restore(
-        self,
-        no_sssd=False,
-    ):
+    def nsswitch_backup_restore(self):

        # In order to get a more pure sum, one that ignores the Generated
        # header and any whitespace we have to do a bit of work...
@@ -309,23 +306,15 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):
        cmd = self.clients[0].run_command(grep_automount_command)
        after_ipa_client_install = cmd.stdout_text.split()

-        if no_sssd:
-            ipa_client_automount_command = [
-                "ipa-client-automount", "--no-sssd", "-U"
-            ]
-        else:
-            ipa_client_automount_command = [
-                "ipa-client-automount", "-U"
-            ]
+        ipa_client_automount_command = [
+            "ipa-client-automount", "-U"
+        ]
        self.clients[0].run_command(ipa_client_automount_command)
        cmd = self.clients[0].run_command(grep_automount_command)
        after_ipa_client_automount = cmd.stdout_text.split()
-        if no_sssd:
-            assert after_ipa_client_automount == ['files', 'ldap']
-        else:
-            # The default order depends on the authselect version
-            # but we only care about the list of sources, not their order
-            assert sorted(after_ipa_client_automount) == ['files', 'sss']
+        # The default order depends on the authselect version
+        # but we only care about the list of sources, not their order
+        assert sorted(after_ipa_client_automount) == ['files', 'sss']

        cmd = self.clients[0].run_command(grep_automount_command)
        assert cmd.stdout_text.split() == after_ipa_client_automount
@@ -334,19 +323,18 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):
            "ipa-client-automount", "--uninstall", "-U"
        ])

-        if not no_sssd:
-            # https://pagure.io/freeipa/issue/8190
-            # check that no ipa_automount_location is left in sssd.conf
-            # also check for autofs_provider for good measure
-            grep_automount_in_sssdconf_cmd = \
-                "egrep ipa_automount_location\\|autofs_provider " \
-                "/etc/sssd/sssd.conf"
-            cmd = self.clients[0].run_command(
-                grep_automount_in_sssdconf_cmd, raiseonerr=False
-            )
-            assert cmd.returncode == 1, \
-                "PG8190 regression found: ipa_automount_location still " \
-                "present in sssd.conf"
+        # https://pagure.io/freeipa/issue/8190
+        # check that no ipa_automount_location is left in sssd.conf
+        # also check for autofs_provider for good measure
+        grep_automount_in_sssdconf_cmd = \
+            "egrep ipa_automount_location\\|autofs_provider " \
+            "/etc/sssd/sssd.conf"
+        cmd = self.clients[0].run_command(
+            grep_automount_in_sssdconf_cmd, raiseonerr=False
+        )
+        assert cmd.returncode == 1, \
+            "PG8190 regression found: ipa_automount_location still " \
+            "present in sssd.conf"

        cmd = self.clients[0].run_command(grep_automount_command)
        assert cmd.stdout_text.split() == after_ipa_client_install
@@ -367,6 +355,3 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):

    def test_nsswitch_backup_restore_sssd(self):
        self.nsswitch_backup_restore()
-
-    def test_nsswitch_backup_restore_no_sssd(self):
-        self.nsswitch_backup_restore(no_sssd=True)