[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 3 commits: Rework sssd configuration, thanks to Mike Gabriel. (Closes: #977462)

Wolfgang Schweer gitlab at salsa.debian.org
Thu Dec 17 10:12:27 GMT 2020



Wolfgang Schweer pushed to branch master at Debian Edu / debian-edu-config


Commits:
24bc342f by Wolfgang Schweer at 2020-12-17T11:07:03+01:00
Rework sssd configuration, thanks to Mike Gabriel. (Closes: #977462)

share/debian-edu-config/tools/sssd-generate-config:
  Cleanup the included HERE documents (configuration snippets) from entries
  that are either default ones (like excluding the root user), obsolete, no
  longer in use or non-existent; also correct the wrong AD related one.

  As systemd is used, sssd services are now activated via sockets. The
 'service' configuration stanza needs to be empty to avoid starting
  permanently running processes. This also avoids spamming syslog with error
  messages.

- - - - -
82fd2422 by Wolfgang Schweer at 2020-12-17T11:08:59+01:00
Adjust the static etc/sssd/sssd-debian-edu.conf file accordingly

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
cef0c2cb by Wolfgang Schweer at 2020-12-17T11:11:26+01:00
Add changelog entries for last commits

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -


3 changed files:

- debian/changelog
- etc/sssd/sssd-debian-edu.conf
- share/debian-edu-config/tools/sssd-generate-config


Changes:

=====================================
debian/changelog
=====================================
@@ -1,5 +1,15 @@
 debian-edu-config (2.11.40) UNRELEASED; urgency=medium
 
+  * Rework sssd configuration, thanks to Mike Gabriel. (Closes: #977462)
+    - share/debian-edu-config/tools/sssd-generate-config:
+      Cleanup the included HERE documents (configuration snippets) from entries
+      that are either default ones (like excluding the root user), obsolete, no
+      longer in use or non-existent; also correct the wrong AD related one.
+      As systemd is used, sssd services are now activated via sockets. The
+      'service' configuration stanza needs to be empty to avoid starting
+      permanently running processes. this also aviods spamming syslog with error
+      messages.
+    - Adjust the static etc/sssd/sssd-debian-edu.conf file accordingly.
   * Adjust sbin/debian-edu-ltsp-install:
     - Improve IP address determination for the dedicated LTSP network.
     - Add nameserver stanza to /etc/network/interfaces.


=====================================
etc/sssd/sssd-debian-edu.conf
=====================================
@@ -1,17 +1,10 @@
 [sssd]
 config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam
 domains = intern
 
 [nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
 
 [pam]
-reconnection_retries = 3
 
 [domain/intern]
 ; Using enumerate = true leads to high load and slow response
@@ -29,5 +22,3 @@ ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
 
 krb5_server = kerberos
 krb5_realm = INTERN
-krb5_changepw_principle = kadmin/changepw
-krb5_auth_timeout = 15


=====================================
share/debian-edu-config/tools/sssd-generate-config
=====================================
@@ -109,20 +109,11 @@ cat <<EOF
 # SSSD configuration generated using $0
 [sssd]
 config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam, autofs
 domains = $domain
 
 [nss]
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
 
 [pam]
-reconnection_retries = 3
-
-[autofs]
 EOF
 if [ "$kerberosserver" ] ; then
     auth="krb5"
@@ -137,7 +128,7 @@ if ldap_is_active_directory $ldapuri ; then
 
 [domain/$domain]
 ldap_id_mapping = True
-ldap_schema = ad
+id_provider = ad
 EOF
 else
     cat <<EOF
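Review bot: The Active Directory branch's `[domain/$domain]` stanza now selects `id_provider = ad`, but the lines visible in this hunk set no `access_provider`, and sssd's documented default for that option is `permit`. With that default, every AD account that can authenticate is allowed to log in on the workstation, and AD-side account expiry is not evaluated by sssd. If that is not intended, add `access_provider = ad` below `id_provider = ad`; which GPO logon rights are then enforced depends on `ad_gpo_access_control`. `auth_provider` and `chpass_provider` fall back to the id provider when unset, so they need no line of their own. The heredoc opens above the hunk, so confirm that no earlier line already sets these options, and that the host is joined to the domain with a keytab, which the AD provider requires.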
@@ -150,7 +141,6 @@ cache_credentials = true
 id_provider = ldap
 auth_provider = $auth
 chpass_provider = $chpass
-
 ldap_uri = $ldapuri
 ldap_search_base = $ldapbase
 ldap_tls_reqcert = demand
@@ -162,8 +152,6 @@ EOF
 
 krb5_server = $kerberosserver
 krb5_realm = $kerberosrealm
-krb5_changepw_principle = kadmin/changepw
-krb5_auth_timeout = 15
 EOF
     fi
 fi



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/a8b4acf4e032279db2dc2a3c7cf019f90f8e5394...cef0c2cba84f393a8b49365ce819e39f8152bcd0
