sgnl05 / sgnl05-sssd

Puppet module for SSSD
https://forge.puppet.com/sgnl05/sssd
GNU General Public License v3.0

How to get this to work with Centos8 #112

Closed zeekus closed 3 years ago

zeekus commented 3 years ago

I was able to get this module to work with centos8.

The problem seems to be some Yaml files for Centos are missing.

create mode 100644 data/os/Centos/8.yaml

```yaml
sssd::extra_packages:
  - 'authselect'
  - 'oddjob-mkhomedir'
sssd::manage_oddjobd: true
sssd::enable_mkhomedir_flags:
  - 'enablemkhomedir'
sssd::disable_mkhomedir_flags: []
```

Prior to making this change, I saw this on Centos8.

```
[root@lpe2d ~]# puppet agent -tv
Notice: Local environment: 'production' doesn't match server specified node environment 'development', switching agent to 'development'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for lpe2d.chesapeakebay.net
Info: Applying configuration version 'lpe1p-development-36bc30c2174'
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: usage: authconfig [-h] [--enablenis] [--disablenis] [--nisdomain ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--nisserver ] [--enableldap] [--disableldap]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enableldapauth] [--disableldapauth]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--ldapserver ] [--ldapbasedn ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enableldaptls] [--disableldaptls] [--enableldapstarttls]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disableldapstarttls] [--enablerfc2307bis]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablerfc2307bis] [--enablesmartcard]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablesmartcard] [--smartcardaction <0=Lock|1=Ignore>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablerequiresmartcard] [--disablerequiresmartcard]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablefingerprint] [--disablefingerprint] [--enablekrb5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablekrb5] [--krb5kdc ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--krb5adminserver ] [--krb5realm ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablekrb5kdcdns] [--disablekrb5kdcdns]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablekrb5realmdns] [--disablekrb5realmdns]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablewinbind] [--disablewinbind] [--enablewinbindauth]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablewinbindauth] [--winbindjoin ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablewinbindkrb5] [--disablewinbindkrb5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbworkgroup ] [--enablesssd] [--disablesssd]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablesssdauth] [--disablesssdauth] [--enablecachecreds]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablecachecreds] [--enablepamaccess]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablepamaccess] [--enablemkhomedir]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablemkhomedir] [--enablefaillock] [--disablefaillock]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--passminlen ] [--passminclass ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--passmaxrepeat ] [--passmaxclassrepeat ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablereqlower] [--disablereqlower] [--enablerequpper]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablerequpper] [--enablereqdigit] [--disablereqdigit]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablereqother] [--disablereqother] [--nostart]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--updateall] [--update] [--kickstart] [--test] [--probe]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--savebackup ] [--restorebackup ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--restorelastbackup] [--enablecache] [--disablecache]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enableecryptfs] [--disableecryptfs] [--enableshadow]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disableshadow] [--useshadow] [--enablemd5] [--disablemd5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--usemd5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--passalgo <descrypt|bigcrypt|md5|sha256|sha512>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--ldaploadcacert ] [--smartcardmodule ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbsecurity <user|server|domain|ads>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbrealm ] [--smbservers ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbidmaprange ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbidmapuid ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbidmapgid ] [--winbindseparator <>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--winbindtemplatehomedir </home/%D/%U>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--winbindtemplateshell </bin/false>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablewinbindusedefaultdomain]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablewinbindusedefaultdomain] [--enablewinbindoffline]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablewinbindoffline] [--enablepreferdns]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablepreferdns] [--enableforcelegacy]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disableforcelegacy] [--enablelocauthorize]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablelocauthorize] [--enablesysnetauth]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablesysnetauth] [--faillockargs ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: authconfig: error: unrecognized arguments: with-mkhomedir
Error: '/usr/sbin/authconfig with-mkhomedir --update' returned 2 instead of one of [0]
Error: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/authconfig with-mkhomedir --update' returned 2 instead of one of [0] (corrective)
```
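An added example, not part of the original comment or of the sgnl05-sssd module: a small Python triage of agent output like the run above that skips the repeated usage lines and reports the failed Exec, its command line, the exit code and the tool's own error message. `SAMPLE_LOG` is constructed from lines quoted above, and the `hint` rule (a bare `with-*` word is an authselect feature name, not an authconfig option) is this example's assumption about the cause.

```python
import re
import shlex

# Constructed sample: signal lines copied from the agent run quoted above,
# with the repeated usage output cut down to a single line.
SAMPLE_LOG = """\
Info: Applying configuration version 'lpe1p-development-36bc30c2174'
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablepamaccess] [--enablemkhomedir]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: authconfig: error: unrecognized arguments: with-mkhomedir
Error: '/usr/sbin/authconfig with-mkhomedir --update' returned 2 instead of one of [0]
Error: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/authconfig with-mkhomedir --update' returned 2 instead of one of [0] (corrective)
"""

# Output a command printed while Puppet ran the Exec resource.
OUTPUT = re.compile(r"^Notice: (?P<res>/Stage\[\S+)/returns: (?P<out>.*)$")
# Final failure record: resource, quoted command line and exit code.
FAILED = re.compile(
    r"^Error: (?P<res>/Stage\[\S+)/returns: change from .* failed: "
    r"'(?P<cmd>[^']+)' returned (?P<rc>\d+) instead of")


def triage(log):
    """Return one dict per failed Exec resource found in puppet agent output."""
    errors = {}    # resource -> "tool: error: ..." lines printed by the command
    failures = []
    for line in log.splitlines():
        m = OUTPUT.match(line)
        if m and ": error: " in m["out"]:
            errors.setdefault(m["res"], []).append(m["out"])
            continue
        m = FAILED.match(line)
        if not m:
            continue
        argv = shlex.split(m["cmd"])
        tool = argv[0].rsplit("/", 1)[-1]
        # The usage text above lists only --options for authconfig, so a bare
        # "with-*" argument is treated as an authselect feature name (assumption).
        hint = None
        if tool == "authconfig" and any(a.startswith("with-") for a in argv[1:]):
            hint = "authselect feature passed to authconfig"
        failures.append({"resource": m["res"], "command": m["cmd"],
                         "exit_code": int(m["rc"]),
                         "tool_errors": errors.get(m["res"], []),
                         "hint": hint})
    return failures
```
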

evan-chaney commented 3 years ago

This didn't work for me; adding an extra line to the conditional in init.pp checking for RHEL8/Fedora28 that grabbed CentOS8 did, though. It's possible things changed since you opened this issue. I'm on 3.1.0 from Puppet-forge.

mikehurn commented 3 years ago

To get it to work for me I had to set crypto policies to LEGACY

```
update-crypto-policies --set LEGACY
```

With a reboot, as I am working with an older AD server.

Then update the $::osfamily block. First I changed 'Redhat' to 'CentOS'. I did consider changing the `== 'Redhat'` to `in ['RedHat', 'CentOS']`, but that would give no overall benefit in my environment. Therefore a simple delete is all that was necessary ;)

```puppet
case $::osfamily {
  'RedHat': {
    if ($::facts['os']['name'] == 'Fedora' and versioncmp($::facts['os']['release']['major'], '28') >= 0) or
      ( versioncmp($::facts['os']['release']['major'], '8') >= 0) {
      #( $::facts['os']['name'] == 'CentOS' and versioncmp($::facts['os']['release']['major'], '8') >= 0) {
      #( $::facts['os']['name'] == 'Redhat' and versioncmp($::facts['os']['release']['major'], '8') >= 0) {
      if $ensure == 'present' {
```

zeekus commented 3 years ago

I abandoned Centos8 and went back to Centos7 due to the fact Centos8 is EOL in Dec 2021.