This reverts commit df1445a64b.
Turns out we do have to enable sshd on client enroll because it passes
'ssh' to services in sssd.conf, which we need to get ssh keys for users.
:( Instead, I'll try another approach.
In RHEL9, ipa-enroll-client by default adds a
/etc/ssh/sshd_config.d/04-ipa.conf file with some sshd configuration.
Almost all of these things are things we already set in our sshd_config,
but one of them causes sshd to enable password (and 2nd factor required)
auth. We don't want this, we only want to allow ssh keys.
So, pass --no-sshd to enrollment and that should prevent it from
messing with our sshd config.
I have also removed this file and reloaded sshd all around.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
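The commit above hinges on how sshd merges a drop-in under /etc/ssh/sshd_config.d with the main sshd_config: per sshd_config(5), for each keyword the first value obtained wins, and an `Include` splices the matching files in at the point where it appears. A drop-in included at the top of the file therefore silently overrides a `KbdInteractiveAuthentication no` set lower down. The following checker is an added example, not part of the repository and not the IPA client's code; every file body in it is a constructed sample (in particular the contents given for 04-ipa.conf are invented to show the effect, not the real file), and it only evaluates the global section, stopping at the first `Match` block.

```python
"""
Resolve sshd's effective global options across Include'd drop-in files and
report which file supplied each authentication-related keyword.
"""
import fnmatch
import shlex

# Constructed in-memory filesystem: path -> file contents (not real files).
SAMPLE_FS = {
    "/etc/ssh/sshd_config": "\n".join([
        "Include /etc/ssh/sshd_config.d/*.conf",
        "PermitRootLogin no",
        "PasswordAuthentication no",
        "KbdInteractiveAuthentication no",
    ]),
    # Constructed stand-in for a drop-in written by an enrollment tool.
    "/etc/ssh/sshd_config.d/04-ipa.conf": "\n".join([
        "# constructed sample, not the real file",
        "PubkeyAuthentication yes",
        "KbdInteractiveAuthentication yes",
    ]),
    "/etc/ssh/sshd_config.d/50-redhat.conf": "UsePAM yes",
}

# sshd defaults for the keywords this checker reasons about (sshd_config(5)).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "any",
}


def _expand_include(pattern, fs):
    """Files in `fs` matching an Include glob, in lexical order like sshd."""
    return sorted(p for p in fs if fnmatch.fnmatch(p, pattern))


def effective_options(fs, root="/etc/ssh/sshd_config"):
    """Walk the config tree in sshd order; return {keyword: (value, source)}.

    Only the global section is considered: parsing stops at the first Match
    block, whose options depend on the connecting client.
    """
    found = {}

    def walk(path):
        for raw in fs[path].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = shlex.split(line)          # tolerates quoted arguments
            key, value = parts[0].lower(), " ".join(parts[1:])
            if key == "match":
                return True                    # stop: conditional section
            if key == "include":
                for inc in _expand_include(value, fs):
                    if walk(inc):
                        return True
                continue
            if key == "challengeresponseauthentication":
                key = "kbdinteractiveauthentication"   # deprecated alias
            if key not in found:               # first obtained value wins
                found[key] = (value, path)
        return False

    walk(root)
    return found


def login_without_key_possible(fs, root="/etc/ssh/sshd_config"):
    """True if the effective config can complete a login with no public key,
    i.e. a password or keyboard-interactive path is still open."""
    opts = effective_options(fs, root)

    def value(key):
        return opts.get(key, (DEFAULTS[key], "<default>"))[0].lower()

    enabled = {
        "publickey": value("pubkeyauthentication") == "yes",
        "password": value("passwordauthentication") == "yes",
        "keyboard-interactive": value("kbdinteractiveauthentication") == "yes",
    }
    methods = value("authenticationmethods")
    if methods == "any":
        return enabled["password"] or enabled["keyboard-interactive"]
    # Each space-separated entry is a comma-separated chain that must be
    # completed in full; a chain without publickey is a key-less path if
    # every method in it is enabled. "method:submethod" keeps only "method".
    for chain in methods.split():
        steps = [s.split(":")[0] for s in chain.split(",")]
        if "publickey" not in steps and all(enabled.get(s, True) for s in steps):
            return True
    return False


def without_dropin(fs, name):
    """The same config tree with one drop-in removed (what --no-sshd avoids)."""
    return {p: body for p, body in fs.items() if not p.endswith("/" + name)}


if __name__ == "__main__":
    for key, (val, src) in effective_options(SAMPLE_FS).items():
        print(f"{key:<30} {val:<6} from {src}")
    print("key-less login possible:", login_without_key_possible(SAMPLE_FS))
    print("... without the drop-in:",
          login_without_key_possible(without_dropin(SAMPLE_FS, "04-ipa.conf")))
```

Run against a real host by replacing SAMPLE_FS with the actual file contents; the `source` column is the thing to look at, since a keyword won by a drop-in is exactly the case the commit describes.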
We have a postgres user in ipa to prevent people from making an account
with that name, but we need/want to use a local version of this on
database servers, not the ipa one. We need the local one because the ipa
one is locked and this prevents database backups from working.
(Locked accounts can't run cron jobs).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
There's a real user 'mock' who we want to allow on ipsilon (so they can
login to anything) and people02 (so they can get to their people space),
but nowhere else, since we need the local mock user on places like
builders, etc.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We have a legit user who has the 'mock' account. So, we allow the ipa
one to override on people02 (since they have a shell account there), but
keep the filter everywhere else where we may run 'mock' the command.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
There's an actual legit person with a fas account of 'mock'.
We don't want to use their account, we want to use the local mock user
instead.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
For the maintainer_tests instances we just want to allow anyone with
shell access the ability to sudo with no password. In this case asking for
password/tokens could provide a MITM attack vector. This matches up with
the way they were set up before with fas2.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need to also add mock to sssd ignore groups/users, but for now since
we are frozen, only do this in staging. After freeze, we should merge
this back into one file.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We don't want a custom /etc/hosts installed on every host, so bring back
the conditional.
Improves commit 7a2024398f.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Move the vpn vs. base logic from the ipa/client role into the hosts
role, so that applying the latter doesn't apply the base profile on VPN
hosts.
Fixes: fedora-infrastructure#9822
Signed-off-by: Nils Philippsen <nils@redhat.com>
Currently /etc/nsswitch.conf has configurations like
passwd: sss files
shadow: files sss
group: sss files
The problem is that to make sure that certain users could not be
created in IPA (like nobody, root, etc.), they were already created but
in a restricted group. In order to allow sss to work for postfix, nfs,
nobody and such, the sssd.conf needs to ignore them in the nss
section. This adds a file which will do that.
Signed-off-by: Stephen Smoogen <smooge@smoogespace.com>
If either `ipa_client_shell_groups` or `ipa_client_sudo_groups` is
unset or empty, sysadmin-main will still be able to login and sudo.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The previous implementation didn't work because of a chicken-and-egg
problem: To add the batcave shell groups to those specifically for
bastion, it needs to look them up, but they aren't set yet (probably
because `batcave` comes after `bastion`).
Now, one can (optionally) set `ipa_client_shell_groups_inherit_from`, a
list of Ansible group names whose `ipa_client_shell_groups` will be
combined with that of the host itself. This is more robust because it's
done late, after variables are set from the inventory.
Signed-off-by: Nils Philippsen <nils@redhat.com>
This requires the canonical names of IPA servers to be mapped to their
IP addresses on the VPN as well as specifying the IPA server explicitly
when enrolling clients.
Signed-off-by: Nils Philippsen <nils@redhat.com>
SSSD caches information, some types for hours by default. When changing
anything in IPA pertaining to a host this role is applied to, clean out
the caches on the host so the changes are effective immediately.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The `fas_client` role installed a version of nsswitch.conf which doesn't
delegate to sss. For some reason, ipa-client-install doesn't ensure this
is brought back. This prepends `sss` to lines where it would be missing
otherwise. Also, run the cleanup tasks before the enrollment task.
Signed-off-by: Nils Philippsen <nils@redhat.com>
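Two of the commits above touch the same pair of files: the nsswitch.conf fix just described (prepend `sss` to the passwd/shadow/group lines only where it is missing), and the earlier one explaining why sssd.conf needs `filter_users`/`filter_groups` in its `[nss]` section once `sss` is consulted before `files` (the postgres and mock commits are instances of the same problem: an IPA account with the same name as a local system account wins the lookup). The script below is an added example, not code from the Fedora infrastructure repository; the nsswitch.conf, sssd.conf and local-account list are constructed samples, and the assumption that sssd filters `root` when `filter_users` is absent follows sssd.conf(5).

```python
"""
Repair nsswitch.conf so `sss` precedes the other sources, and list local
accounts that an identically named IPA user could shadow because they are
not covered by sssd's [nss] filter_users.
"""
import configparser

# Constructed sample of an nsswitch.conf that never delegates to sss.
OLD_NSSWITCH = """\
passwd: files
shadow: files
group: files
hosts: files dns
"""

# Constructed sssd.conf fragment; the domain name is invented.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example.test

[nss]
filter_users = root, nobody, postfix
filter_groups = root, nobody, postfix
"""

# Constructed list of accounts that exist locally in /etc/passwd.
LOCAL_ACCOUNTS = ["root", "nobody", "postfix", "nfs", "mock", "postgres"]

DATABASES = ("passwd", "shadow", "group")


def parse_nsswitch(text):
    """Return {database: [source tokens]} for every non-comment line."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        table[db.strip()] = sources.split()
    return table


def ensure_sss(text, databases=DATABASES):
    """Prepend `sss` on the given database lines when it is absent; every
    other line (comments, other databases, lines that already name sss) is
    returned unchanged."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            db, _, sources = line.partition(":")
            db = db.strip()
            if db in databases and "sss" not in sources.split():
                raw = f"{db}: sss {sources.strip()}".rstrip()
        out.append(raw)
    return "\n".join(out) + "\n"


def sssd_filter_users(sssd_conf_text):
    """Names sssd will not answer for from the [nss] section.

    Assumption: with filter_users unset, sssd filters `root` by default
    (sssd.conf(5)); other names are filtered only when listed explicitly.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    raw = cp.get("nss", "filter_users", fallback="root")
    return {name.strip() for name in raw.split(",") if name.strip()}


def sss_shadowed_local_accounts(nsswitch_text, sssd_conf_text, local_accounts):
    """Local accounts that an IPA user of the same name would shadow:
    sss is consulted before files for passwd and the name is not filtered.
    Action tokens such as [NOTFOUND=return] are ignored for the ordering."""
    sources = [t for t in parse_nsswitch(nsswitch_text).get("passwd", [])
               if not t.startswith("[")]
    if "sss" not in sources:
        return []
    files_idx = sources.index("files") if "files" in sources else len(sources)
    if sources.index("sss") > files_idx:
        return []                      # files wins, local entry is safe
    filtered = sssd_filter_users(sssd_conf_text)
    return sorted(a for a in local_accounts if a not in filtered)


if __name__ == "__main__":
    fixed = ensure_sss(OLD_NSSWITCH)
    print(fixed)
    print("unfiltered local accounts:",
          sss_shadowed_local_accounts(fixed, SAMPLE_SSSD_CONF, LOCAL_ACCOUNTS))
```

With the sample inputs the rewrite produces `passwd: sss files` (and the same for shadow and group) while leaving `hosts: files dns` alone, and the shadowing check then reports `mock`, `nfs` and `postgres` as names still missing from `filter_users`, which is the list the operator would want to add to the sssd drop-in.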