We removed this because it had some options we didn't like long ago.
However, now it's basically all stuff that's already in our base ssh
config.
It causes annoying, but harmless scriptlet messages on updates
and there's no need to remove it to only have it get re-added by
freeipa-client every update.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
On rhel the sssd dropin files (which need to be the same owner/group as
the main sssd.conf file) are root:root, but on fedora they are
root:sssd. So, split out this task to handle the two different cases.
Assisted-by: claude
(I had it generate this, and it actually did a reasonable job I think)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The pagure user needs to be uid 1000 because suexec won't let users with
uid under that suexec. ;(
Also, filter pagure user out in sssd so we get the local user.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This will unify all the handlers to use first uppercase letter for
ansible-lint to stop complaining.
I went through all `notify:` occurrences and fixed them by running
```
set TEXT "text_to_replace"; set REPLACEMENT "replacement_text"
git grep -rlz "$TEXT" . | xargs -0 sed -i "s/$TEXT/$REPLACEMENT/g"
```
Then I went through all the changes and removed the ones that weren't
expected to be changed.
Fixes https://pagure.io/fedora-infrastructure/issue/12391
Signed-off-by: Michal Konecny <mkonecny@redhat.com>
fix 1900 failures of the following case issue:
`name[casing]: All names should start with an uppercase letter.`
Signed-off-by: Ryan Lerch <rlerch@redhat.com>
On rhel and f41+ there is a sssd user, so we should use that.
If we don't, sssd will change the ownership on restart, meaning we flip
it back and forth each time we run the playbook.
Remember to remove this when fedora 40 is all gone from infra.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We change this to root/root and then restart sssd and it changes it
back. So, let's do this right and let it be sssd/sssd.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This reverts commit df1445a64b.
Turns out we do have to enable sshd on client enroll because it passes
'ssh' to services in sssd.conf, which we need to get ssh keys for users.
:( Instead will try another approach.
In RHEL9, ipa-enroll-client by default adds a
/etc/ssh/sshd_config.d/04-ipa.conf file with some sshd configuration.
Almost all of these things are things we already set in our sshd_config,
but one of them causes sshd to enable password (and 2nd factor required)
auth. We don't want this, we only want to allow ssh keys.
So, pass --no-sshd to enrollment and that should prevent it from
messing with our sshd config.
I have also removed this file and reloaded sshd all around.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
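An added example, not part of the commits above or of the project's playbooks: a shell check that reports sshd drop-in files enabling password or keyboard-interactive authentication, the kind of change the 04-ipa.conf commit describes. The function name, the list of directives checked, and the sample file contents are assumptions; the commit does not say which setting was responsible.

```shell
#!/bin/sh
# Added example (not from the commits above): flag sshd drop-in files that
# switch on non-key authentication.
# Assumption: the three directives checked here are the relevant ones; the
# commit does not say which setting in 04-ipa.conf enabled password auth.

# audit_sshd_dropins DIR
# Prints "file:Directive value" for each offending line; returns 1 if any.
audit_sshd_dropins() {
    dir=$1
    found=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        hits=$(awk '
            /^[ \t]*#/ { next }              # skip comments
            {
                sub(/[=]/, " ")              # sshd also accepts "Key=value"
                key = tolower($1); val = tolower($2)
                if ((key == "passwordauthentication" ||
                     key == "kbdinteractiveauthentication" ||
                     key == "challengeresponseauthentication") && val == "yes")
                    printf "%s:%s %s\n", FILENAME, $1, $2
            }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# Demo on constructed files (contents are illustrative, not the real 04-ipa.conf).
demo=$(mktemp -d)
printf 'PubkeyAuthentication yes\nChallengeResponseAuthentication yes\n' > "$demo/04-ipa.conf"
printf 'PasswordAuthentication no\n' > "$demo/50-base.conf"
audit_sshd_dropins "$demo" || echo "non-key auth enabled by a drop-in"
rm -rf "$demo"
```

This scan ignores `Match` blocks and include ordering; `sshd -T` prints the effective configuration and is the authoritative check on a live host.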
We have a postgres user in ipa to prevent people from making an account
with that name, but we need/want to use a local version of this on
database servers, not the ipa one. We need the local one because the ipa
one is locked and this prevents database backups from working.
(Locked accounts can't run cron jobs).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>