Fleet commander: store deskprofiles under user running SSSD

[alexey-tikhonov]

Integrated feature was never oficially released, but the latest development status was:

org.freedesktop.FleetCommanderClient is run as root

and can read profiles doesn't matter files ownership ( https://lists.fedorahosted.org/archives/list/[email protected]/message/IG3MIET5MILWJZRS3JQWMTVOPGNY6XWI/ )

Actual status is that 'FleetCommanderClient' isn't really maintained.

Storing profiles under user that runs SSSD doesn't break anything but removes the need for CAP_SET_?ID and CAP_CHOWN (in this code).

[alexey-tikhonov]

Fails at F40 are unrelated.

[justin-stephenson]

Actual status is that 'FleetCommanderClient' isn't really maintained.

But do users actively use it? I've never used Fleet Commander, is there someone willing to test this PR does not break their working setup?

[alexey-tikhonov]

Actual status is that 'FleetCommanderClient' isn't really maintained.

But do users actively use it?

Depends on definition of "actively" but in general "I don't think so".

I've never used Fleet Commander, is there someone willing to test this PR does not break their working setup?

About 1st patch: I think @stanislavlevin said they use something similar in ALT Linux and this works for them (at least it was my understanding from #5888 (comment))

About 2nd patch: this, of course, does break working config - it will require to set session_provider config option explicitly. This patch does two things:

• session_provider option was simply ignored, it's fixed now
• default changed to 'none'; I don't insist on this, but, imo, it makes sense because vast majority of IPA users do not use fleet commander (IIUC) yet it generates unnecessary LDAP traffic.

[alexey-tikhonov]

Comments from @abbra about changing defaults:

Technically, you can identify this feature by presence of its LDAP schema. This is something easily discoverable but would require storing something in a domain struct, probably. https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/schema.d/75-deskprofile.ldif
I am worried about existing deployments. These tend to be not a single PC style ones, so updating deployed systems is a bit hard.
Changing the code to only query whether the scheme is present at domain online check would achieve pretty much the same but would reduce LDAP traffic as you wanted.

[alexey-tikhonov]

Ok, I removed "default changed to 'none'" part from the 2nd patch and created #7123 to implement run time detection.

[alexey-tikhonov]

For the sake of completeness, "non-privileged" runs are in #7120. But I don't think it matters much because I don't think tests hit those codepaths.

[justin-stephenson]

Ack, thank you.

[pbrezina]

As we talked on slack, the second patch is not needed. The target constructor is only run if the provider is ipa.

[alexey-tikhonov]

As we talked on slack, the second patch is not needed. The target constructor is only run if the provider is ipa.

Removed 2nd patch

[sumit-bose]

Hi,

sorry for miss-reading the patch, I have no further comments, ACK.

bye,
Sumit

[alexey-tikhonov]

Pushed PR: #7119

• master
  • c11734e - Fleet commander: store deskprofiles under user running SSSD