So, we need a bit more logic here.
We want to use the vpn hosts file only if something is on the vpn and
it's also not in iad2. In iad2 we want the normal hosts file.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This isn't very clever, but it should work and be easily understandable.
We likely want to come up with a better way to do these hosts files
entirely, but it can wait until after freeze.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Basically, we are now installing a small wrapper in /usr/local/bin
which just echoes to stdout what should be in the authorized_keys
file for that user.
That content is generated by retrieving the ssh key from sssd via
the command sss_ssh_authorizedkeys as well as the usual ssh way to
restrict the action a user/key can do: command="...".
In this case, we're setting a couple of environment variables that
are needed later on for things to work properly as well as only
allowing the user to call the aclchecker.py script provided by pagure.
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
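An added example, not the wrapper from this commit, of an AuthorizedKeysCommand helper in the shape the message above describes: it takes the user's keys from sssd and emits each one as a forced-command entry. The aclchecker path, the config path and the two environment variable names are assumptions.

```shell
#!/bin/sh
# Added example of an sshd AuthorizedKeysCommand wrapper in the shape the
# commit describes; not the fedora-infrastructure script itself.
# sshd runs it as: AuthorizedKeysCommand /usr/local/bin/<wrapper> %u
# and installs whatever it prints as that user's authorized_keys content.
set -f   # no pathname expansion while we word-split key lines

ACLCHECKER="/usr/libexec/pagure/aclchecker.py"   # assumed path
PAGURE_CONFIG="/etc/pagure/pagure.cfg"            # assumed path

# restrict_keys USER: read raw "keytype base64 [comment]" lines on stdin
# and print each as an entry that can only run the ACL checker for USER.
restrict_keys() {
    user="$1"
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blanks and comments
        esac
        set -- $line
        [ $# -ge 2 ] || continue          # not a key line
        keytype="$1"; keydata="$2"; shift 2
        comment="$*"
        # The login name is passed to the checker as its argument so the
        # ACL lookup is bound to the identity sssd resolved, not to
        # anything the client sends. Variable names are assumptions.
        printf 'command="%s %s",environment="PAGURE_CONFIG=%s",environment="PAGURE_USER=%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s%s\n' \
            "$ACLCHECKER" "$user" "$PAGURE_CONFIG" "$user" \
            "$keytype" "$keydata" "${comment:+ $comment}"
    done
}

# Entry point: sssd provides the keys, we add the restrictions.
main() {
    [ -n "$1" ] || exit 1
    sss_ssh_authorizedkeys "$1" | restrict_keys "$1"
}

# Only act when sshd hands us a user name (bare invocation does nothing).
[ $# -eq 0 ] || main "$@"
```

The environment="..." options are ignored by sshd unless PermitUserEnvironment is enabled in sshd_config, so check that before relying on the variables in the checker.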
We don't want a custom /etc/hosts installed on every host, so bring back
the conditional.
Improves commit 7a2024398f.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Move the vpn ./. base logic from the ipa/client role into the hosts
role, so that applying the latter doesn't apply the base profile on VPN
hosts.
Fixes: fedora-infrastructure#9822
Signed-off-by: Nils Philippsen <nils@redhat.com>
Skip over home directories which are unowned or owned by someone else
than the user, or if the user themselves is unknown, and report.
Signed-off-by: Nils Philippsen <nils@redhat.com>
With IPA, enumerating users isn't easy and potentially expensive. Loop
over home directories instead. In the course, use pathlib.Path instead
of legacy interfaces for paths and pwd.getpwnam() to get information
about users instead of spawning external pipes.
Signed-off-by: Nils Philippsen <nils@redhat.com>