tune_sssd.sh: enable GSSAPI in ssh_config (allow Kerberos by default)

50be691b · Vitaly Lipatov · 5faa2c24 · 50be691b
Commit 50be691b authored Jun 28, 2019 by Vitaly Lipatov
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 5 deletions

tune_sssd.sh dc-client/tune_sssd.sh +6 -5

No files found.
--- a/dc-client/tune_sssd.sh
+++ b/dc-client/tune_sssd.sh
@@ -21,7 +21,7 @@ fi

 epm assure bind-utils || fatal
 # Get REALM (needed for sssd tuning only) from DNS
-REALM=$(host -t txt _kerberos | sed -e 's|.*"\(.*\)".*|\1|')
+REALM=$(host -t txt _kerberos | sed -e 's|.*"\(.*\)".*|\1|') #"
 if [ -z "$REALM" ] ; then
    if [ -n "$1" ] ; then
        REALM="$1"
@@ -168,15 +168,16 @@ serv sssd on

 case $(distr_info -d) in
    ALTLinux)
-        # TODO: fix roleadd
        # TODO: use common domain groups
+        # TODO: check libnss-role version
        epm assure rolelst libnss-role
-        if ! rolelst | grep etersysadmin ; then
-            echo "etersysadmin: wheel" >> /etc/role
-        fi
+        roleadd etersysadmin wheel
        ;;
 esac

+subst "s|^#   GSSAPIAuthentication no|    GSSAPIAuthentication yes|" /etc/openssh/ssh_config
+subst "s|^#   GSSAPIDelegateCredentials no|    GSSAPIDelegateCredentials yes|" /etc/openssh/ssh_config
+
 echo "Done. Don't bother about DNS errors above"
 echo "Check https://www.altlinux.org/SSSD/AD for detailed description."
 exit