Hello,
Is it possible to create new tag with legacy fact fix (please check the attachement) ?
Thanks.

Florent.

We should only support the latest two major releases of Puppet and drop support for Puppet 4.

Is there a reason for ensuring that sssd.conf is configured before authconfig-mkhomedir Exec? https://github.com/sgnl05/sgnl05-sssd/blob/master/manifests/init.pp#L238

In the background authconfig utility will modify sssd.conf. Basically puppet will in next modify the contents of sssd.conf again. The way I see module should ensure that sssd service must only run after the authconfig command has set.

CloudLinux for all intents and purposes can be treated the same as CentOS for this module. Any chance of getting it added into that case statement alongside CentOS?

Hi,

I'm interested in using your module and would like to know if you would accept a refactor to remove the anchor and params patterns. The current design needlessly separates out the classes, where each class should encapsulate specific functionality as opposed to just a piece of functionality that is glued together with the anchor pattern. It makes the code harder to read and understand. If you are open to this, I would be happy to do the refactor and submit more spec tests.

Testing your module on Centos 6. System does not get in convergent state in a single run. It seems that not all the changes have been applied on a sssd.conf during the first Puppet run. Services array is geting default values and not the values defined in a config hash.

(/Stage[main]/Sssd::Config/File[sssd_config_file]/content) -services = nss, pam, autofs
(/Stage[main]/Sssd::Config/File[sssd_config_file]/content) +services = nss,pam

When provisioning a CentOS 7.2 vagrant box I get the following error:

Error: Could not enable messagebus: 
Error: /Stage[main]/Sssd::Service/Service[messagebus]/ensure: change from stopped to running failed: Could not enable messagebus: 
Warning: /Stage[main]/Sssd::Service/Service[sssd]: Skipping because of failed dependencies
Warning: /Stage[main]/Sssd/Anchor[sssd::end]: Skipping because of failed dependencies

Running yum update on the box seem to fix the problem and so does setting

service_dependencies = ['dbus']

After looking around I have stumbled upon this: https://bugzilla.redhat.com/show_bug.cgi?id=1184960. Could that be the cause of my problem? If so, should the default value for service_dependencies be ['dbus'] rather than ['messagebus']? Is it safe to have it as an empty array?

I get the following error when running on OracleLinux:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, operatingsystem is which is not supported at /etc/puppetlabs/code/environments/production/modules/sssd/manifests/params.pp:43:11

as the params.pp have missing OracleLinux part:

$ diff params.pp.orig params.pp
45c45
< 'RedHat', 'CentOS': {

    'RedHat', 'CentOS', 'OracleLinux': {

Regards,
Tomasz

I was able to get this module to work with centos8.

The problem seems to be some Yaml files for Centos are missing.

create mode 100644 data/os/Centos/8.yaml

sssd::extra_packages:

'authselect'
'oddjob-mkhomedir'
sssd::manage_oddjobd: true

sssd::enable_mkhomedir_flags:

'enablemkhomedir'
sssd::disable_mkhomedir_flags: []

Prior to making this change, I saw this on Centos8.
[root@lpe2d ~]# puppet agent -tv
Notice: Local environment: 'production' doesn't match server specified node environment 'development', switching agent to 'development'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for lpe2d.chesapeakebay.net
Info: Applying configuration version 'lpe1p-development-36bc30c2174'
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: usage: authconfig [-h] [--enablenis] [--disablenis] [--nisdomain ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--nisserver ] [--enableldap] [--disableldap]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enableldapauth] [--disableldapauth]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--ldapserver ] [--ldapbasedn ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enableldaptls] [--disableldaptls] [--enableldapstarttls]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disableldapstarttls] [--enablerfc2307bis]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablerfc2307bis] [--enablesmartcard]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablesmartcard] [--smartcardaction <0=Lock|1=Ignore>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablerequiresmartcard] [--disablerequiresmartcard]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablefingerprint] [--disablefingerprint] [--enablekrb5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablekrb5] [--krb5kdc ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--krb5adminserver ] [--krb5realm ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablekrb5kdcdns] [--disablekrb5kdcdns]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablekrb5realmdns] [--disablekrb5realmdns]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablewinbind] [--disablewinbind] [--enablewinbindauth]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablewinbindauth] [--winbindjoin ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablewinbindkrb5] [--disablewinbindkrb5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbworkgroup ] [--enablesssd] [--disablesssd]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablesssdauth] [--disablesssdauth] [--enablecachecreds]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablecachecreds] [--enablepamaccess]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablepamaccess] [--enablemkhomedir]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablemkhomedir] [--enablefaillock] [--disablefaillock]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--passminlen ] [--passminclass ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--passmaxrepeat ] [--passmaxclassrepeat ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablereqlower] [--disablereqlower] [--enablerequpper]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablerequpper] [--enablereqdigit] [--disablereqdigit]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablereqother] [--disablereqother] [--nostart]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--updateall] [--update] [--kickstart] [--test] [--probe]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--savebackup ] [--restorebackup ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--restorelastbackup] [--enablecache] [--disablecache]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enableecryptfs] [--disableecryptfs] [--enableshadow]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disableshadow] [--useshadow] [--enablemd5] [--disablemd5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--usemd5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--passalgo <descrypt|bigcrypt|md5|sha256|sha512>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--ldaploadcacert ] [--smartcardmodule ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbsecurity <user|server|domain|ads>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbrealm ] [--smbservers ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbidmaprange ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbidmapuid ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--smbidmapgid ] [--winbindseparator <>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--winbindtemplatehomedir </home/%D/%U>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--winbindtemplateshell </bin/false>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--enablewinbindusedefaultdomain]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablewinbindusedefaultdomain] [--enablewinbindoffline]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablewinbindoffline] [--enablepreferdns]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablepreferdns] [--enableforcelegacy]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disableforcelegacy] [--enablelocauthorize]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablelocauthorize] [--enablesysnetauth]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: [--disablesysnetauth] [--faillockargs ]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: authconfig: error: unrecognized arguments: with-mkhomedir
Error: '/usr/sbin/authconfig with-mkhomedir --update' returned 2 instead of one of [0]
Error: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/authconfig with-mkhomedir --update' returned 2 instead of one of [0] (corrective)

Howdy, I'm looking at this module and trying to figure out the best path forward. Currently this module sets all the required bits for SSSD and it's config, however we need some additional config set in the /etc/pam.d/password-auth file. As this module already runs an exec statement using authselect, would the maintainers also be amicable to supporting running the /usr/bin/authselect apply-changes command

As I am cleaning my puppet code, I came across deprecation warnings, emitted by stdlib, originating from sssd.
/etc/puppetlabs/code/environments/test/modules/sssd/manifests/init.pp line 73 calls 'validate_re', which is depricated: https://github.com/puppetlabs/puppetlabs-stdlib#validate_re

Could be "fixed" using something like:
validate_legacy("Optional[String]", "validate_re", "Value to be validated", ["."])
which would break puppet3 compatibility.

Low priority, imho.

I got the error:
Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Duplicate declaration: Package[libpam-runtime] is already declared at (file: /etc/puppetlabs/code/environments/production/modules/webmin/manifests/install.pp, line: 5); cannot redeclare (file: /etc/puppetlabs/code/environments/production/modules/sssd/manifests/init.pp, line: 127) (file: /etc/puppetlabs/code/environments/production/modules/sssd/manifests/init.pp, line: 127, column: 5) on node foxtrot.theclarkhome.com

Both modules use ensure_packages to try and avoid this problem, and I suspect this error is caused by the modules using different parameter to ensure_packages, in particular the 'require' attribute below.

if $extra_packages {
    ensure_packages($extra_packages,
      {
        ensure  => $extra_packages_ensure,
        require => Package[$sssd_package],
      }
    )
  }

I think that the 'require' is redundant but I wanted to get your view before a I created a pull request to make this change.

please upgrade package dependencies for Puppet 6 support.

this means allowing stdlib 6.x.x

Hi,
the module currently does not support Fedora 28 and 29. Since Fedora 28 authconfig is deprecated and authselect is used.
I can provide some of the support but my knowledge of spec tests is zero.

Hey, any support coming for suse (sles) ??

Hi,

I've found an issue with CentOS 8.
At line 299 of init.pp, you have to use another fact than $::facts['os']['name'] == 'Redhat' to make it work on CentOS 8 :

case $::osfamily {                                                                                     

  'RedHat': {                                                                                          
    if ($::facts['os']['name'] == 'Fedora' and versioncmp($::facts['os']['release']['major'], '28') >= 0) or
    ( $::facts['os']['name'] == 'Redhat' and versioncmp($::facts['os']['release']['major'], '8') >= 0) {

Something like :
( $::facts['os']['family'] == 'Redhat' and versioncmp($::facts['os']['release']['major'], '8') >= 0) {

What do you think ? Should I submit a pull request, or somebody wants to fix it ?

Cheers
Yvan

This module has been stable for awhile, could we have a version 1.0.0 release?

Hi,
The latest version 2.2.1 got fixed on Ubuntu 14.04 and 16.04, but not longer works on my Debian 9 machines:(

I think for Debian family OSes it will be easier just ignore the OS release, as I think sssd is part of all currently supported Debian and Ubuntu releases.

Regards,
Tomasz

The current master support SUSE, and Puppet versions greater than 5, which is needed in my environment.

Please upload the newest build to puppet forge, so I can install.

Thank you. 💃

We currently support EOL platforms including EL 5 and Fedora. Suggest that we leave the metadata in place as well as the hiera data for those platforms, though no longer claim to support them. This should be documented in the README. Tests for those platforms should be removed from the code. The manifests should not fail() on unsupported platforms and instead use warning().

Curious if we can get an update for PE 2021.7 LTS (PE 2023 now available as well) and Puppet 7.

puppetlabs-stdlib dependencies should also be updated.

Assuming this recipe:

class role_base::sss {
  class {'sssd':
    config => {
      'sssd' => {
        'domains'             => 'example.com',
        'services'            => ['nss', 'pam', 'sudo', 'ssh'],
      },
      'domain/axis-flight-training-systems.at' => {
        'access_provider'                => 'ipa',
        'auth_provider'                  => 'ipa',
        'cache_credentials'              => false,
        'case_sensitive'                 => false,
        'krb5_store_password_if_offline' => true,
        'chpass_provider'                => 'ipa',
        'debug_level'                    => '1',
        'default_shell'                  => '/bin/bash',
        'ipa_domain'                     => 'example.com',
        'ipa_hostname'                   => $fqdn,
        'ipa_server'                     => ['_srv_', 'ipa.example.com'],
        'fallback_homedir'               => '/home/%u',
        'id_provider'                    => 'ipa',
        'ldap_tls_cacert'                => '/etc/ipa/ca.crt',
        'sudo_provider'                  => 'ipa',
        'enumerate'                      => 'true',
        'cache_credentials'              => 'true',
      },
      'nss' => {
        'memcache_timeout'  => '600',
        'homedir_substring' => '/Users',
      },
      'pam' => {
        'offline_credentials_expiration' => '90',
      }
    }
  }
}

credential caching is set to true, the configured value is simply ignored.

When module is used on a system without sssd installed, it tries to create config before installing sssd (and failing, as /etc/sssd dir is absent)

Error: /Stage[main]/Sssd::Config/File[sssd.conf]/ensure: change from absent to present failed: Could not set 'present' on ensure: No such file or directory @ dir_s_mkdir

Work-around: create dir /etc/sssd or ensure it's existance in another, earlier used, module.
Fix would be not to create config when package isn't installed or create dir as well.

(tested on 0.3.0 and 2.1.0 version of module)

It would be nice to have travis ci auto deploy new versions to the forge, whenever we create a new tag.
I have seen a few modules around that do this. It seems like travis has some fairly easy setup for this.

Hello,
I want to use the Hiera way with this module, so i created a hiera yaml for my needs. But i am unable to use
the data. When i use include sssd only the default data from the module is used. It would be great if someone can help me!
(I have to use the 1.x branch with Puppet 3.8.7)

stdlib is at the version 6.4.0 and your dependencies require (>= 5.2.0 < 6.0.0).

puppet module install --target-dir /etc/puppetlabs/code/modules/ sgnl05-sssd

Notice: Preparing to install into /etc/puppetlabs/code/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Error: Could not install module 'sgnl05-sssd' (???)
No version of 'sgnl05-sssd' can satisfy all dependencies
Use puppet module install --ignore-dependencies to install only this module

After installing with --ignore-dependencies, your modules seems to work just fine. Please update your dependencies. Thank you.

Why is there no notify or subscribe link between the File resource for sssd.conf and the Service sssd?

When choosing

sssd::config:
  'domain/ad.example.com':
    'access_provider': '**ad**'

How do i define ad_access_filter?

Warning: Defining "data_provider": "hiera" in metadata.json is deprecated. It is ignored since a 'hiera.yaml' with version >= 5 is present
(in /etc/puppetlabs/code/environments/production/modules/sssd/metadata.json)

Removal of the data_provider on line 16 of metadata.json is the only thing that needs to be done

When trying to set a default value for the smart parameter config, there is a warning says that the pre-populated config is invalid (seen below). When it is saved as a string I can save the form, but the puppet agent complains that the parameter 'config' expects a Hash value. From my limited understanding of the hashed key-pairs, these look ok.

Am I missing something?

{
    'sssd'               => {
      'domains'             => $::domain,
      'config_file_version' => 2,
      'services'            => ['nss', 'pam'],
    },
    "domain/${::domain}" => {
      'access_provider'    => 'simple',
      'simple_allow_users' => ['root'],
    },
  }

Hi,
The latest version 2.2.0 works again on Oracle Linux :) but is broken on Ubuntu now:(

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, osfamily Debian's os.release.major is <14.04> and must be 7 or 8 for Debian and 14 or 16 for Ubuntu.

Error: /Stage[main]/Sssd::Config/Exec[authconfig-mkhomedir]: Could not evaluate: Permission denied @ dir_chdir - /home/peter

It's a known issue when home directories won't let root traverse them (execute privileges).
IOW, if the home directory is 755 the sssd module will successfully run but if a home directory has permissions 754 or 750, the (all) users permission will prevent puppet's root user from accessing the folder.
https://tickets.puppetlabs.com/browse/PUP-5915

The released version of this module in Puppet Forge is broken for Oracle Linux 8. It appears it has been fixed in the master branch (#105 and #106). Can we expect a new version in Puppet Forge in the near future?

Is there a kerberos support in the road map? I am looking for a sssd + kerberos only for ubuntu and no ldap

When upgrading from v0.3.0 -> v0.4.0 I encountered a couple odd issues. It looks like sssd.conf received some extra line spacing to separate the sections (which is fine) resulting in a restart of messagebus, sssd and oddjobd (which also seems fine). Unfortunately it resulted in a couple error conditions for RHEL7:

1. ssh logins were suddenly very slow, i.e. >25 seconds to connect. Sudo commands were equally slow.
2. NetworkManager started spewing errors
   • could not create org.freedesktop.DBus proxy
   • GLib-GIO-CRITICAL **: Error while sending AddMatch() message

I was able to resolve both issues with systemctl restart systemd-logind NetworkManager. I was able to reproduce the issue manually with systemctl restart messagebus sssd oddjobd so this may be a system related bug/error. I'm not sure if there is even anything we could do from a puppet module perspective to deal with this condition, but I thought you should be aware.

We use another module that installs the package but does minimal configuration. Since there is no option to skip package installation, we are getting duplicate resource errors. (Using ensure_packages would solve it without major changes.)

I'm afraid I no longer have the time to manage this project. There's also an issue with the Travis-CI integration which I just don't have the knowledge to fix.

If anyone would like to take it over please let me know. Maybe this project could/should be transferred to Vox Pupuli?

Hi,

please update the dependency for above from:
"dependencies": [ {"name":"puppetlabs/stdlib","version_requirement":">= 5.2.0 < 6.0.0"} ]
to
"dependencies": [ {"name":"puppetlabs/stdlib","version_requirement":">= 5.2.0 < 7.0.0"} ]

Thanks
Kristian

@edestecd @sgnl05 I'm interested in your code but can't use it because there are no licensing terms. Could you add a license? Suggest GPLv3 or Apache v2.

Target OS: RHEL6

==> wls: Debug: Executing: '/bin/rpm -q sssd --nosignature --nodigest --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}\n''
==> wls: Debug: Executing: '/usr/bin/yum -d 0 -e 0 -y list sssd'
==> wls: Debug: Packagesssd: Ensuring => present
==> wls: Debug: Executing: '/usr/bin/yum -d 0 -e 0 -y install sssd'
==> wls: Notice: /Stage[main]/Sssd::Install/Package[sssd]/ensure: created
==> wls: Debug: /Stage[main]/Sssd::Install/Package[sssd]: The container Class[Sssd::Install] will propagate my refresh event
==> wls: Debug: Class[Sssd::Install]: The container Stage[main] will propagate my refresh event
==> wls: Debug: Executing: '/sbin/service messagebus status'
==> wls: Debug: Executing: '/sbin/chkconfig messagebus'
==> wls: Debug: Executing: '/sbin/service messagebus start'
==> wls: Error: Could not start Service[messagebus]: Execution of '/sbin/service messagebus start' returned 1: messagebus: unrecognized service

The service messagebus becomes available after installation of the dbus package.

The module always tries to install the package sssd-32bit on Suse systems. But the package only exists on 64-bit systems, not on 32-bit systems. Leads to this error:

change from absent to present failed: Execution of '/usr/bin/zypper --quiet install --auto-agree-with-licenses --no-confirm --name sssd-32bit' returned 104: Package 'sssd-32bit' not found

Line 95 of init.pp is in error. It says "Amazon" when it should say "RedHat" .

As a consequence, Amazon would never work, and RedHat allows version 5 through when it should not.

It would be nice though if the product worked with RedHat 8 as well.

Hi,
We are using this module together with ghoneycutt/pam and it works fine, but it keeps constantly changing the common-*-pc files. It's annoying cause happens on every puppet agent run. It always applies the same changes.

Looks like it's just after:

Notice: /Stage[main]/Sssd/Exec[pam-config -a --sss]/returns: executed successfully
Notice: /Stage[main]/Pam/File[pam_common_auth_pc]/content:

I will have a look tomorrow at the code and see if I can help troubleshooting.
Best regards,

Currently, this module only supports stdlib < 7.0.0 which is pretty old now. Support should be added for the highest possible version of stdlib