Back to bug 1369118
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Jakub Hrozek | 2016-08-22 14:41:16 UTC | Summary | ipa-client-install add [domain/shadowutils] in sssd.conf file | Don't enable the default shadowtils domain in RHEL |
| Namita Soman | 2016-08-23 14:13:41 UTC | Keywords | Regression | |
| CC | nsoman | |||
| Aneta Šteflová Petrová | 2016-08-26 06:46:08 UTC | Docs Contact | apetrova | |
| Doc Type | If docs needed, set a value | Known Issue | ||
| Jakub Hrozek | 2016-09-05 10:17:39 UTC | CC | sumenon | |
| Flags | needinfo?(sumenon) | |||
| Sudhir Menon | 2016-09-06 10:48:06 UTC | Flags | needinfo?(sumenon) | |
| Aneta Šteflová Petrová | 2016-09-07 11:27:35 UTC | Flags | needinfo?(jhrozek) | |
| Jakub Hrozek | 2016-09-07 14:46:57 UTC | Doc Text | Cause: SSSD upstream project added the capability of auto-configuring a domain that proxies all requests to /etc/passwd and /etc/groups. This was done in order to make SSSD installed and enabled right after boot, even if the system is not joined to any domain. Consequence: The SELinux rules for this integration prevent the automatic copying of the configuration file from working. Moreover, this feature doesn't integrate well with tools like realmd or ipa-client-install and might confuse administrators. Workaround (if any): edit /etc/sssd/sssd.conf and remove the "shadowutils" domain from the "domains" keyword. Additionaly, the [domain/shadowutils] section can be removed as well. Result: This functionality will be reverted soon. | |
| Flags | needinfo?(jhrozek) | |||
| Libor Miksik | 2016-09-07 15:35:14 UTC | CC | lmiksik | |
| Jakub Hrozek | 2016-09-07 16:19:28 UTC | Status | NEW | MODIFIED |
| Fixed In Version | sssd-1.14.0-36.el7 | |||
| errata-xmlrpc | 2016-09-07 16:24:42 UTC | Status | MODIFIED | ON_QA |
| Marc Muehlfeld | 2016-09-08 08:31:52 UTC | CC | mmuehlfe | |
| Docs Contact | apetrova | mmuehlfe | ||
| Lukas Slebodnik | 2016-09-09 09:35:52 UTC | Flags | needinfo?(sumenon) | |
| Marc Muehlfeld | 2016-09-09 12:26:13 UTC | Doc Text | Cause: SSSD upstream project added the capability of auto-configuring a domain that proxies all requests to /etc/passwd and /etc/groups. This was done in order to make SSSD installed and enabled right after boot, even if the system is not joined to any domain. Consequence: The SELinux rules for this integration prevent the automatic copying of the configuration file from working. Moreover, this feature doesn't integrate well with tools like realmd or ipa-client-install and might confuse administrators. Workaround (if any): edit /etc/sssd/sssd.conf and remove the "shadowutils" domain from the "domains" keyword. Additionaly, the [domain/shadowutils] section can be removed as well. Result: This functionality will be reverted soon. | SSSD default configuration fails to integrate with other services The System Security Services Daemon's (SSSD) `/usr/lib64/sssd/conf/sssd.conf` default configuration file uses a auto-configured domain to proxy all requests to the "/etc/passwd" and "/etc/groups" files. On systems having SELinux disabled or running in *permissive* mode, SSSD copies the default configuration to `/etc/sssd/sssd.conf` if this file does not exist when the daemon is being started. However, the proxy configuration fails to integrate with tools like "realmd" or "ipa-client-install". To work around this problem, modify the `/etc/sssd/sssd.conf` file and remove: * "shadowutils" from the "domains" parameter * the "[domain/shadowutils]" section As a result, tools using SSSD work correctly. |
| Sudhir Menon | 2016-09-14 13:34:40 UTC | Flags | needinfo?(sumenon) | |
| Sudhir Menon | 2016-09-14 14:02:04 UTC | Status | ON_QA | VERIFIED |
| Marc Muehlfeld | 2016-09-30 12:41:04 UTC | Flags | needinfo?(jhrozek) | |
| Jakub Hrozek | 2016-09-30 13:53:30 UTC | Flags | needinfo?(jhrozek) | |
| Marc Muehlfeld | 2016-10-17 09:22:13 UTC | Doc Text | SSSD default configuration fails to integrate with other services The System Security Services Daemon's (SSSD) `/usr/lib64/sssd/conf/sssd.conf` default configuration file uses a auto-configured domain to proxy all requests to the "/etc/passwd" and "/etc/groups" files. On systems having SELinux disabled or running in *permissive* mode, SSSD copies the default configuration to `/etc/sssd/sssd.conf` if this file does not exist when the daemon is being started. However, the proxy configuration fails to integrate with tools like "realmd" or "ipa-client-install". To work around this problem, modify the `/etc/sssd/sssd.conf` file and remove: * "shadowutils" from the "domains" parameter * the "[domain/shadowutils]" section As a result, tools using SSSD work correctly. | The proxy configuration has been removed from the SSSD default configuration file Previously, the System Security Services Daemon's (SSSD) `/usr/lib64/sssd/conf/sssd.conf` default configuration file used an auto-configured domain to proxy all requests to the "/etc/passwd" and "/etc/groups" files. This proxy configuration failed to integrate with other utilities like "realmd" or "ipa-client-install". To fix the incompatibilities, the *[domain/shadowutils]* proxy configuration has been removed and SSSD now works correctly. |
| Doc Type | Known Issue | Bug Fix | ||
| errata-xmlrpc | 2016-11-02 14:25:28 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2016-11-04 07:20:46 UTC | Status | RELEASE_PENDING | CLOSED |
| Resolution | --- | ERRATA | ||
| Last Closed | 2016-11-04 03:20:46 UTC |
Back to bug 1369118