Bug 1001021

Summary:	document when authconfig does not create sssd.conf in the manual page
Product:	[Fedora] Fedora	Reporter:	Bogdan Costescu <bcostescu>
Component:	authconfig	Assignee:	Tomas Mraz <tmraz>
Status:	CLOSED EOL	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	19	CC:	tmraz
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2015-02-18 11:25:00 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Bogdan Costescu 2013-08-26 10:39:25 UTC

In a fresh install of F19 using a kickstart file, authconfig does not create /etc/sssd/sssd.conf. The kickstart file contains the line:

authconfig --enableshadow --passalgo=sha512 --enablefingerprint --enableldap --ldapserver=server.example.com --ldapbasedn=o=example.com,c=de --enablekrb5 --krb5kdc=server.example.com --krb5adminserver=server.example.com --krb5realm=example.com --enablekrb5realmdns --enablesssd --enablesssdauth

(where example.com and server.example.com replace actual names). Furthermore, running the same command line after the install with an added "--update" or "--updateall" still doesn't create the file - which led me to file this as an authconfig bug.

This same authconfig kickstart/command line have worked in similar conditions in F17 and before.

Downgrading authconfig package (6.2.6-3.fc19.1) on the F19 install to the initial F18 version (6.2.5-1.fc18.2) doesn't change this behaviour. However downgrading it to initial F17 version (6.2.1-1.fc17) recovers the expected functionality.

The man page of authconfig (from 6.2.6-3.fc19.1) says:

When the configuration settings allow use of SSSD for user information services and authentication, SSSD will be automatically used instead of the legacy services and the SSSD configuration will be set up so there is a default domain populated with the settings required to connect the services.

which is what F17 and before did. The next phrases are however confusing:

The --enablesssd and --enablesssdauth options force adding SSSD to /etc/nsswitch.conf and /etc/pam.d/system-auth, but they do not set up the domain in the SSSD configuration files. The SSSD configuration has to be set up manually.

contradicts the previous phrase. Anyway, they only talk about the domain setting in SSSD config file, and not about (not) creating the SSSD config file. So I'm quite puzzled now as to what the "blessed" behaviour.

Comment 1 Tomas Mraz 2013-08-26 11:20:59 UTC

You need to use the --update option and simply do not use the --enablesssd --enablesssdauth options as these block setting up the sssd.conf file.

The sssd will be implicitly enabled with --enableldap --enablekrb5.

Comment 2 Bogdan Costescu 2013-08-26 13:53:30 UTC

Dropping --enablesssd --enablesssdauth from the above kickstart/command line still doesn't make authconfig generate the sssd.conf file. I forgot to say that I have already tried this both in the kickstart file and on the command line... so I've changed the status back to 'assigned'.

It would be good anyway to mention in the man page that --enablesssd and/or --enablesssdauth block setting up the sssd.conf file.

Comment 3 Tomas Mraz 2013-08-26 14:01:22 UTC

Ah, I did not notice the --enablekrb5realmdns this is actually what prevents authconfig to enable the implicit SSSD support.

I agree that this should be documented.

Comment 4 Bogdan Costescu 2013-08-26 15:29:47 UTC

Hmmmm, dropping --enablekrb5realmdns (tried only command line, not from kickstart file) still doesn't make authconfig generate sssd.conf.

I looked in the source and found the cause, though I don't fully understand the logic. In /usr/share/authconfig/authinfo.py, at line 3242:

                if not self.sssdDomain:
                        if not self.implicitSSSD:
                                # do not create a domain that would be incomplete anyway
                                return True

is triggered and the rest of the method is not executed. If I comment out 'if not self.implicitSSSD: return True', the sssd.conf is successfully generated and the authentication works.

So what makes implicitSSSD be false there and is this test necessary ?

Comment 5 Tomas Mraz 2013-08-26 21:01:42 UTC

If you used --enablekrb5realmdns before, you need to use --disablekrb5realmdns to disable it.

Then self.implicitSSSD will be set and it will work fine.

Comment 6 Bogdan Costescu 2013-08-27 10:24:39 UTC

Indeed, it seems --disablekrb5realmdns is actually necessary, just dropping --enablekrb5realmdns is not enough. With --disablekrb5realmdns, the sssd.conf file is created.

There is no mention of --[enable|disable]krb5realmdns in the man page of authconfig. From the help description I cannot see the link between creation of the sssd.conf file and the use of DNS to find Kerberos realms. Could you please explain the intention ? And why did the behaviour change with respect to at least F17 ? And maybe better still, document this option...

This bug can be closed.

Comment 7 Tomas Mraz 2013-08-27 11:08:35 UTC

The --disablekrb5realmdns would not be needed in kickstart as the default is disabled. You just must not use --enablekrb5realmdns.

I'll keep the bug open for the manual page improvements.

Comment 8 Fedora End Of Life 2015-01-09 22:16:17 UTC

This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 9 Fedora End Of Life 2015-02-18 11:25:00 UTC

Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.