Bug 1324207

Summary: "authconfig --smbsecurity=user --updateall" doesn't update smb.conf
Product: Red Hat Enterprise Linux 6
Component: authconfig
Version: 6.7
Status: CLOSED WONTFIX
Severity: low
Priority: low
Reporter: Brian Schonecker <bschonec>
Assignee: Tomas Mraz <tmraz>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: bschonec, pkis
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of:
: 1339636
Last Closed: 2016-06-15 09:28:50 UTC
Type: Bug

Description Brian Schonecker 2016-04-05 19:53:49 UTC
Description of problem:

The "--updateall" parameter of authconfig doesn't update /etc/samba/smb.conf file but "--update" *does* update smb.conf.

Version-Release number of selected component (if applicable):

Name        : authconfig                   Relocations: (not relocatable)
Version     : 6.1.12                            Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Wed 25 Feb 2015 04:35:09 AM EST


How reproducible:

Check the value of "security = " in /etc/samba/smb.conf:

[root@example bschonec]# grep security /etc/samba/smb.conf | egrep -v '^;|^#'
   security = user
[root@example bschonec]# 

# The current value is "user" (value doesn't matter in this context, we just need to note the value).
# Change the value:

[root@example bschonec]# authconfig --smbsecurity=ads  --update
Starting nslcd: [  OK  ]
[root@example bschonec]# grep security /etc/samba/smb.conf | egrep -v '^;|^#'
   security = ads

# You can see that security has been updated to 'ads'.
# Now set it back to 'user' just to show that '--update' is working.

[root@example bschonec]# authconfig --smbsecurity=user  --update
Starting nslcd: [  OK  ]
[root@example bschonec]# grep security /etc/samba/smb.conf | egrep -v '^;|^#'
   security = user

# You can see that security has been updated to 'user'.
# Now use the '--updateall'

[root@example bschonec]# authconfig --smbsecurity=ads  --updateall
Starting oddjobd: [  OK  ]
^[[AStarting nslcd: [  OK  ]
[root@example bschonec]# grep security /etc/samba/smb.conf | egrep -v '^;|^#'
   security = user

# You can see that security was NOT updated with the '--updateall'.
# Authconfig didn't change smb.conf at all.


Actual results:

security = <value> not updated.  smb.conf file not modified with '--updateall' option.

Expected results:

security = <value> should be updated in smb.conf when invoking '--updateall' parameter of authconfig.

Additional info:

It makes sense to me that you SHOULD be able to change the values of the parameters even if you don't intend to use those parameters.  Case in point:  I use Puppet to manage the authconfig settings on my servers. I don't use SMB or SSSD but I do need to set them to a known value so that my servers pass audits (PCI, HIPAA, etc.).  It would make sense that you can't/shouldn't change values if you don't intend to use SSSD/Winbind but enabling something (in my case, something that will break authorization completely) and then disabling it right away just to set the values seems counterintuitive -- especially since --update works and --updateall doesn't.

Yes, I could use '--update' in my puppet module but that would break backwards compatibility for everyone in the Puppet community that uses the modules (https://github.com/bschonec/puppet-authconfig.git).
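
A stricter form of the grep check used in the reproduction steps, added here as an example and not part of the original report or of authconfig: it reads only the [global] section, so indented comments and share-level parameters such as "security mask" cannot be mistaken for the setting, and it returns non-zero when the file does not hold the requested value. The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash

# smb_global_param FILE PARAM: print the effective value of PARAM in [global].
smb_global_param() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]+/, "", want) }
        /^[ \t]*[;#]/ { next }                  # comment, even when indented
        /^[ \t]*\[/ {                           # section header
            s = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", s); sub(/[ \t]*\].*$/, "", s)
            in_global = (s == "global"); next
        }
        in_global && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]+/, "", key)             # names ignore case and whitespace
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == want) found = val        # a later assignment overrides an earlier one
        }
        END { if (found != "") print found }
    ' "$1"
}

# check_smb_security FILE EXPECTED: return 0 on match, 1 on drift.
check_smb_security() {
    local actual
    actual=$(smb_global_param "$1" security | tr 'A-Z' 'a-z')
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ] && return 0
    echo "smb.conf drift: wanted security=$2, found '${actual:-unset}'" >&2
    return 1
}

# Constructed sample file (not taken from the bug report).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   ; security = ads
   security = user
[share]
   security mask = 0770
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_smb_security "$sample" user && echo "security=user confirmed"
check_smb_security "$sample" ads 2>/dev/null || echo "requested value ads is not in smb.conf"
rm -f "$sample"
```

Run against /etc/samba/smb.conf after an authconfig call, the non-zero exit status lets a configuration-management run fail instead of silently reporting success.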

Comment 1 Brian Schonecker 2016-04-05 20:01:19 UTC
Edit:  It would make sense that you CAN/SHOULD be able to change values....

Comment 3 Tomas Mraz 2016-04-06 07:27:51 UTC
Can you please report the issue via the regular support channels so it can be prioritized properly?

http://www.redhat.com/support

Comment 4 Tomas Mraz 2016-06-15 09:28:50 UTC
Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its lifetime and this bug doesn't meet the criteria for it, i.e. only high severity issues will be fixed. Please see https://access.redhat.com/support/policy/updates/errata/ for further information.