Bug 1329508
Summary: | "authconfig --passalgo=sha512 --update" command modifies nsswitch.conf file | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | shridhar <sgadekar> |
Component: | authconfig | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED ERRATA | QA Contact: | Dalibor Pospíšil <dapospis> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.3 | CC: | pkis, sgadekar |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | authconfig-6.2.8-11.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-11-04 06:47:39 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
shridhar
2016-04-22 06:43:16 UTC
System-auth and password-auth must be updated when --passalgo is set, so that is not a bug. Please attach /etc/nsswitch.conf and /etc/sysconfig/authconfig files before and after the 'authconfig --passalgo=sha512 --update' call. Hello, I'm attaching the files as well. Following are results of testing. [root@rhel7-ipa-2 ~]# egrep -v '#' /etc/nsswitch.conf|awk NF passwd: files sss vas4 shadow: files sss vas4 group: files sss vas4 hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: files sss publickey: nisplus automount: files sss aliases: files nisplus sudoers: files sss vas4 [root@rhel7-ipa-2 ~]# cat /etc/sysconfig/authconfig IPADOMAINJOINED=no USEMKHOMEDIR=no USEPAMACCESS=no CACHECREDENTIALS=yes USESSSDAUTH=yes USESHADOW=yes USEWINBIND=no PASSWDALGORITHM=sha256 FORCELEGACY=no USEFPRINTD=no USEHESIOD=no FORCESMARTCARD=no USEDB=no USELDAPAUTH=no IPAV2NONTP=no WINBINDKRB5=no USELOCAUTHORIZE=yes USEECRYPTFS=no USEIPAV2=no USEWINBINDAUTH=no USESMARTCARD=no USELDAP=no USENIS=no USEKERBEROS=no USESYSNETAUTH=no USESSSD=yes USEPWQUALITY=yes USEPASSWDQC=no After: [root@rhel7-ipa-2 ~]# egrep -v '#' /etc/nsswitch.conf|awk NF passwd: files sss shadow: files sss group: files sss hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files sss netgroup: files sss publickey: nisplus automount: files sss aliases: files nisplus sudoers: files sss vas4 [root@rhel7-ipa-2 ~]# cat /etc/sysconfig/authconfig IPADOMAINJOINED=no USEMKHOMEDIR=no USEPAMACCESS=no CACHECREDENTIALS=yes USESSSDAUTH=yes USESHADOW=yes USEWINBIND=no USESSSD=yes USEDB=no FORCELEGACY=no USEFPRINTD=no FORCESMARTCARD=no USELDAPAUTH=no USEPASSWDQC=no IPAV2NONTP=no WINBINDKRB5=no USELDAP=no USEECRYPTFS=no USEIPAV2=no USEWINBINDAUTH=no USESMARTCARD=no USELOCAUTHORIZE=yes USENIS=no USEKERBEROS=no USESYSNETAUTH=no PASSWDALGORITHM=sha512 USEPWQUALITY=yes USEHESIOD=no OK, I can reproduce the problem with these settings - particularly the USESSSD=yes causes the issue. If the authconfig sets up the SSSD in the 'managed' mode - i.e. USEKERBEROS and USELDAP is set to yes and USESSSD is set to no, then this problem does not happen. However if the SSSD is not managed by authconfig and thus USESSSD is set to yes, the file will get overwritten. I can try to work on patch but I cannot guarantee it will get into RHEL-7.3 as this area of the authconfig code is very brittle and I do not want to cause a regression for other customers. I am setting tentatively a devel_ack. Just note that the fix for this bug will make authconfig to not touch nsswitch.conf if it thinks it does not need update. For example if I remove sss from some of the nsswitch.conf entries but not from the 'passwd:' entry and I issue authconfig --enablesssd --update, it will not update nsswitch.conf. The reader for the nsswitch.conf in authconfig is simple and cannot recognize all the various configurations or misconfigurations that someone can invent. In general if there is known-inconsistent state of the authentication and identity configuration and it is needed to make it consistent, it is better to call authconfig --updateall. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2462.html |