Bug 1392540

Summary: glibc: default nsswitch.conf does not list sss for the automount service
Product: Red Hat Enterprise Linux 7 Reporter: Eugene Keck <ekeck>
Component: glibcAssignee: Florian Weimer <fweimer>
Status: CLOSED ERRATA QA Contact: Sergey Kolosov <skolosov>
Severity: high Docs Contact:
Priority: high    
Version: 7.3CC: ashankar, cobrown, cww, fweimer, ggatward, mcermak, mnewsome, pfrankli, pvoborni, rcritten, skolosov, tmraz, vmishra
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: glibc-2.17-166.el7 Doc Type: Bug Fix
Doc Text:
Cause: The sss service provider was not present for the automount database in /etc/nsswitch.conf. Consequence: Newly provisioned Red Hat Enterprise Linux 7 systems in an IPA environment do not have functioning autofs support. Fix: Add the sss service provider to the automount database in /etc/nsswitch.conf. Result: autofs in newly provisioned systems works.
Story Points: ---
Clone Of:
: 1581807 1581809 (view as bug list) Environment:
Last Closed: 2017-08-01 18:09:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1298243, 1390370, 1581807    

Description Eugene Keck 2016-11-07 17:29:58 UTC
Description of problem:
Newly provisioned RHEL 7.3 systems in IPA environment do not have functioning autofs due to the 'sss' option not being added to the automount entry of nsswitch.conf.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ipa-client-automount

Actual results:
automount:  files 

Expected results:
automount:  files sss

Additional info:

Comment 1 Petr Vobornik 2016-11-10 11:00:20 UTC
ipa-client-automount doesn't configure nsswitch with sssd, this should happen earlier in ipa-client-install

This is RHEL 7.3 with IPA 4.4 in lab:
  # cat /etc/nsswitch.conf | grep automount
  automount:  files nisplus
  # cat /var/log/ipaclient-install.log | grep authconfig
  2016-07-11T14:55:35Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
  2016-07-11T14:55:37Z DEBUG args=/usr/sbin/authconfig --update --nisdomain test1.abc.idm.lab.eng.brq.redhat.com

And this Fedora F24 with FreeIPA master (almost the same as 4.4):
  # cat /etc/nsswitch.conf  | grep automount
  automount:  files sss
  # cat /var/log/ipaclient-install.log | grep authconfig
  2016-10-27T12:45:34Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
  2016-10-27T12:45:35Z DEBUG args=/usr/sbin/authconfig --update --nisdomain test2.example.test

Both were IPA servers installed with the same options. The fact that it is not pure client but IPA server should not matter given that both runs ipa-client-install. Question is why the automount parts of nsswitch.conf differ?

But, as written elsewhere, running following commands on RHEL machine fixes the issue:
  # authconfig --disablesssd --update 
  # authconfig --enablesssd --update
  # cat /etc/nsswitch.conf | grep automount
  automount:  files sss

Tomas, any ideas why it happens? I can provide installed machine if needed.

Comment 2 Tomas Mraz 2016-11-10 12:01:48 UTC
The authconfig currently does not modify nsswitch.conf if it sss is present on the passwd: line.

I think this should be solved in the default nsswitch.conf in glibc. As it contains sss already for other databases, it should contain it for automount as well.

Comment 3 Tomas Mraz 2016-11-10 12:02:51 UTC
The workaround for already installed machines is to run 'authconfig --updateall'.

Comment 4 Florian Weimer 2016-11-17 11:17:17 UTC
Should we move /etc/nsswitch.conf to its own package so that we can change it with less QE effort?

Any other changes we should fold into the same change?

Comment 15 errata-xmlrpc 2017-08-01 18:09:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.