Bug 1537246

Summary: Make authselect default tool instead of authconfig
Product: [Fedora] Fedora Reporter: Jan Kurik <jkurik>
Component: Changes TrackingAssignee: Pavel Březina <pbrezina>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: awilliam, cglombek, pbrezina
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: ChangeAcceptedF28,SystemWideChange
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-02 12:04:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1560046    
Bug Blocks:    

Description Jan Kurik 2018-01-22 19:04:06 UTC 
This is a tracking bug for Change: Make authselect default tool instead of authconfig
For more details, see: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault

Replace authconfig with authselect and make authselect a default tool to configure PAM and nsswitch.conf. A compatibility tool will help with transition period from authconfig to authselect.
Authselect is a tool to select system authentication and identity sources from a list of supported profiles and it is available to users since Fedora 27. Authselect is designed to be a replacement for authconfig but it takes a different approach to configure the system. Instead of letting the administrator build the pam stack with a tool (which may potentially end up with a broken configuration), it ships several tested stacks (profiles) that solve primary supported use cases and are well tested and supported. At the same time, some obsolete features of authconfig are not supported by authselect. Additionally, authselect is written in C and has a small footprint which allows it to be also part of minimal installations.
Comment 1 Jan Kurik 2018-02-20 14:10:01 UTC 
On 2018-Feb-20, we have reached the Fedora 28 Change Checkpoint: Completion deadline (testable).

At this point, all accepted changes should be substantially complete, and testable. Additionally, if a change is to be enabled by default, it must be enabled at Change Completion deadline as well.

Change tracking bug should be set to the MODIFIED state to indicate it achieved completeness.

Incomplete and non testable Changes will be reported to FESCo for 2018-Feb-23 meeting.
Comment 2 Fedora End Of Life 2018-02-20 15:38:47 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.
Comment 3 Pavel Březina 2018-02-21 09:15:45 UTC 
Authselect 0.3 was release in F28 yesterday. It fixed all the issues reported by community.

Fprintd and realmd no longer depends on authconfig but uses authselect.
Anaconda has patches ready but needs to push them to dist git.
IPA is still under development but it can work through authselect-compat which provides minimum backwards compatibility with authconfig.
Comment 4 Jan Kurik 2018-03-06 08:57:36 UTC 
On 2018-Mar-08 we reached the "Change Checkpoint: 100% Code Complete Deadline" milestone for Fedora 28 release. At this point all the Changes not at least in "ON_QA" state should be brought to FESCo for review. Please update the state of this bug to "ON_QA" if it is already 100% completed. Please let me know in case you have any trouble with the implementation and the Change needs any help or review.

Thanks, Jan
Comment 5 Pavel Březina 2018-03-16 09:27:14 UTC 
I'm sorry for late answer, I thought I already switched it to ON_QA.

Authselect is ready. Fprintd, realmd and anaconda dependencies were changed. IPA changes are still under development, but it will work without the changes through authselect-compat.