Bug 1745619
Summary: | [RFE] Add the LDAP and Kerberos PAM Modules to RHVH | | |
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Yaniv Liberman <yliberma> |
Component: | redhat-virtualization-host | Assignee: | Nir Levy <nlevy> |
Status: | CLOSED ERRATA | QA Contact: | shiyi lei <shlei> |
Severity: | medium | Docs Contact: | |
Priority: | low | | |
Version: | 4.3.0 | CC: | asrodrig, cshao, dprezhev, lsvaty, mavital, mtessun, nlevy, peyu, qiyuan, sbonazzo, weiwang, yaniwang, yturgema |
Target Milestone: | ovirt-4.4.1 | Keywords: | FutureFeature |
Target Release: | 4.4.1 | Flags: | nlevy: needinfo?, weiwang: testing_plan_complete+ |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | sssd-2.2.3-20.el8 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-08-04 16:22:04 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | Node | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Yaniv Liberman
2019-08-26 14:01:45 UTC
Let's put the packages in the optional channel.

Optional repository/channel is fine with me. Note that this is a RHVH - and as such an appliance. All additional packages/services should not be added/configured by default.

I'm okay with these packages being in the optional repository, but we're registering our hosts to the RHV CDN repositories. My question is, are the optional ones included there by default or would we have to enable them (before installing the packages via yum)? Just verifying.

In el8 we have nss-pam-ldapd but pam_krb5 is not available anymore, being obsoleted by SSSD. For reference: https://docs.pagure.org/SSSD.sssd/users/pam_krb5_migration.html

sssd-krb5-common is included in the RHV-H 4.4 image, so no need to add it to the optional channel.

Discussed this with nss-pam-ldapd and it sorted out that sssd should be used instead. I see that sssd-ldap is not included in the RHV-H image, so it may make more sense to have it in the RHV-H image instead of shipping it in the optional channel.

Yaniv, can you check with 4.4 images if you're able to log in using the SSSD stack included in RHV-H?

Hey Sandro,

Sorry for the late response. Didn't manage to get around to this. So you're saying that in 4.4 it'd work - where both krb5, provided by SSSD, and the ldapd modules are included in the base image? Or is only the krb5 one included and ldapd would have to be manually installed from a, presumably, available repo? RHV-TLV is 4.3.8 so I'll have to spin a new env up next week to test it. Any specific 4.4 image/version I should use? Also, what about 4.3 builds, is there no reason to put it there as well?

Update: So I installed 4.4 (RHVH-4.4-20200507.1) on [1], configured SSSD and LDAP according to [2] and it didn't work.

Default installed SSSD and LDAP packages:

- sssd-krb5-common-2.2.3-20.el8.x86_64
- sssd-kcm-2.2.3-20.el8.x86_64
- python3-sssdconfig-2.2.3-20.el8.noarch
- sssd-common-pac-2.2.3-20.el8.x86_64
- *sssd-common-2.2.3-20.el8.x86_64*
- sssd-tools-2.2.3-20.el8.x86_64
- *sssd-ipa-2.2.3-20.el8.x86_64*
- sssd-client-2.2.3-20.el8.x86_64
- *openldap-2.4.46-11.el8.x86_64*
- python3-ldap-3.1.0-5.el8.x86_64

openssl and oddjob are, I believe, essentially optional for this (even though the guide says they're necessary like the other packages), but variants of those tools are available by default as well:

- *oddjob-mkhomedir-0.34.4-7.el8.x86_64*
- oddjob-0.34.4-7.el8.x86_64
- *openssl-1.1.1c-15.el8.x86_64*
- openssl-libs-1.1.1c-15.el8.x86_64

The only thing that's missing is the sssd-ldap package. [3] is the LDAP server I configured [1] to authenticate against and I tried it (SSH with my user/querying LDAP entries), but to no avail. I might've missed something though, so let me know if you think I misconfigured it or something (I can grant you SSH access to the test server, if need be).

[1] dell-pe840-02.dell2.lab.eng.bos.redhat.com
[2] https://access.redhat.com/solutions/4356441
[3] ldap.corp.redhat.com

Test version: rhvh-4.4.1.1-0.20200705.0

I test using stage account. There is still no "sssd-ldap" in the channel. So move to assigned.

sssd-2.2.3-20.el8 is attached to RHEA-2019:45754, trying to figure out what's wrong with RCM.

QE will verify this bug after it is pushed to stage.

The package "sssd" exists in the rhvh-4-for-rhel-8-x86_64-rpms repo now. Bug is fixed, move it to "VERIFIED".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHV Host (redhat-virtualization-host) 4.4), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:3316

Can that ticket be closed, please?