Bug 1934124

Summary: F34: regressed from authselect to unavailable authconfig, joining AD domain fails: Couldn't join realm: Enabling SSSD in nsswitch.conf and PAM failed.
Product: Fedora
Component: realmd
Version: 34
Status: CLOSED ERRATA
Reporter: Martin Pitt <mpitt>
Assignee: Sumit Bose <sbose>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: awilliam, jhrozek, robatino, sbose, stefw
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: ---
Keywords: Regression, Reopened
Whiteboard: AcceptedBlocker
Fixed In Version: realmd-0.17.0-3.fc35 realmd-0.17.0-3.eln110 realmd-0.17.0-3.fc34
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-03-18 20:38:42 UTC
Bug Blocks: 1829022

Description Martin Pitt 2021-03-02 14:52:49 UTC
Description of problem:

Joining an AD domain with realmd in Fedora 34 fails. I have a test AD domain (served by a samba container, but that's not really relevant):

# realm discover
cockpit.lan
  type: kerberos
  realm-name: COCKPIT.LAN
  domain-name: cockpit.lan
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

Joining it directly with adcli works:

  adcli join --verbose --domain cockpit.lan --domain-realm COCKPIT.LAN --domain-controller 10.111.112.100 --login-type user --login-user Administrator

But joining it with realmd now fails:

# realm join -vU Administrator cockpit.lan    # works without an /etc/realmd.conf
 * Resolving: _ldap._tcp.cockpit.lan
 * Performing LDAP DSE lookup on: 10.111.112.100
 * Successfully discovered: cockpit.lan
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain cockpit.lan --domain-realm COCKPIT.LAN --domain-controller 10.111.112.100 --login-type user --login-user Administrator --stdin-password
 * Using domain name: cockpit.lan
 * Calculated computer account name from fqdn: X0
 * Using domain realm: cockpit.lan
 * Sending NetLogon ping to domain controller: 10.111.112.100
 * Received NetLogon info from: f0.cockpit.lan
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-MU4p5T/krb5.d/adcli-krb5-conf-S7ouTu
 * Authenticated as user: Administrator
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: COCKPIT
 * Looked up domain SID: S-1-5-21-2893514108-2920310561-1624625319
 * Using fully qualified name: x0.cockpit.lan
 * Using domain name: cockpit.lan
 * Using computer account name: X0
 * Using domain realm: cockpit.lan
 * Calculated computer account name from fqdn: X0
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * A computer account for X0$ does not exist
 * Found well known computer container at: CN=Computers,DC=cockpit,DC=lan
 * Calculated computer account: CN=X0,CN=Computers,DC=cockpit,DC=lan
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=X0,CN=Computers,DC=cockpit,DC=lan
 * Sending NetLogon ping to domain controller: 10.111.112.100
 * Received NetLogon info from: f0.cockpit.lan
 * Set computer password
 * Retrieved kvno '1' for computer account in directory: CN=X0,CN=Computers,DC=cockpit,DC=lan
 * Checking host/X0
 *    Added host/X0
 * Checking host/x0.cockpit.lan
 *    Added host/x0.cockpit.lan
 * Checking RestrictedKrbHost/X0
 *    Added RestrictedKrbHost/X0
 * Checking RestrictedKrbHost/x0.cockpit.lan
 *    Added RestrictedKrbHost/x0.cockpit.lan
 * Discovered which keytab salt to use
 * Added the entries to the keytab: X0$@COCKPIT.LAN: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/X0: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/x0.cockpit.lan: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/X0: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/x0.cockpit.lan: FILE:/etc/krb5.keytab
 ! Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
/usr/bin/sh: line 1: /usr/sbin/authconfig: No such file or directory
 ! Enabling SSSD in nsswitch.conf and PAM failed.
realm: Couldn't join realm: Enabling SSSD in nsswitch.conf and PAM failed.


Indeed there is no authconfig, it was replaced with authselect years ago (https://fedoraproject.org/wiki/Changes/Authselect).


In Fedora 33 with realmd-0.16.3-25.fc33.x86_64 it uses authselect as intended:

# rpm -ql realmd|xargs grep authselect
/usr/lib/realmd/realmd-distro.conf:winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
/usr/lib/realmd/realmd-distro.conf:sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir


But in Fedora 34 with realmd-0.17.0-2.fc34.x86_64 it reverted to authconfig:

# rpm -ql realmd|xargs grep authselect
/usr/lib/realmd/realmd-distro.conf:winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
/usr/lib/realmd/realmd-distro.conf:sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart


Version-Release number of selected component (if applicable):

realmd-0.17.0-2.fc34.x86_64
adcli-0.9.1-2.fc34.x86_64
authselect-1.2.2-2.fc34.x86_64
sssd-2.4.2-2.fc34.x86_64


How reproducible: Always
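
The regression above boils down to realmd-distro.conf hooks pointing at a binary that no longer exists on the system. The following checker is an added example written for this report; it is not realmd's own code and not something the reporter posted. It assumes only what the grep output shows: realmd-distro.conf is a line-oriented `key = value` file (optional `[section]` headers and `#` comments are skipped), and multi-step hooks are wrapped as `/usr/bin/sh -c "cmd && cmd"`. The two embedded samples are constructed from the F33 and F34 values quoted in the report; the `[example]` section header is made up.

```python
"""Check which executables realmd's login hooks reference and whether they exist.

Added example for bug 1934124; not realmd's own code.  Assumes only that
realmd-distro.conf is a line-oriented ``key = value`` file.
"""
import os
import re
import shlex

# Hook keys whose values are the commands realmd runs to enable/disable logins.
LOGIN_KEYS = (
    "sssd-enable-logins",
    "sssd-disable-logins",
    "winbind-enable-logins",
    "winbind-disable-logins",
)

# Constructed sample: the four values from the Fedora 33 realmd-0.16.3-25 grep
# output in the report (authselect-based, the intended configuration).
# The [example] section header is made up; the report does not show one.
F33_SAMPLE = r'''
[example]
winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
'''

# Constructed sample: the four values from the Fedora 34 realmd-0.17.0-2 grep
# output in the report (the regressed, authconfig-based configuration).
F34_SAMPLE = r'''
[example]
# comment lines are ignored by the parser
winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
'''


def parse_realmd_conf(text):
    """Return {key: value} for each ``key = value`` line; skip blanks, comments, [sections]."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def executables_in(command):
    """List the programs a hook command runs, descending into ``sh -c "..."`` scripts."""
    tokens = shlex.split(command)
    if not tokens:
        return []
    programs = [tokens[0]]
    # realmd wraps multi-step hooks as: /usr/bin/sh -c "cmd1 && cmd2 && cmd3"
    if "-c" in tokens and tokens.index("-c") + 1 < len(tokens):
        script = tokens[tokens.index("-c") + 1]
        for step in re.split(r"\s*(?:&&|\|\||;)\s*", script):
            words = shlex.split(step)
            if words:
                programs.append(words[0])
    return programs


def missing_tools(conf, exists=os.path.exists):
    """Map each login hook to the absolute-path programs it needs that are absent.

    ``exists`` is injectable so the check can run against a constructed view
    of the filesystem instead of the host the script is executing on.
    """
    report = {}
    for key in LOGIN_KEYS:
        if key not in conf:
            continue
        absent = []
        for prog in executables_in(conf[key]):
            if prog.startswith("/") and not exists(prog) and prog not in absent:
                absent.append(prog)
        if absent:
            report[key] = absent
    return report


if __name__ == "__main__":
    # On a real host, check the installed file (path taken from the report).
    path = "/usr/lib/realmd/realmd-distro.conf"
    with open(path) as fh:
        problems = missing_tools(parse_realmd_conf(fh.read()))
    for key, progs in problems.items():
        print(f"{key}: missing {', '.join(progs)}")
    raise SystemExit(1 if problems else 0)
```

Run as a script on a Fedora host it exits non-zero and names each hook whose program is absent, which is exactly the condition that turned `realm join` into "Enabling SSSD in nsswitch.conf and PAM failed" here; on the F34 package above every one of the four hooks would be reported as needing `/usr/sbin/authconfig`. The `exists` parameter lets the same logic be unit-tested against a constructed package set without touching the host.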

Comment 1 Sumit Bose 2021-03-02 16:38:01 UTC
Hi,

Bummer, the authselect patch was downstream only and got lost. Can you try whether the scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=62946098 works for you?

bye,
Sumit

Comment 2 Martin Pitt 2021-03-02 18:02:13 UTC
Sumit, thanks for the quick fix! I tested this package against all our realm/AD tests, and it's working perfectly again 👍

Comment 3 Fedora Update System 2021-03-03 07:50:14 UTC
FEDORA-2021-750346511c has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2021-03-03 07:56:15 UTC
FEDORA-2021-9b44822a60 has been pushed to the Fedora ELN stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 5 Fedora Update System 2021-03-03 08:49:12 UTC
FEDORA-2021-c77afd19c8 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c77afd19c8

Comment 6 Fedora Update System 2021-03-03 15:47:05 UTC
FEDORA-2021-c77afd19c8 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c77afd19c8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c77afd19c8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Adam Williamson 2021-03-17 19:45:29 UTC
This seems like a clear Beta blocker. It violates "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain" - https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_authentication .

Comment 8 Adam Williamson 2021-03-17 20:11:37 UTC
+5 votes in https://pagure.io/fedora-qa/blocker-review/issue/313 , marking accepted.

Comment 9 Fedora Update System 2021-03-18 20:38:42 UTC
FEDORA-2021-c77afd19c8 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.