Bug 2019052

Summary: Enforce Authselect Configuration Consistency
Product: [Fedora] Fedora
Component: Changes Tracking
Reporter: Ben Cotton <bcotton>
Assignee: Pavel Březina <pbrezina>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 36
CC: bcotton, bgilbert, markus.falb, travier, walters
Hardware: Unspecified
OS: Unspecified
Whiteboard: FailedQA
Last Closed: 2022-05-10 14:41:45 UTC
Bug Depends On: 2000936, 2023738, 2023741, 2023743, 2023745, 2034336, 2034360, 2039869
Bug Blocks: 1982279

Description Ben Cotton 2021-11-01 14:22:13 UTC
This is a tracking bug for Change: Enforce Authselect Configuration Consistency
For more details, see: https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory

This change wants to make authselect required to configure authentication and identity sources and forcefully update non-authselect configuration to the sssd authselect profile to eliminate any existing non-authselect setups.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.

Comment 1 Colin Walters 2021-12-20 16:22:25 UTC
See https://github.com/coreos/fedora-coreos-tracker/issues/1051

We need nss-altfiles in /etc/nsswitch.conf for ostree based systems right now.

This is all the same as https://github.com/authselect/authselect/issues/48 etc.

Perhaps short term we can disable the script aspects of authselect.  

But let's avoid shipping this feature in Fedora 36 until this is working with ostree.  Can you take a look at this and comment?

My strawman proposal here is that rpm-ostree gains a simple way to inject this requirement.

A simple implementation of this would be detecting the presence of /usr/lib64/libnss_altfiles.so.2
or perhaps a "stamp file" like /usr/lib/nss-altfiles/required ?  (We can't rely on querying the rpm database
due to locking issues on traditional RPM and rpm-ostree explicitly denies reading it at all to scripts)
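
The file-presence detection proposed in Comment 1, written out as an added example (not code from authselect, rpm-ostree, or any commenter). The function names, the ROOT prefix argument, and the choice of `passwd` and `group` as the databases to check are assumptions; the two marker paths are the ones named in the comment.

```shell
#!/bin/sh
# Added example: not authselect or rpm-ostree code.
# ROOT prefix is an assumption so the check can run against an unpacked tree.

# Succeed if either marker named in Comment 1 exists under ROOT.
altfiles_required() {
    [ -e "$1/usr/lib64/libnss_altfiles.so.2" ] ||
        [ -e "$1/usr/lib/nss-altfiles/required" ]
}

# Succeed if database DB in nsswitch file FILE lists the "altfiles" source.
db_has_altfiles() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }    # ignore comments, including trailing ones
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "altfiles") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print "not-required", "ok" or "missing: <dbs>"; return 1 only when missing.
check_altfiles() {
    root=${1:-}
    altfiles_required "$root" || { echo "not-required"; return 0; }
    missing=""
    # Assumption: passwd and group are the databases nss-altfiles serves.
    for db in passwd group; do
        db_has_altfiles "$root/etc/nsswitch.conf" "$db" || missing="$missing $db"
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
    echo "ok"
}

# Constructed demo tree (not a real system): stamp file present, but the
# group line only mentions altfiles inside a comment.
demo=$(mktemp -d)
mkdir -p "$demo/usr/lib/nss-altfiles" "$demo/etc"
: > "$demo/usr/lib/nss-altfiles/required"
printf '%s\n' 'passwd: sss files altfiles systemd' \
    'group: sss files systemd  # altfiles' > "$demo/etc/nsswitch.conf"
check_altfiles "$demo" || true    # prints "missing: group"
rm -rf "$demo"
```

The check only tests for file presence and never queries the rpm database, which Comment 1 rules out for scripts.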

Comment 2 Pavel Březina 2022-01-10 11:59:12 UTC
The discussion for the ostree issue continues in https://bugzilla.redhat.com/show_bug.cgi?id=2034360

Comment 3 Ben Cotton 2022-02-08 21:07:16 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 36 development cycle.
Changing version to 36.

Comment 4 Ben Cotton 2022-05-10 14:41:45 UTC
F36 was released today. If this Change did not land in the release, please notify bcotton as soon as possible.