Bug 2094400

Summary: [RFE] ipa-client-install should provide option to enable subid: sss in /etc/nsswitch.conf
Product: Red Hat Enterprise Linux 9 Reporter: Florence Blanc-Renaud <frenaud>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 9.1CC: abokovoy, ipa-qe, myusuf, rcritten, sumenon, tscherf
Target Milestone: rcKeywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.9.10-1.el9 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 2068088 Environment:
Last Closed: 2022-11-15 10:00:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2063750, 2068088    
Bug Blocks:    

Description Florence Blanc-Renaud 2022-06-07 14:00:36 UTC 
+++ This bug was initially created as a clone of Bug #2068088 +++

Description of problem:
ipa-client-install should provide an option allowing to configure subid managed at IPA level.
Currently, ipa-client-install configures the sssd profile which in turns customizes /etc/nsswitch.conf but the subid database does not use IPA and relies only on the local files /etc/subuid and /etc/subgid.

As it may not be relevant in all cases to configure "subid: sss", it would be nice to have a new option, and keep the default behavior without this option (=do not configure subuid: sss).

Version-Release number of selected component (if applicable):
subid feature was introduced in ipa-4.9.8

How reproducible:
Always

Steps to Reproduce:
1. install ipa client with ipa-client-install
2. grep subid /etc/nsswitch.conf

Actual results:
subid not configured to use sss

Expected results:
ipa-client-install should provide an option to configure NSS with subid: sss


--- Additional comment from Florence Blanc-Renaud on 2022-03-24 12:50:24 UTC ---

In order to implement this feature, authselect must provide a mechanism to configure nss with subid: sss, hence adding dependency on the BZ 2063750


--- Additional comment from Florence Blanc-Renaud on 2022-05-18 15:40:41 UTC ---

Upstream ticket:
https://pagure.io/freeipa/issue/9159

--- Additional comment from Alexander Bokovoy on 2022-05-25 05:12:38 UTC ---

Fixed upstream
master:
https://pagure.io/freeipa/c/571b6b81c3e79ddc89db07e99b12b3352294cffd
https://pagure.io/freeipa/c/49ab92c5ef067e67ebe3d53711b027465c591760
https://pagure.io/freeipa/c/952a77caef9cb21f1e7c794cd35217b58954744b

--- Additional comment from Rob Crittenden on 2022-05-25 19:09:13 UTC ---

ipa-4-9:
https://pagure.io/freeipa/c/74b2fd06d978d56137ccfde310f9c64187e0a5a3
https://pagure.io/freeipa/c/e10f3385d0bbb4100a8220ce372dc2748f8b329e
https://pagure.io/freeipa/c/0193498f682eb3efa9cbdf82af215eaa854f466a
Comment 1 Florence Blanc-Renaud 2022-06-07 14:01:48 UTC 
Marking as POST since the fix is already available upstream
Comment 7 Florence Blanc-Renaud 2022-08-09 06:39:06 UTC 
Upstream test:

Fixed upstream
master:
https://pagure.io/freeipa/c/e3e7c98ac59442a053703a700432cc1739d4a8ac

ipa-4-9:
https://pagure.io/freeipa/c/a5762621ef3ed1e699306a8d2eef634bc927a6fc

ipa-4-10:
https://pagure.io/freeipa/c/a39af6b7228d8ba85b9e97aa5decbc056d081c77
Comment 9 errata-xmlrpc 2022-11-15 10:00:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7988