Bug 2136047
| Field | Value |
|---|---|
| Summary: | PAM unable to dlopen(/usr/lib64/security/pam_sss.so) |
| Product: | [Fedora] Fedora |
| Component: | pam |
| Version: | 36 |
| Status: | CLOSED NOTABUG |
| Severity: | unspecified |
| Priority: | unspecified |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Harald Reindl <h.reindl> |
| Assignee: | Iker Pedrosa <ipedrosa> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | aboscatt, besser82, ipedrosa, pbrezina, tm |
| Keywords: | Reopened |
| Type: | Bug |
| Last Closed: | 2023-01-12 14:12:51 UTC |

Although not mandatory, sssd is still included in the default Fedora installation. So, did you uninstall it? Or are you using a non-default environment?

Fedora got a lot of bloat over the years but who cares about the "default Fedora installation" when you run dozens of machines for all sorts of services each as stripped as possible? i uninstall EVERYTHING which is not strictly required for the task of the machine and the last time i saw the installer was in 2011 thanks to RAID and virtualization, this useless message didn't annoy me before F36

In that case I think that you should consider changing the authselect profile from sssd to minimal, as that would remove any pam_sss requirement from the common PAM stack files. Thus, stopping the error messages that you complain about. This will change your PAM stack so be careful.

this ignorance makes me sick and tired - sssd is now how many years part of the "default install" and now with F36 you start to spam logs when one don't need that useless bloatware to gain what? and why in the world do you need to touch /etc/nsswitch.conf which has "chattr +i" because all the years some nonsense altered it unasked?
[root@testserver:~]$ authselect select minimal
[error] [/etc/nsswitch.conf] is not a symbolic link!
[error] [/etc/nsswitch.conf] was not created by authselect!
[error] [/etc/dconf/db/distro.d/20-authselect] does not exist!
[error] [/etc/dconf/db/distro.d/20-authselect] was not created by authselect!
[error] [/etc/dconf/db/distro.d/locks/20-authselect] does not exist!
[error] [/etc/dconf/db/distro.d/locks/20-authselect] was not created by authselect!
[error] Changes to the authselect configuration were detected. These changes will be overwritten. Please call 'authselect opt-out' in order to keep them.
[error] Unable to overwrite file [/etc/nsswitch.conf] [1]: Operation not permitted
[error] Unable to create symbolic links [1]: Operation not permitted
[error] Unable to activate profile [minimal] [1]: Operation not permitted
Unable to activate profile [1]: Operation not permitted

and pretty sure it has nothing to do with the config, there is no reference with "sss" in /etc/authselect nor in /etc/pam

for the sake of god just SHUT UP in case of "dlopen(/usr/lib64/security/pam_sss.so)" and whatever could be optionally dl-opened, the whole purpose of dlopen is NOT to link and require something unconditional
[root@testserver:/etc/pam.d]$ cat * | grep sss
cat: smtp: No such file or directory
[root@testserver:/etc/pam.d]$ cd /etc/authselect/
[root@testserver:/etc/authselect]$ cat * | grep sss
cat: custom: Is a directory

The mentioned error lines only appear when trying to load a module, and a module is only loaded if it is mentioned in the PAM stack. So, how is it that your PAM stack is empty of any reference to pam_sss and that PAM is still trying to load it?

dunno what happens here but "authselect select minimal" just don't work when /etc/nsswitch.conf is a file and for good reasons has the immutable-flag because i got sick and tired over the years that it was touched randomly and my configs date back way longer than "authselect" existed at all

I've been reviewing this bugzilla and I've discovered something that I overlooked the first time. In https://bugzilla.redhat.com/show_bug.cgi?id=2136047#c6 you are searching for any occurrence of sss in /etc/pam.d and the search fails:
[root@testserver:/etc/pam.d]$ cat * | grep sss
cat: smtp: No such file or directory
Can you check what happens with smtp? Or at least search for sss in another way (grep -R "sss" /etc/pam.d/)?

i cleaned that all up on any machine i maintain and hopefully "authselect opt-out" and the empty "/etc/authselect/" will stay that way after future updates
one part of the problems is pretty sure that on Fedora 36 you no longer can uninstall "authselect" and so it was pulled by the dist-upgrade while i uninstalled it years ago by intention everywhere
[root@srv-rhsoft:~]$ rpm -e authselect
error: Failed dependencies:
authselect >= 1.3 is needed by (installed) pam-1.5.2-13.fc36.x86_64
authselect is needed by (installed) nss-mdns-0.15.1-5.fc36.x86_64

So, just to be clear. Does the problem persist and you see log errors of pam_sss missing on your system?

after the complete cleanup all is fine but given that "authselect opt-out" removes everything from /etc/authselect except an empty directory and two useless nsswitch-files i hope that stuff won't come back with the next "authselect" package update - in a perfect world the whole package would still be optional as it's not needed on most setups at all

i cleaned everything in /etc/pam.d by hand (once again)

In that case I'm closing this bugzilla. Feel free to reopen it if the problem happens again.

as i feared after upgrading a F35 machine with empty "/etc/authselect/" and for sure no sss-line in /etc/pam.d/ to F36 the same issue

how can i *really* opt-out once and forever from "authselect"?
[root@buildserver:~]$ ls /etc/authselect/
total 40K
drwxr-xr-x 2 root root 4.0K 2022-05-12 11:54 custom
-rw-r--r-- 1 root root 423 2022-11-21 13:18 dconf-db
-rw-r--r-- 1 root root 452 2022-11-21 13:18 dconf-locks
-rw-r--r-- 1 root root 332 2022-11-21 13:18 fingerprint-auth
-rw-r--r-- 1 root root 2.1K 2022-11-21 13:18 password-auth
-rw-r--r-- 1 root root 587 2022-11-21 13:18 postlogin
-rw-r--r-- 1 root root 332 2022-11-21 13:18 smartcard-auth
-rw-r--r-- 1 root root 2.1K 2022-11-21 13:18 system-auth
-rw-r--r-- 1 root root 25 2022-11-21 13:18 authselect.conf
-rw-r--r-- 1 root root 671 2022-11-21 13:18 nsswitch.conf
[root@buildserver:/etc/pam.d]$ cat * | grep sss
auth sufficient pam_sss.so forward_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
session optional pam_sss.so
auth sufficient pam_sss.so forward_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
session optional pam_sss.so
[root@buildserver:/etc/pam.d]$ rpm -qa | grep sss
[root@buildserver:/etc/pam.d]$
[root@buildserver:~]$ locate pam_sss.so
[root@buildserver:~]$

"authselect opt-out" is the suggested solution to disable authselect in an environment as it is explained in https://fedoraproject.org/wiki/Changes/Authselect_Require_explicit_opt-out

@pbrezina can you help us?

maybe "authselect opt-out" just don't work when "authselect" was completely removed and is pulled for reasons only god knows later due updates
this wasn't the case before F36 and i can't even remotely understand why pam requires authselect at all because it sounds like the tail is waving with the dog
[root@buildserver:~]$ rpm -e authselect
error: Failed dependencies:
authselect >= 1.3 is needed by (installed) pam-1.5.2-13.fc36.x86_64

Fedora 36 has implemented a change which makes one-time opt-in for all users. See https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory

So when you upgraded from F35 to F36 you were automatically opted-in to authselect. If you now opt-out, it will stay like that forever.

can you guys stop flooding my logs with every Fedora release with more and more useless stuff? on some machines the filters in rsyslog.conf are longer than the remaining logfiles for a week

sssd is not mandatory - thanks god nobody i know needs sssd so it's not there - fine, then don't load it and shut up
crond: PAM adding faulty module: /usr/lib64/security/pam_sss.so: 130 Time(s)
crond: PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: Kann die Shared-Object-Datei nicht öffnen: Datei oder Verzeichnis nicht gefunden: 130 Time(s)
login: PAM adding faulty module: /usr/lib64/security/pam_sss.so: 7 Time(s)
login: PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: No such file or directory: 7 Time(s)
sddm-helper: PAM adding faulty module: /usr/lib64/security/pam_sss.so: 8 Time(s)
sddm-helper: PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: Kann die Shared-Object-Datei nicht öffnen: Datei oder Verzeichnis nicht gefunden: 8 Time(s)
su: PAM adding faulty module: /usr/lib64/security/pam_sss.so: 1 Time(s)
su: PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: No such file or directory: 1 Time(s)
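
The check the thread circles around (which service files still name a module that is not installed, and which entry in /etc/pam.d makes `cat *` fail), written out as an added example; it is not part of the bug report and not code from PAM or authselect. The function name `pam_missing_modules` and the demo tree are constructed for illustration; the default module directory is the one shown in the log lines above.

```shell
#!/bin/sh
# Added example. Usage: pam_missing_modules [PAM_DIR] [MODULE_DIR]
# Prints one line per dangling symlink and per referenced module that is absent.
pam_missing_modules() {
    pam_dir=${1:-/etc/pam.d}
    mod_dir=${2:-/usr/lib64/security}
    for f in "$pam_dir"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "${f##*/}: dangling symlink"   # this is what breaks "cat *"
            continue
        fi
        [ -f "$f" ] || continue
        # Emit the module path of every rule that would load a module.
        awk '
            /^[ \t]*(#|$)/ { next }   # comments and blank lines
            $1 ~ /^@/      { next }   # @include directives name files, not modules
            $1 ~ /^-/      { next }   # "-type" rules: PAM stays silent if the module is missing
            {
                i = 2
                if ($i ~ /^\[/) {     # [value=action ...] control spans several fields
                    while (i <= NF && $i !~ /\]$/) i++
                } else if ($i == "include" || $i == "substack") next
                if (i + 1 <= NF) print $(i + 1)
            }
        ' "$f" | sort -u | while read -r mod; do
            case $mod in
                /*) path=$mod ;;              # absolute module path
                *)  path=$mod_dir/$mod ;;     # relative to the module directory
            esac
            [ -e "$path" ] || echo "${f##*/}: $path missing"
        done
    done
}

# Constructed demo tree (not taken from the reporter's machines).
demo=$(mktemp -d)
mkdir "$demo/pam.d" "$demo/security"
: > "$demo/security/pam_unix.so"
printf '%s\n' 'auth sufficient pam_unix.so' \
    'account [default=bad success=ok user_unknown=ignore] pam_sss.so' \
    '-session optional pam_systemd.so' > "$demo/pam.d/system-auth"
ln -s /nonexistent/smtp.postfix "$demo/pam.d/smtp"
pam_missing_modules "$demo/pam.d" "$demo/security"
```
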