Bug 2187510

Summary: Activating Session Recording disables IPA/IDM access
Product: Red Hat Enterprise Linux 9
Reporter: jstephen
Component: cockpit-session-recording
Assignee: jstephen
Status: CLOSED ERRATA
QA Contact: Anuj Borah <aborah>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 9.3
CC: aborah, aboscatt, atikhono, jbreitwe, smeyer, spoore, sssd-qe
Target Milestone: rc
Keywords: Triaged
Target Release: 9.3
Flags: pm-rhel: mirror+
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2176378
Environment:
Last Closed: 2023-11-07 08:33:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version: v13
Embargoed:
Bug Depends On: 2176378
Bug Blocks:

Description jstephen 2023-04-17 19:18:06 UTC
+++ This bug was initially created as a clone of Bug #2176378 +++

Description of problem:
- Activating Session Recording disables IPA/IDM access

Version-Release number of selected component (if applicable):
- RHEL 8.7
- cockpit-session-recording-12-1.el8.noarch


How reproducible:


Steps to Reproduce:
1. Enable IPA/IDM login on a client
2. Install cockpit-session-recording: yum install cockpit-session-recording
   No file /etc/sssd/conf.d/sssd-session-recording.conf is created by default
3. Go to Cockpit web page and select
4. Set the SSSD Config to Scope = All
5. Save configuration
   The file /etc/sssd/conf.d/sssd-session-recording.conf is then created:

   ------------------------
   [sssd]
   enable_files_domain=true
   services=nss

   [session_recording]
   scope=all
   exclude_users=
   exclude_groups=
   ------------------------

6. After that the IPA/IDM login fails

Actual results:
- The IPA/IDM login fails

Expected results:
- IPA/IDM login should be possible after activating cockpit-session-recording


Root Cause Analysis:
Due to the override for "services" in the file /etc/sssd/conf.d/sssd-session-recording.conf
the IPA/IDM access is disabled.

The default /etc/sssd/sssd.conf file sets the services to
   services = nss, pam, ssh, sudo


Workaround:
Remove the line "services=nss" from /etc/sssd/conf.d/sssd-session-recording.conf
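
The check below is an added example, not part of the bug report or of cockpit-session-recording. It merges a base sssd.conf with conf.d snippets and reports any snippet whose [sssd] "services" value removes services the base file enabled. It assumes SSSD's documented behaviour that snippets are applied in sorted name order with later values replacing earlier ones; the function names and the minimal base file are constructed for illustration.

```python
import configparser

def parse_services(text):
    """Return the [sssd] 'services' list from one INI text, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_option("sssd", "services"):
        return None
    return [s.strip() for s in cp.get("sssd", "services").split(",") if s.strip()]

def audit_services(base_text, snippets):
    """Merge the base file with conf.d snippets and report narrowing overrides.

    snippets maps file name -> file content. Returns (effective_services,
    findings); each finding is (snippet_name, services that snippet removed).
    """
    effective = parse_services(base_text) or []
    findings = []
    for name in sorted(snippets):
        if name.startswith(".") or not name.endswith(".conf"):
            continue  # sssd ignores hidden files and files not ending in .conf
        override = parse_services(snippets[name])
        if override is None:
            continue  # snippet leaves 'services' alone
        removed = sorted(set(effective) - set(override))
        if removed:
            findings.append((name, removed))
        effective = override  # the later value replaces the earlier one
    return effective, findings

# Constructed sample input, using the values quoted in the report.
BASE = """[sssd]
services = nss, pam, ssh, sudo
"""
SNIPPET = """[sssd]
enable_files_domain=true
services=nss

[session_recording]
scope=all
exclude_users=
exclude_groups=
"""
WORKAROUND = SNIPPET.replace("services=nss\n", "")  # the reported workaround

if __name__ == "__main__":
    name = "sssd-session-recording.conf"
    print(audit_services(BASE, {name: SNIPPET}))
    print(audit_services(BASE, {name: WORKAROUND}))
```

On a real host, the same functions can be fed the contents of /etc/sssd/sssd.conf and each file under /etc/sssd/conf.d/.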

Comment 6 errata-xmlrpc 2023-11-07 08:33:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (cockpit-session-recording bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6455