Bug 594750

Summary: authconfig CLI fails to set up sssd for ldap but GUI works
Product: [Fedora] Fedora
Reporter: Paul Howarth <paul>
Component: authconfig
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: tmraz
Hardware: All   
OS: Linux   
Fixed In Version: authconfig-6.1.6-1.fc14
Doc Type: Bug Fix
Last Closed: 2010-06-10 15:53:37 UTC

Description Paul Howarth 2010-05-21 14:00:35 UTC
* Fresh Fedora 13 install from DVD, with language and keyboard settings UK.
* Create local user "dummy" at firstboot since there is no network at this point
* Login as "dummy"
* Enable the network
* Start a root shell
* yum update
* yum --enablerepo=updates-testing update auth\*

At this point I have:
  authconfig-6.1.4-2.fc13.x86_64
  authconfig-gtk-6.1.4-2.fc13.x86_64

Default settings:
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is enabled
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled


I now try to set up ldap auth in the time-honoured way:
# authconfig \
  --enableldap \
  --enableldapauth \
  --ldapserver=ldap://ldap.virtensys.com/ \
  --ldaploadcacert=http://download.virtensys.com/virtensys-ca.crt \
  --enableldaptls \
  --ldapbasedn=dc=virtensys,dc=com \
  --disablefingerprint \
  --updateall
Starting sssd:                                             [FAILED]


The stock sssd.conf is untouched:
# ls -lrt /etc/sssd
total 12
-rw-------. 1 root root 2829 Apr  2 16:56 sssd.conf
-r--------. 1 root root 1809 Apr  2 16:56 sssd.api.conf
drwx------. 2 root root 4096 May 21 13:25 sssd.api.d


Authconfig does know what the config is *supposed* to be though:
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.virtensys.com/"
 LDAP base DN = "dc=virtensys,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.virtensys.com/"
 LDAP base DN = "dc=virtensys,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is disabled
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled


If I now fire up the GUI, don't make any changes and click "Apply", it springs into life:
# authconfig-gtk
Starting sssd:                                             [  OK  ]
# ls -lrt /etc/sssd
total 12
-r--------. 1 root root 1809 Apr  2 16:56 sssd.api.conf
drwx------. 2 root root 4096 May 21 13:25 sssd.api.d
-rw-------. 1 root root 3191 May 21 14:39 sssd.conf

Comment 1 Tomas Mraz 2010-05-21 14:24:37 UTC
Use --update instead of --updateall as a workaround.
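
The symptom in this report is that `authconfig --test` shows the LDAP settings as enabled while `/etc/sssd/sssd.conf` was never rewritten. The check below is an added example, not part of the original report or of authconfig: it compares saved `authconfig --test` output with an sssd.conf file. The sample files and `example.test` names are constructed, and it assumes the LDAP settings land in a `[domain/...]` section as SSSD's `ldap_uri`, `ldap_search_base` and `ldap_id_use_start_tls` options.

```shell
#!/bin/sh
# Added example (not authconfig code). Sample files below are constructed.
# Assumes SSSD's ldap_uri, ldap_search_base and ldap_id_use_start_tls options
# appear in a [domain/...] section of sssd.conf. Trailing "/" is ignored.
ac_value() {   # $1 = saved `authconfig --test` output, $2 = label, e.g. "LDAP server"
    sed -n "s/^ *$2 = \"\(.*\)\"\$/\1/p" "$1" | head -n 1 | sed 's:/*$::'
}
ac_state() {   # prints the word after "is" (enabled / disabled) for label $2
    sed -n "s/^ *$2 is \([a-z]*\).*/\1/p" "$1" | head -n 1
}
sssd_value() { # $1 = sssd.conf, $2 = key; reads [domain/...] sections only
    awk -v key="$2" '
        /^\[/ { in_dom = ($0 ~ /^\[domain\//); next }
        in_dom && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
            if (k == key) { v = substr($0, i + 1); gsub(/^[ \t]+|\/+$/, "", v); print v; exit }
        }' "$1"
}
check_sssd_matches() {   # $1 = authconfig output, $2 = sssd.conf; 0 = consistent
    [ "$(ac_state "$1" nss_ldap)" = enabled ] || return 0   # LDAP not requested
    rc=0
    [ "$(sssd_value "$2" ldap_uri)" = "$(ac_value "$1" 'LDAP server')" ] ||
        { echo "MISMATCH: ldap_uri"; rc=1; }
    [ "$(sssd_value "$2" ldap_search_base)" = "$(ac_value "$1" 'LDAP base DN')" ] ||
        { echo "MISMATCH: ldap_search_base"; rc=1; }
    if [ "$(ac_state "$1" 'LDAP+TLS')" = enabled ]; then
        case "$(sssd_value "$2" ldap_id_use_start_tls)" in
            [Tt]rue) ;;
            *) echo "MISMATCH: ldap_id_use_start_tls"; rc=1 ;;
        esac
    fi
    return $rc
}
make_samples() {   # $1 = directory to fill with constructed sample files
    printf '%s\n' 'nss_ldap is enabled' ' LDAP+TLS is enabled' \
        ' LDAP server = "ldap://ldap.example.test/"' \
        ' LDAP base DN = "dc=example,dc=test"' > "$1/authconfig-test.txt"
    printf '%s\n' '[sssd]' 'services = nss, pam' > "$1/sssd-stock.conf"
    printf '%s\n' '[sssd]' 'domains = default' '[domain/default]' \
        'id_provider = ldap' 'ldap_uri = ldap://ldap.example.test/' \
        'ldap_search_base = dc=example,dc=test' \
        'ldap_id_use_start_tls = True' > "$1/sssd-applied.conf"
}
# Demo on the constructed "untouched" sssd.conf: reports all three mismatches.
d=$(mktemp -d) && make_samples "$d"
check_sssd_matches "$d/authconfig-test.txt" "$d/sssd-stock.conf" ||
    echo "sssd.conf does not reflect the authconfig settings"
rm -rf "$d"
```

On a real system, save the output with `authconfig --test > file` and pass that file together with `/etc/sssd/sssd.conf` to `check_sssd_matches`.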