Bug 636324

Summary: authconfig troubles with sssd and ldap
Product: [Fedora] Fedora
Component: authconfig
Version: 14
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: medium
Priority: low
Reporter: Orion Poplawski <orion>
Assignee: Tomas Mraz <tmraz>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: tmraz
Doc Type: Bug Fix
Last Closed: 2010-09-24 15:53:20 UTC

Description Orion Poplawski 2010-09-21 22:15:01 UTC
Description of problem:

Doing F14 installs with my standard F13 kickstart authconfig line:

authconfig --enablemd5 --enableshadow --enablesssd --enablesssdauth --enableldap --enableldapauth --ldapserver=ldap.cora.nwra.com --ldapbasedn=dc=nwra,dc=com --enableldaptls --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl

I end up with a different nsswitch.conf than with F13:

< f13, > f14
33,35c33,35
< passwd:     files sss
< shadow:     files sss
< group:      files sss
---
> passwd:     files sss ldap
> shadow:     files sss ldap
> group:      files sss ldap
38c38
< hosts:      files mdns4_minimal [NOTFOUND=return] dns
---
> hosts:      files dns
57c57
< netgroup:   files sss
---
> netgroup:   files ldap ldap
61c61
< automount:  files ldap
---
> automount:  files ldap ldap

And lots of errors in logs:

Sep 21 14:27:00 test kdm: :0[18768]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot open shared object file: No such file or directory
Sep 21 14:27:00 test kdm: :0[18768]: PAM adding faulty module: /lib64/security/pam_ldap.so
Sep 21 14:27:00 test kdm: :0[18768]: pam_unix(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=orion
Sep 21 14:27:01 test kdm: :0[18768]: pam_sss(kdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=orion

Sep 21 14:30:01 test crond[18887]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot open shared object file: No such file or directory
Sep 21 14:30:01 test crond[18887]: PAM adding faulty module: /lib64/security/pam_ldap.so

Note that despite the pam_sss success above, kdm fails to log me in.  Perhaps a separate kdm issue?

Version-Release number of selected component (if applicable):
authconfig-6.1.9-1.fc14.x86_64

Comment 1 Orion Poplawski 2010-09-21 22:20:28 UTC
system-auth-ac is also different:

< f13, > f14
7a8
> auth        sufficient    pam_ldap.so use_first_pass
13a15
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
18a21
> password    sufficient    pam_ldap.so use_authtok
22a26
> -session     optional      pam_systemd.so
25a30
> session     optional      pam_ldap.so

Comment 2 Tomas Mraz 2010-09-22 06:18:10 UTC
Just remove the --enablesssd --enablesssdauth from your settings above. These options enable the 'explicit sssd support' with user managing sssd.conf by himself.

The only small bug is the double ldap ldap in netgroup and automount lines in /etc/nsswitch.conf.

This is not a F14 blocker.

Comment 3 Orion Poplawski 2010-09-22 20:47:33 UTC
Indeed, that appears to work.  I think a release note may be in order to document this change.

Comment 4 Tomas Mraz 2010-09-23 07:24:21 UTC
I am not sure what would be the Release note content. Can you please open the relnote request and enter the proposed content? Note that even in Fedora 13 the supposed call of authconfig was the same as now. The --enablesssd and --enablesssdauth were never supposed to be passed to authconfig if you wanted the implicit SSSD support. However, the behavior when --enablesssd and --enablesssdauth were added might have been slightly different.

Here you can enter the release note request:

https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20Documentation&op_sys=Linux&target_milestone=---&bug_status=NEW&version=devel&component=release-notes&rep_platform=All&priority=normal&bug_severity=normal&assigned_to=relnotes@fedoraproject.org&cc=&estimated_time_presets=0.0&estimated_time=0.0&bug_file_loc=http://&short_desc=RELNOTES%20-%20Summarize%20the%20release%20note%20suggestion/content&comment=Provide%20details%20here.%20%20Do%20not%20change%20the%20blocking%20bug.&status_whiteboard=&keywords=&issuetrackers=&dependson=&blocked=168083&ext_bz_id=0&ext_bz_bug_id=&data=&description=&contenttypemethod=list&contenttypeselection=text/plain&contenttypeentry=&maketemplate=Remember%20values%20as%20bookmarkable%20template&form_name=enter_bug

Comment 5 Orion Poplawski 2010-09-24 15:53:20 UTC
Sorry, it appears you documented the correct authconfig line in bug 578258, but I didn't get it right in my kickstarts.

*** This bug has been marked as a duplicate of bug 578258 ***
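
The two symptoms reported above (a source listed twice on an nsswitch.conf line, and PAM stacks naming pam_ldap.so when the module file is not installed) can be checked mechanically after a kickstart run. The Python below is an added example, not part of the original bug report or of authconfig; the function names and the sample inputs are constructed for illustration from the lines quoted in the report.

```python
import os
import re

# Constructed samples, modelled on the F13/F14 lines quoted in this report.
SAMPLE_NSSWITCH = """\
passwd:     files sss ldap
hosts:      files mdns4_minimal [NOTFOUND=return] dns
netgroup:   files ldap ldap
automount:  files ldap ldap
"""
SAMPLE_PAM = """\
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
-session     optional      pam_systemd.so
session     optional      pam_ldap.so
"""
# type (optionally '-' prefixed), control (word or [bracketed list]), module
PAM_LINE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def duplicate_nss_sources(text):
    """Map each nsswitch database to the sources it lists more than once."""
    findings = {}
    for line in text.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if not sep:
            continue
        # Drop action items such as [NOTFOUND=return]; keep source names.
        sources = re.sub(r"\[[^\]]*\]", " ", rest).split()
        dups = sorted({s for s in sources if sources.count(s) > 1})
        if dups:
            findings[db.strip()] = dups
    return findings

def missing_pam_modules(text, installed):
    """List (type, module) pairs whose module file is not in `installed`."""
    missing = []
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        # A '-' before the type tells PAM not to log a missing module, so
        # those lines are tolerated; include/substack name files, not modules.
        if not m or m.group(1) or m.group(3) in ("include", "substack"):
            continue
        module = os.path.basename(m.group(4))
        if module not in installed:
            missing.append((m.group(2), module))
    return missing

if __name__ == "__main__":
    print(duplicate_nss_sources(SAMPLE_NSSWITCH))
    print(missing_pam_modules(SAMPLE_PAM, {"pam_sss.so", "pam_unix.so"}))
```

On a real host, pass the contents of /etc/nsswitch.conf and /etc/pam.d/system-auth-ac, and build `installed` from a listing of the PAM module directory (/lib64/security in the log lines above).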