Bug 737048
Summary: | ipa-client-install calls authconfig with wrong parameters | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Marko Myllynen <myllynen> |
Component: | ipa | Assignee: | Alexander Bokovoy <abokovoy> |
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 6.1 | CC: | abokovoy, benl, dpal, jgalipea, mkosek, nsoman, sgallagh |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | ipa-2.1.2-1.el6 | Doc Type: | Bug Fix |
Doc Text: |
Cause: ipa-client-install always runs /usr/sbin/authconfig to add "pam_krb5.so" entry to PAM configuration files in /etc/pam.d/. However, this entry is not needed when IPA client is installed with SSSD support, which is a default behavior.
Consequence: Unnecessary record is added to PAM configuration. This may be confusing for the user.
Fix: Do not run /usr/sbin/authconfig if IPA client is configured with SSSD support.
Result: "pam_krb5.so" record is not added to PAM configuration during ipa-client-install when not needed.
Last Closed: | 2011-12-06 18:31:09 UTC | Type: | --- |
Description
Marko Myllynen
2011-09-09 13:12:51 UTC
ipa-client-install is calling 'authconfig --enablekrb5 --update' during its execution, which is adding an unnecessary 'pam_krb5.so' entry to the assorted PAM configuration files in /etc/pam.d/

I'm not sure why this is believed to be necessary on an SSSD-enabled system, but it's most likely wrong.

Most likely? Bottom line it for me, remove it or not?

pam_krb5 should not be used with SSSD, so remove.

I made a ticket for FreeIPA.

Assign to myself.

Well, I said "most likely" because I wasn't sure if there was some other side-effect of this feature that we were counting on (like setting up krb5.conf or something). It warrants investigation.

Fixed upstream:
master: fb79c50b399fb2beb57001477e8e7579f2b251ba
ipa-2-1: 39a64a52728f3cf5437de6f1b4ca07d2860ed92f

When installing with sssd, install logs indicate:
/usr/sbin/authconfig --enablesssdauth --update --enablesssd
and does not add any 'pam_krb5.so' entry to the PAM configuration files in /etc/pam.d/

And with no-sssd, logs have:
/usr/sbin/authconfig --enablekrb5 --nostart --update
and adds 'pam_krb5.so' entry to the PAM configuration files in /etc/pam.d/

Verified using ipa-client-2.1.2-2.el6.x86_64

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: ipa-client-install always runs /usr/sbin/authconfig to add "pam_krb5.so" entry to PAM configuration files in /etc/pam.d/. However, this entry is not needed when IPA client is installed with SSSD support, which is a default behavior.
Consequence: Unnecessary record is added to PAM configuration. This may be confusing for the user.
Fix: Do not run /usr/sbin/authconfig if IPA client is configured with SSSD support.
Result: "pam_krb5.so" record is not added to PAM configuration during ipa-client-install when not needed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
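The verification above compares the PAM files after an SSSD install and a no-sssd install. The following shell audit is an added example, not code from this bug report or from FreeIPA: it lists PAM files that actively load pam_krb5.so beside pam_sss.so, the combination this bug left behind. The function names are hypothetical and the PAM files are constructed samples.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the PAM files are constructed.

# pam_uses MODULE FILE: succeed if an active (non-comment) line loads MODULE.
pam_uses() {
    awk -v mod="$1" '
        { sub(/#.*/, "") }                    # ignore comments
        { for (i = 2; i <= NF; i++) {         # field 1 is the PAM type
              n = split($i, p, "/")           # accept absolute module paths
              if (p[n] == mod) found = 1 } }
        END { exit !found }' "$2"
}

# audit_pam_dir DIR: print files loading both pam_sss.so and pam_krb5.so.
# Returns 1 if any such file exists, 0 otherwise.
audit_pam_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if pam_uses pam_sss.so "$f" && pam_uses pam_krb5.so "$f"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample directory standing in for /etc/pam.d.
make_sample_pam_dir() {
    d=$(mktemp -d)
    cat > "$d/system-auth" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF
    cat > "$d/password-auth" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
#auth       sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_sss.so use_first_pass
EOF
    echo "$d"
}

sample=$(make_sample_pam_dir)
audit_pam_dir "$sample" || echo "files above load pam_krb5.so beside pam_sss.so"
rm -rf "$sample"
```

On an enrolled client, `audit_pam_dir /etc/pam.d` runs the same check against the live configuration.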