Bug 737048

Summary: ipa-client-install calls authconfig with wrong parameters
Product: Red Hat Enterprise Linux 6 Reporter: Marko Myllynen <myllynen>
Component: ipaAssignee: Alexander Bokovoy <abokovoy>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: abokovoy, benl, dpal, jgalipea, mkosek, nsoman, sgallagh
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.2-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: ipa-client-install always run /usr/sbin/authconfig to add "pam_krb5.so" entry to PAM configuration files in /etc/pam.d/. However, this entry is not needed when IPA client is installed with SSSD support, which is a default behavior Consequence: Unnecessary record is added to PAM configuration. This may be confusing for the user. Fix: Do not run /usr/sbin/authconfig if IPA client is configured with SSSD support Result: "pam_krb5.so" record is not added to PAM configuration during ipa-client-install when not needed
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 18:31:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marko Myllynen 2011-09-09 13:12:51 UTC
Description of problem:
As discussed with SSSD developers ipa-client-install shouldn't use --enablekrb5 parameter with authconfig when using SSSD.

Version-Release number of selected component (if applicable):
IPA 2.1.1

Comment 1 Stephen Gallagher 2011-09-09 13:19:07 UTC
ipa-client-install is calling 'authconfig --enablekrb5 --update' during its execution, which is adding an unnecessary 'pam_krb5.so' entry to the assorted PAM configuration files in /etc/pam.d/

I'm not sure why this is believed to be necessary on an SSSD-enabled system, but it's most likely wrong.

Comment 3 Rob Crittenden 2011-09-09 13:28:06 UTC
Most likely? Bottom line it for me, remove it or not?

Comment 4 Alexander Bokovoy 2011-09-09 13:31:37 UTC
pam_krb5 should not be used with SSSD, so remove. I made a ticket for FreeIPA.

Comment 5 Alexander Bokovoy 2011-09-09 13:32:03 UTC
Assign to myself.

Comment 6 Stephen Gallagher 2011-09-09 13:33:20 UTC
Well, I said "most likely" because I wasn't sure if there was some other side-effect of this feature that we were counting on (like setting up krb5.conf or something). It warrants investigation.

Comment 7 Dmitri Pal 2011-09-09 20:32:55 UTC
https://fedorahosted.org/freeipa/ticket/1775

Comment 8 Martin Kosek 2011-10-05 11:40:06 UTC
Fixed upstream:
master: fb79c50b399fb2beb57001477e8e7579f2b251ba
ipa-2-1: 39a64a52728f3cf5437de6f1b4ca07d2860ed92f

Comment 11 Namita Soman 2011-10-18 14:12:28 UTC
When installing with sssd, install logs indicate:
/usr/sbin/authconfig --enablesssdauth --update --enablesssd
and does not add any 'pam_krb5.so' entry to the PAM configuration files in /etc/pam.d/

And with no-sssd, logs have:
/usr/sbin/authconfig --enablekrb5 --nostart --update
and adds 'pam_krb5.so' entry to the PAM configuration files in /etc/pam.d/


Verified using ipa-client-2.1.2-2.el6.x86_64

Comment 12 Martin Kosek 2011-11-01 12:21:07 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: ipa-client-install always run /usr/sbin/authconfig to add "pam_krb5.so" entry to PAM configuration files in /etc/pam.d/. However, this entry is not needed when IPA client is installed with SSSD support, which is a default behavior
Consequence: Unnecessary record is added to PAM configuration. This may be confusing for the user.
Fix: Do not run /usr/sbin/authconfig if IPA client is configured with SSSD support
Result: "pam_krb5.so" record is not added to PAM configuration during ipa-client-install when not needed

Comment 13 errata-xmlrpc 2011-12-06 18:31:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html