Bug 789413

Summary: Need option for ipa-client-install to not call authconfig
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.2
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Tomas Mraz <tmraz>
Assignee: Rob Crittenden <rcritten>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: dpal, jgalipea, ksiddiqu, mkosek
Target Milestone: rc
Keywords: FutureFeature
Hardware: All
OS: Linux
Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Enhancement
Doc Text: No documentation needed.
Last Closed: 2012-06-20 13:32:07 UTC
Bug Blocks: 731094

Description Tomas Mraz 2012-02-10 17:59:48 UTC
For implementation of IPA client configuration in authconfig we need an option (--noac for example) that will prevent ipa-client-install from calling authconfig. Authconfig will modify the nsswitch.conf and PAM configuration on its own after ipa-client-install returns.

Comment 1 Dmitri Pal 2012-02-10 20:00:11 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2369

Comment 2 Rob Crittenden 2012-03-05 15:27:47 UTC
Fixed upstream.

master: 111ca8a4823171cc29ca582ca8fb8c0c5330374c

ipa-2-2: 924a6bd57afe6af61118cd6902a327e3908131d8

man page addition:

master: 356823d270a33b65ef4a34133f5d65100b5f59e4

ipa-2-2: d18ea5f52246ca1a7e071fb1dde04ef13d85fa71

For testing, if you use the --noac option then /etc/nsswitch.conf and /etc/pam.d won't be modified. So things like 'id admin', 'getent passwd' won't contain IPA users, logins fail, etc.

Comment 5 Martin Kosek 2012-04-24 11:35:10 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 6 Kaleem 2012-05-02 14:08:57 UTC
Verified.

ipa-client version:
===================
[root@ipa63client1 ~]# rpm -q ipa-client
ipa-client-2.2.0-12.el6.x86_64
[root@ipa63client1 ~]#

ipa-client installation with --noac option:
===========================================
(1) ipa-client installation is successful with --noac option.

[root@ipa63client1 ~]# ipa-client-install -p admin -w Secret123 --noac -U
Discovery was successful!
Hostname: ipa63client1.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: ipa63server.testrelm.com
BaseDN: dc=testrelm,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Domain testrelm.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
NTP enabled
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@ipa63client1 ~]#

(2) No authconfig call in ipaclient-install.log

[root@ipa63client1 ~]# cat /var/log/ipaclient-install.log |grep authconfig
[root@ipa63client1 ~]#
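
A fuller form of the check above, as an added example that is not part of the original bug report: besides grepping the install log, it hashes /etc/nsswitch.conf and /etc/pam.d before the install and compares afterwards, which tests the "won't be modified" statement from Comment 2 directly. The function names snapshot and noac_check and the baseline path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. snapshot and noac_check are
# hypothetical helper names. ROOT is the filesystem root to inspect: "/" on a
# real client, or a constructed tree when testing.

# snapshot ROOT OUT: record SHA-256 of nsswitch.conf and every regular file
# under pam.d, sorted by path so two snapshots can be diffed.
snapshot() {
    s_root=$1; s_out=$2
    ( cd "$s_root" &&
      find etc/nsswitch.conf etc/pam.d -type f -exec sha256sum {} + |
      sort -k2 ) > "$s_out"
}

# noac_check ROOT BASELINE LOG: return 0 only if the files match the baseline
# and the install log never mentions authconfig.
noac_check() {
    c_root=$1; c_base=$2; c_log=$3; c_rc=0
    if [ ! -r "$c_log" ]; then
        echo "FAIL: cannot read $c_log" >&2
        return 2
    fi
    c_now=$(mktemp)
    snapshot "$c_root" "$c_now"
    if ! diff -u "$c_base" "$c_now"; then
        echo "FAIL: nsswitch.conf or pam.d changed since the baseline" >&2
        c_rc=1
    fi
    rm -f "$c_now"
    if grep -q authconfig "$c_log"; then
        echo "FAIL: authconfig appears in $c_log" >&2
        c_rc=1
    fi
    return "$c_rc"
}

# Usage on a client, as root (baseline path is an assumption):
#   snapshot / /root/noac.baseline
#   ipa-client-install --noac   (plus the usual enrollment options)
#   noac_check / /root/noac.baseline /var/log/ipaclient-install.log
```

Symlinks under /etc/pam.d are skipped by `-type f`; the regular files they point to inside the directory are still hashed.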

Comment 9 errata-xmlrpc 2012-06-20 13:32:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html