Bug 874527

Summary: sssd.conf generated from scratch is invalid
Product: Red Hat Enterprise Linux 6
Component: authconfig
Version: 6.4
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Nikolai Kondrashov <nikolai.kondrashov>
Assignee: Tomas Mraz <tmraz>
QA Contact: Iveta Wiedermann <isenfeld>
CC: dpal, isenfeld, jgalipea, jhrozek, kbanerje
Target Milestone: beta
Hardware: Unspecified
OS: Unspecified
Fixed In Version: authconfig-6.1.12-13.el6
Doc Type: Bug Fix
Doc Text:
Cause: When the --enablesssd or --enablesssdauth options were used with authconfig, it could write an incomplete sssd.conf file.
Consequence: The sssd daemon would fail to start.
Fix: Authconfig no longer tries to create the sssd.conf file if it does not have complete information to create an sssd domain.
Result: sssd no longer fails to start when authconfig updates the system configuration. The system administrator must properly configure and start sssd manually when using the --enablesssd or --enablesssdauth options with authconfig.
Last Closed: 2013-02-21 11:02:31 UTC
Type: Bug
Bug Blocks: 881827

Description Nikolai Kondrashov 2012-11-08 11:42:12 UTC
Description of problem:
An sssd.conf generated by authconfig from scratch is invalid.

Version-Release number of selected component (if applicable):
authconfig-6.1.12-11.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. rm -f /etc/sssd/sssd.conf
2. authconfig --updateall --enablesssd --enablesssdauth
  
Actual results:
Starting sssd:                                             [FAILED]

Expected results:
Starting sssd:                                             [OK]

However, it would be better if authconfig didn't reproduce service restart output at all, but instead output an error message and returned a non-successful exit status.

Additional info:
sssd.conf generated by authconfig:

[domain/default]

cache_credentials = True
[sssd]
services = nss, pam
config_file_version = 2

domains = 
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
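
A pre-flight check for the two gaps visible in the generated file: sssd needs at least one domain listed in [sssd] domains, and each domain section needs an id_provider. This is an added example, not part of the original report or of authconfig; check_sssd_conf and both sample files are constructed here, and the values in MANUAL are placeholders.

```python
import configparser

# Constructed sample: the generated file from the report (sections after [nss] omitted).
GENERATED = """\
[domain/default]

cache_credentials = True
[sssd]
services = nss, pam
config_file_version = 2

domains =
[nss]
"""

# Constructed sample: a hand-written file; domain name, provider and URI are placeholders.
MANUAL = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = example
[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
"""

def check_sssd_conf(text):
    """Return a list of findings; an empty list means the checks passed."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return ["unparseable: %s" % exc]
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    findings = []
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    if not enabled:
        findings.append("[sssd] domains is empty")
    for name in enabled:
        if not cp.has_section("domain/" + name):
            findings.append("domain %s has no [domain/%s] section" % (name, name))
    for section in cp.sections():
        if section.startswith("domain/") and not cp.get(section, "id_provider", fallback="").strip():
            findings.append("[%s] has no id_provider" % section)
    return findings
```

Running it against the file on disk before restarting sssd gives the error message the report asks for instead of a bare [FAILED].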

Comment 2 Tomas Mraz 2012-11-08 12:34:18 UTC
Authconfig probably shouldn't create sssd.conf at all in this case (when enablesssd and/or enablesssdauth is used).

Comment 3 Tomas Mraz 2012-11-12 19:49:26 UTC
Also authconfig in this case (using the explicit sssd enablement with --enablesssd or --enablesssdauth) should not try to restart the sssd.

Comment 5 Tomas Mraz 2012-11-13 16:26:12 UTC
Summarizing what will be the fix:

In the case the explicit (not implicit) sssd support is enabled with --enablesssd or --enablesssdauth, authconfig will not write the sssd.conf file and will not try to restart the sssd.

Comment 8 Nikolai Kondrashov 2012-12-03 16:25:51 UTC
Authconfig still creates sssd.conf and restarts sssd when invoked as "authconfig --updateall --enablesssd --enablesssdauth", if sssd.conf doesn't exist.

Verified with authconfig-6.1.12-12.el6.x86_64.

Comment 9 Tomas Mraz 2012-12-04 07:35:07 UTC
Can you please attach the output of 'authconfig --test' here?

Comment 10 Nikolai Kondrashov 2012-12-04 14:18:31 UTC
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is enabled
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is enabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled

Comment 11 Tomas Mraz 2012-12-05 15:16:33 UTC
The fix was incomplete. Fixed.
Thanks for testing.

Comment 13 Nikolai Kondrashov 2012-12-07 11:09:40 UTC
Verified fixed in authconfig-6.1.12-13.el6.x86_64.

Comment 16 errata-xmlrpc 2013-02-21 11:02:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0486.html