Bug 953453
| Summary: | ipa-client-install removes 'sss' from /etc/nsswitch.conf | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stef Walter <stefw> |
| Component: | freeipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | abokovoy, jhrozek, mkosek, pkis, rcritten, spoore, ssorce, tmraz, yelley |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | freeipa-3.2.0-2.fc19 | Doc Type: | Bug Fix |
| Last Closed: | 2013-05-24 20:41:54 UTC | Type: | Bug |
| Bug Blocks: | 918092 | ||
Description
Stef Walter
2013-04-18 08:53:24 UTC
[root@stef-redhat data]# rpm -qf /etc/nsswitch.conf
glibc-2.17-4.fc19.x86_64
[root@stef-redhat data]# mv /etc/nsswitch.conf /etc/nsswitch.conf.bak
mv: overwrite ‘/etc/nsswitch.conf.bak’? yes
[root@stef-redhat data]# yum reinstall glibc
Loaded plugins: langpacks, refresh-packagekit
Resolving Dependencies
--> Running transaction check
---> Package glibc.x86_64 0:2.17-4.fc19 will be reinstalled
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Reinstalling:
glibc x86_64 2.17-4.fc19 fedora 3.6 M
Transaction Summary
================================================================================
Reinstall 1 Package
Total download size: 3.6 M
Installed size: 13 M
Is this ok [y/N]: y
Downloading packages:
glibc-2.17-4.fc19.x86_64.rpm | 3.6 MB 00:04
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : glibc-2.17-4.fc19.x86_64 1/1
Verifying : glibc-2.17-4.fc19.x86_64 1/1
Installed:
glibc.x86_64 0:2.17-4.fc19
Complete!
[stef@stef-redhat projects]$ grep sss /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
services: files sss
netgroup: files sss
automount: files sss
[stef@stef-redhat projects]$ sudo ipa-client-install
[sudo] password for stef:
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): ipa.thewalter.lan
Discovery was successful!
Hostname: stef-redhat.thewalter.lan
Realm: IPA.THEWALTER.LAN
DNS Domain: ipa.thewalter.lan
IPA Server: dc.ipa.thewalter.lan
BaseDN: dc=ipa,dc=thewalter,dc=lan
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin.LAN:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.THEWALTER.LAN
Issuer: CN=Certificate Authority,O=IPA.THEWALTER.LAN
Valid From: Wed Apr 17 12:45:40 2013 UTC
Valid Until: Sun Apr 17 12:45:40 2033 UTC
Enrolled in IPA realm IPA.THEWALTER.LAN
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.THEWALTER.LAN
trying https://dc.ipa.thewalter.lan/ipa/xml
Forwarding 'env' to server u'https://dc.ipa.thewalter.lan/ipa/xml'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dc.ipa.thewalter.lan/ipa/xml'
host_mod: 2.57 client incompatible with 2.47 server at u'https://dc.ipa.thewalter.lan/ipa/xml'
Failed to upload host SSH public keys.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[stef@stef-redhat projects]$ sudo ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]: no
[stef@stef-redhat projects]$ grep sss /etc/nsswitch.conf
[stef@stef-redhat projects]$ echo $?
1
'sss' has been incorrectly removed from /etc/nsswitch.conf even though ipa-client-install claims to have restored it.

Discussion: http://lists.fedoraproject.org/pipermail/devel/2012-October/172688.html

glibc bug which implements the 'sss' by default behavior: https://bugzilla.redhat.com/show_bug.cgi?id=867473

I reproduced this issue too:

# cp /etc/nsswitch.conf /etc/nsswitch.conf.pre-install
# ipa-client-install
...
# diff /etc/nsswitch.conf /etc/nsswitch.conf.pre-install
36c36
< #initgroups: files
---
> initgroups: files
58c58
< netgroup: files sss
---
> netgroup: nisplus sss
62c62
< automount: files sss
---
> automount: files nisplus
# ipa-client-install --uninstall --unattended
# diff /etc/nsswitch.conf /etc/nsswitch.conf.pre-install
33,36c33,36
< passwd: files
< shadow: files
< group: files
< #initgroups: files
---
> passwd: files sss
> shadow: files sss
> group: files sss
> initgroups: files
56c56
< services: files
---
> services: files sss
58c58
< netgroup: files
---
> netgroup: nisplus sss
62c62
< automount: files
---
> automount: files nisplus

However, we do not touch /etc/nsswitch.conf directly, all we do is that we call authconfig to unconfigure what it configured in ipa-client-install phase (/usr/sbin/authconfig --enablesssdauth --update --enablesssd):

2013-04-18T11:14:19Z INFO Disabling client Kerberos and LDAP configurations
2013-04-18T11:14:19Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-04-18T11:14:19Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-04-18T11:14:19Z DEBUG Starting external process
2013-04-18T11:14:19Z DEBUG args=/usr/sbin/authconfig --disablesssdauth --update --disablesssd
2013-04-18T11:14:21Z DEBUG Process finished, return code=0
2013-04-18T11:14:21Z DEBUG stdout=
2013-04-18T11:14:21Z DEBUG stderr=

Moving to authconfig component to decide how this should be handled.

realmd calls authconfig with --disablesssdauth but not with --disablesssd for this very reason.
http://cgit.freedesktop.org/realmd/realmd/tree/service/realmd-redhat.conf#n30

Yeah, this issue may resolve in ipa-client-install not calling --enablesssdauth and --disablesssdauth at all, I just want to have some resolution from nss. Also adding Jakub Hrozek from to CC to have an opinion from SSSD side.

We should never remove sss from nsswitch. Even if sssd-client is not installed at all, getpwnam would be a noop. If it is installed but sssd is not running then you get a very small performance penalty where the sssd-client marshalls the query and attempts to send it to a socket, but this use-case is a really small one.

Ok, we will update our uninstall process. Moving the Bug back to freeipa.

Tomas do you agree with this update schema:

Client install will call authconfig with: --enablesssdauth --update --enablesssd
Client uninstall will call authconfig with: --disablesssdauth --update

?

Upstream ticket: https://fedorahosted.org/freeipa/ticket/3577

Yes, that would achieve the desired outcome.

Fixed upstream.
master: 40966cbe635eb0df80aa8d58c888d325b984ea46

freeipa-3.2.0-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/freeipa-3.2.0-1.fc19

Looks like it's fixed:

[root@f19-3 repo]# ipa-client-install --uninstall -U
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nslcd daemon is not installed, skip configuration
Client uninstall complete.
[root@f19-3 repo]# grep sss /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
services: files sss
netgroup: files sss
automount: files sss
sudoers: sss

Package freeipa-3.2.0-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.2.0-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7911/freeipa-3.2.0-1.fc19
then log in and leave karma (feedback).

freeipa-3.2.0-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
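
A check for the regression tracked in this bug, as an added example that is not part of the bug report or of FreeIPA's code: it compares two nsswitch.conf snapshots and lists the databases that lost the sss source or whose line disappeared. The snapshots are constructed from the diff output quoted in the report; the function names and the hosts line are assumptions made for illustration.

```python
import re

# Snapshots constructed from the diff output quoted in this report; the
# "hosts" line is an added sample to exercise [STATUS=action] handling.
PRE_INSTALL = """\
passwd: files sss
shadow: files sss
group: files sss
initgroups: files
hosts: files dns [NOTFOUND=return] myhostname
services: files sss
netgroup: nisplus sss
automount: files nisplus
"""
AFTER_UNINSTALL = """\
passwd: files
shadow: files
group: files
#initgroups: files
hosts: files dns [NOTFOUND=return] myhostname
services: files
netgroup: files
automount: files
"""

def parse_nsswitch(text):
    """Map each database to its ordered source list (comments and actions dropped)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if ":" not in line:
            continue
        database, sources = line.split(":", 1)
        sources = re.sub(r"\[[^\]]*\]", " ", sources)  # e.g. [NOTFOUND=return]
        table[database.strip()] = sources.split()
    return table

def lost_source(before, after, source="sss"):
    """Databases that listed `source` before but no longer do."""
    old, new = parse_nsswitch(before), parse_nsswitch(after)
    return sorted(db for db, srcs in old.items()
                  if source in srcs and source not in new.get(db, []))

def dropped_databases(before, after):
    """Databases whose line disappeared or was commented out."""
    return sorted(set(parse_nsswitch(before)) - set(parse_nsswitch(after)))

if __name__ == "__main__":
    print("lost sss:", lost_source(PRE_INSTALL, AFTER_UNINSTALL))
    print("dropped :", dropped_databases(PRE_INSTALL, AFTER_UNINSTALL))
```

Run against a copy of /etc/nsswitch.conf saved before enrollment and the live file after `ipa-client-install --uninstall`, an empty result from both functions means the uninstall left name-service lookups as it found them.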