Bug 978241
Summary: | authconfig shouldn't touch /etc/krb5.conf | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | David Spurek <dspurek>
Component: | authconfig | Assignee: | Tomas Mraz <tmraz>
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE - Apps <qe-baseos-apps>
Severity: | medium | Priority: | medium
Version: | 7.0 | CC: | dspurek, ebenes, pkis, stefw
Target Milestone: | rc | Doc Type: | Bug Fix
Hardware: | Unspecified | OS: | Unspecified
Last Closed: | 2013-08-09 13:30:45 UTC | Type: | Bug

Description
David Spurek
2013-06-26 07:27:34 UTC

Well it's a bit more nuanced than that: What we need is a way to have authconfig update the pam stack and nsswitch.conf file (since it owns those), without authconfig doing *anything* else.

/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart

In Fedora 18 the above command accomplished that. In Fedora 19 the behavior of authconfig seems to have changed, and the above command has side effects.

Unfortunately that was added to correct inconsistencies in config files which were produced by the previous behaviour. We will need a detailed analysis why it changes the krb5.conf in this case - can you please copy somewhere the contents of backup files in /var/lib/authconfig/last after each authconfig call and also the final contents of the files in the normal places?

Created attachment 770331
Requested files that are changed by authconfig

So the reason for the krb5.conf update in the second authconfig call is that authconfig pulls default Kerberos realm from sssd.conf and tries to sync krb5.conf with it. I am inclined to call it NOTABUG unless it creates a real problem.

(In reply to Tomas Mraz from comment #4)
> So the reason for the krb5.conf update in the second authconfig call is that
> authconfig pulls default Kerberos realm from sssd.conf and tries to sync
> krb5.conf with it. I am inclined to call it NOTABUG unless it creates a real
> problem.

In general this sort of behavior is going to cause random bugs. The *only* reason we ever call authconfig is because it owns the PAM stack and nsswitch.conf on RHEL and Fedora. If calling it in this context has all sorts of other side effects then that's just asking for a mess later on.

Is there a way to call authconfig so it only touches the PAM stack and nsswitch.conf, and doesn't have the side effect of littering in other files?

I'd like to see the random bugs appear first. Fixing bugs before they appear is usually not possible. The functionality to keep the contents of configuration files in sync was added to fix real bugs; randomly switching it off would not be a good idea. There is no way now to specify just a subset of config files to update, we would have to add an option for that and of course any subsequent authconfig --update call would do the sync anyway.

(In reply to Tomas Mraz from comment #6)
> I'd like to see the random bugs appear first. Fixing bugs before they
> appear is usually not possible.

Fair enough. But perhaps long term we should be thinking about splitting out the responsibility of updating pam.d and nsswitch.conf into a separate package? That way it's not mixed in with all the other duties that authconfig wants to do.