Bug 980861

Summary: authconfig overwrites sss changes /etc/nsswitch.conf during installation
Product: Red Hat Enterprise Linux 7 Reporter: Kaleem <ksiddiqu>
Component: authconfigAssignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE QA Contact: David Spurek <dspurek>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: deanhunter, dspurek, ebenes, jakub, jhrozek, law, mfranc, pfrankli, rstrode, schwab, sgallagh, spoyarek, ssorce, stefw, tmraz
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: authconfig-6.2.7-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 867473
: 1000349 (view as bug list) Environment:
Last Closed: 2014-06-13 11:52:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 867473, 1000348    
Bug Blocks: 917655, 1000349    
Attachments:
Description Flags
nsswitch configuration file
none
Fedora 20 TC2 anaconda-ks.cfg
none
Fedora 20 TC2 nsswitch.conf none

Description Kaleem 2013-07-03 11:31:06 UTC 
Created attachment 768206 [details]
nsswitch configuration file

sssd does not exits in nsswitch.conf by default on fresh installs.

Please find attached nsswitch.conf for reference.

+++ This bug was initially created as a clone of Bug #867473 +++

In Fedora 17 and 18 we have a problem where remote users are unable to log in until the machine has been rebooted. This used to work previously. To fix this we probably need to:

Include 'sss' in /etc/nsswitch.conf by default and have the small sssd-client package (with just thepam, nss plugins) installed on all but minimal Fedora installs.

This happens after configuration using authconfig to change /etc/nsswitch.conf (or doing it manually). The changes are not picked up by long running processes like dbus-daemon --system. As far as I can see dbus-daemon then refuses to allow connections from these users. As might be expected, gnome-shell crashes hard when this happens.

There are some other ways to fix this problem, but these do not scale to fix the problem for every possible affected process:

http://sourceware.org/bugzilla/show_bug.cgi?id=12459

I'm filing this against the authconfig component, but in reality I think it affects more things like comps and anaconda.


TEST CASE:

* This should be ideally run on a freshly installed system or at
  least a system without sss in /etc/nsswitch.conf since last boot.

$ grep sss /etc/nsswitch.conf && "ALREADY HAVE sss"
$ sudo -s
# yum install sssd-tools pamtester
# test -f /etc/sssd/sssd.conf && mv /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak
# echo -e "[sssd]\ndomains=local\nconfig_file_version=2\nservices=nss,pam\n[domain/local]\nid_provider=local" > /etc/sssd/sssd.conf
# chmod 0600 /etc/sssd/sssd.conf
# systemctl start sssd.service
# authconfig --update --enablesssd --enablesssdauth
# sss_useradd --uid=2121 --gecos=Zapp zapp
# passwd zapp # set password for zapp
# pamtester zapp authenticate   # type password, should succeed

* Now go to gdm by logging out or switch user.
* Try to log in as zapp.
* Hang.
* Reboot
* Try to log in as zapp.
* Success

--- Additional comment from Stephen Gallagher on 2012-10-19 10:39:04 EDT ---

Stef, this worked previously because Ray and I hacked GDM to call out to the 'id' command in a separate process to look up the users. This worked around the fact that changes to nsswitch.conf weren't applied to running processes.

However, this always basically hid the fact that it wasn't updating systemd, messagebus etc.

This bug doesn't belong to authconfig. It should be reassigned to glibc. There are two ways to fix it. One is to have the Fedora package ship 'sss' as you suggest.

The better solution would be for glibc to provide a mechanism for nsswitch.conf to be reread somehow, though this has been suggested in the past and rebuffed before, because it would require either polling or an inotify watch on the file (or else checking the file directly on every lookup, thereby slowing ID lookups down significantly.

So I suppose a temporary solution would be to put 'sss' in the default config. It will have no effect if SSSD is not installed or not running. (I have tested this just now).

--- Additional comment from Stef Walter on 2012-10-22 05:36:35 EDT ---

Jeff, I'm trying to generate a patch for this. Wondering where glibc-2.16-75f0d304-fedora.tar.gz comes from? It contains the default nsswitch.conf. Is it in git somewhere?

Or should I instead make a patch?

--- Additional comment from Stef Walter on 2012-10-22 07:59:02 EDT ---

This is a patch to the f18 glibc fedora package.

--- Additional comment from Stef Walter on 2012-10-22 09:14:28 EDT ---

This is a patch to the f19 glibc fedora package

--- Additional comment from Jeff Law on 2012-10-22 11:26:05 EDT ---

Stef,

As far as I can tell neither patch does what you claim it does.  You claim it adds "sss" to nsswitch.conf.  However, both patches simply remove passwd, shadow, group, services and netgroup from nsswitch.conf and do not add sss anywhere.

--- Additional comment from Stef Walter on 2012-10-22 11:39:50 EDT ---

(In reply to comment #5)
> As far as I can tell neither patch does what you claim it does.  You claim
> it adds "sss" to nsswitch.conf.  However, both patches simply remove passwd,
> shadow, group, services and netgroup from nsswitch.conf and do not add sss
> anywhere.

There's something very strange going on with bugzilla.redhat.com here. It somehow modified my patches.

These are the patches I attached, and can be accessed by clicking on the big descriptive links under the 'Attachments' column in the table above. 

For f18: https://bugzilla.redhat.com/attachment.cgi?id=631443

For f19: https://bugzilla.redhat.com/attachment.cgi?id=631478

I have no idea what's going on with the munged patches linked from in comments 3 and 4. :S

--- Additional comment from Jeff Law on 2012-10-22 11:51:11 EDT ---

It's the &action=diff appearing on the link in c#3 and c#4 that triggers the problem.   No clue why though.  They're referencing the same underlying attachment, BZ just munges them.

I'll add these to Fedora.   We already ship a hacked up nsswitch.conf, so this isn't really going to add to our long term maintenance cost.


Jeff

--- Additional comment from Jeff Law on 2012-10-22 12:07:04 EDT ---

nsswitch.conf for F18 and rawhide has been updated.  Builds will spin today.

--- Additional comment from Ray Strode [halfline] on 2012-10-25 10:39:35 EDT ---

note nss-mdns munges /etc/nsswith.conf hosts line to put

 mdns4_minimal [NOTFOUND=return]

on it (in %post).  Two thoughts:

1) is [NOTFOUND=return] important for sss too?
2) Should nsswitch.conf include mdns4_minimal by default as well?

--- Additional comment from Stef Walter on 2012-10-26 15:46:02 EDT ---

(In reply to comment #9)
> note nss-mdns munges /etc/nsswith.conf hosts line to put
> 
>  mdns4_minimal [NOTFOUND=return]
> 
> on it (in %post).  Two thoughts:
> 
> 1) is [NOTFOUND=return] important for sss too?

Why? First of all it's last in the list. And secondly, why would we want to not continue to other modules sss returns NOTFOUND?

> 2) Should nsswitch.conf include mdns4_minimal by default as well?

mdns4_minimal [NOTFOUND=return] breaks domains that end in .local, at least it used to. libnss_sss has been designed to not have any impact if sssd is not running, is that the case for libnss_mdns4_minimal?

--- Additional comment from Fedora Update System on 2012-11-17 00:03:16 EST ---

glibc-2.16-24.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/glibc-2.16-24.fc18

--- Additional comment from Fedora Update System on 2012-11-26 23:51:12 EST ---

glibc-2.16-24.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 2 Siddhesh Poyarekar 2013-07-03 13:43:32 UTC 
Which compose have you tried?  RHEL-7.0-20130628.0 has the latest bits and should work fine.  Closing this as a duplicate of an existing bug 917655.  If the latest compose doesn't work then we'll see what's wrong in that bug.

*** This bug has been marked as a duplicate of bug 917655 ***
Comment 3 Kaleem 2013-07-04 06:58:02 UTC 
I tried with compose RHEL-7.0-20130624.n.0. I will check this in latest compose.
Comment 4 Siddhesh Poyarekar 2013-07-04 07:02:15 UTC 
Please post your observations on bug 917655.
Comment 5 Siddhesh Poyarekar 2013-07-04 17:38:37 UTC 
Reopening this bug.  See bug 917655 comment 5.
Comment 6 Siddhesh Poyarekar 2013-08-20 11:17:13 UTC 
It looks like authconfig assumes USESSSD=no by default and whenever `authconfig --update` is called, sssd is disabled and subsequently sss is removed from /etc/nsswitch.conf.

My theory is that anaconda calls `authconfig --update --nostart` but not --enablesssd, due to which the 'sss' is removed from nsswitch.conf.
Comment 7 Stephen Gallagher 2013-08-20 13:35:29 UTC 
I can confirm from anaconda logs that the following is invoked:

anaconda.program.log:13:02:44,265 INFO program: Running... /usr/sbin/authconfig --update --nostart --enableshadow --passalgo=sha512

So this is the source of the problem. So now the question becomes: do we treat this as an anaconda bug or an authconfig bug?
Comment 8 Tomas Mraz 2013-08-20 14:02:16 UTC 
I need to investigate why authconfig drops it because it should read the presence of sss in nsswitch.conf.

What is the contents of nsswitch.conf before authconfig overwrites it? It should be saved in /var/lib/authconfig/last
Comment 9 Stephen Gallagher 2013-08-20 14:31:41 UTC 
Tomas, I can reproduce the issue simply by editing /etc/nsswitch.conf and adding 'sss' manually to the passwd: line after 'files' and then running:

/usr/sbin/authconfig --update --nostart --enableshadow --passalgo=sha512


After that, the 'sss' has been stripped back out again.
Comment 10 Stef Walter 2013-09-03 16:33:11 UTC 
*** Bug 1003981 has been marked as a duplicate of this bug. ***
Comment 13 Dean Hunter 2013-11-22 18:35:32 UTC 
Please note that on Fedora 19 and 20 Beta authconfig behavior is the same as noted in comments 6 through 9.
Comment 14 Stephen Gallagher 2013-11-26 13:18:09 UTC 
(In reply to Dean Hunter from comment #13)
> Please note that on Fedora 19 and 20 Beta authconfig behavior is the same as
> noted in comments 6 through 9.

I just tried to reproduce this with authconfig-6.2.6-4.fc20.x86_64 and it appears to be working just fine.
Comment 15 Dean Hunter 2013-11-26 21:11:14 UTC 
(In reply to Stephen Gallagher from comment #14)
> (In reply to Dean Hunter from comment #13)
> > Please note that on Fedora 19 and 20 Beta authconfig behavior is the same as
> > noted in comments 6 through 9.
> 
> I just tried to reproduce this with authconfig-6.2.6-4.fc20.x86_64 and it
> appears to be working just fine.

After your comment I built a new VM using Fedora 20 TC2. I used Anaconda, but not Kickstart. The Kickstart and Name Service Switch confiiguration files built by Anaconda are attached. There are no reference to SSS in either file. I was expecting the following references in the NSS configuration file:

passwd:     files sss
shadow:     files sss
group:      files sss
services:   files sss
sudoers:    files sss
netgroup:   files sss
automount:  files sss
Comment 16 Dean Hunter 2013-11-26 21:12:22 UTC 
Created attachment 829491 [details]
Fedora 20 TC2 anaconda-ks.cfg
Comment 17 Dean Hunter 2013-11-26 21:13:13 UTC 
Created attachment 829492 [details]
Fedora 20 TC2 nsswitch.conf
Comment 18 Ludek Smid 2014-06-13 11:52:30 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.