Bug 1001021 - document when authconfig does not create sssd.conf in the manual page
document when authconfig does not create sssd.conf in the manual page
Product: Fedora
Classification: Fedora
Component: authconfig (Show other bugs)
Unspecified Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2013-08-26 06:39 EDT by Bogdan Costescu
Modified: 2015-02-18 06:25 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-02-18 06:25:00 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Bogdan Costescu 2013-08-26 06:39:25 EDT
In a fresh install of F19 using a kickstart file, authconfig does not create /etc/sssd/sssd.conf. The kickstart file contains the line:

authconfig --enableshadow --passalgo=sha512 --enablefingerprint --enableldap --ldapserver=server.example.com --ldapbasedn=o=example.com,c=de --enablekrb5 --krb5kdc=server.example.com --krb5adminserver=server.example.com --krb5realm=example.com --enablekrb5realmdns --enablesssd --enablesssdauth

(where example.com and server.example.com replace actual names). Furthermore, running the same command line after the install with an added "--update" or "--updateall" still doesn't create the file - which led me to file this as an authconfig bug.

This same authconfig kickstart/command line have worked in similar conditions in F17 and before.

Downgrading authconfig package (6.2.6-3.fc19.1) on the F19 install to the initial F18 version (6.2.5-1.fc18.2) doesn't change this behaviour. However downgrading it to initial F17 version (6.2.1-1.fc17) recovers the expected functionality.

The man page of authconfig (from 6.2.6-3.fc19.1) says:

When the configuration settings allow use of SSSD for user information services and authentication, SSSD will be automatically used  instead of the legacy services and the SSSD configuration will be set up so there is a default domain populated with the settings required to connect the services.

which is what F17 and before did. The next phrases are however confusing:

The --enablesssd and --enablesssdauth options force adding SSSD to /etc/nsswitch.conf and /etc/pam.d/system-auth, but they do not set up the domain in the SSSD configuration files. The SSSD configuration has to be set up manually.

contradicts the previous phrase. Anyway, they only talk about the domain setting in SSSD config file, and not about (not) creating the SSSD config file. So I'm quite puzzled now as to what the "blessed" behaviour.
Comment 1 Tomas Mraz 2013-08-26 07:20:59 EDT
You need to use the --update option and simply do not use the --enablesssd --enablesssdauth options as these block setting up the sssd.conf file.

The sssd will be implicitly enabled with --enableldap --enablekrb5.
Comment 2 Bogdan Costescu 2013-08-26 09:53:30 EDT
Dropping --enablesssd --enablesssdauth from the above kickstart/command line still doesn't make authconfig generate the sssd.conf file. I forgot to say that I have already tried this both in the kickstart file and on the command line... so I've changed the status back to 'assigned'.

It would be good anyway to mention in the man page that --enablesssd and/or --enablesssdauth block setting up the sssd.conf file.
Comment 3 Tomas Mraz 2013-08-26 10:01:22 EDT
Ah, I did not notice the --enablekrb5realmdns this is actually what prevents authconfig to enable the implicit SSSD support.

I agree that this should be documented.
Comment 4 Bogdan Costescu 2013-08-26 11:29:47 EDT
Hmmmm, dropping --enablekrb5realmdns (tried only command line, not from kickstart file) still doesn't make authconfig generate sssd.conf.

I looked in the source and found the cause, though I don't fully understand the logic. In /usr/share/authconfig/authinfo.py, at line 3242:

                if not self.sssdDomain:
                        if not self.implicitSSSD:
                                # do not create a domain that would be incomplete anyway
                                return True

is triggered and the rest of the method is not executed. If I comment out 'if not self.implicitSSSD: return True', the sssd.conf is successfully generated and the authentication works.

So what makes implicitSSSD be false there and is this test necessary ?
Comment 5 Tomas Mraz 2013-08-26 17:01:42 EDT
If you used --enablekrb5realmdns before, you need to use --disablekrb5realmdns to disable it.

Then self.implicitSSSD will be set and it will work fine.
Comment 6 Bogdan Costescu 2013-08-27 06:24:39 EDT
Indeed, it seems --disablekrb5realmdns is actually necessary, just dropping --enablekrb5realmdns is not enough. With --disablekrb5realmdns, the sssd.conf file is created.

There is no mention of --[enable|disable]krb5realmdns in the man page of authconfig. From the help description I cannot see the link between creation of the sssd.conf file and the use of DNS to find Kerberos realms. Could you please explain the intention ? And why did the behaviour change with respect to at least F17 ? And maybe better still, document this option...

This bug can be closed.
Comment 7 Tomas Mraz 2013-08-27 07:08:35 EDT
The --disablekrb5realmdns would not be needed in kickstart as the default is disabled. You just must not use --enablekrb5realmdns.

I'll keep the bug open for the manual page improvements.
Comment 8 Fedora End Of Life 2015-01-09 17:16:17 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 9 Fedora End Of Life 2015-02-18 06:25:00 EST
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.