1158826 – ipa-client-install --uninstall ignores --noac option

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1158826 - ipa-client-install --uninstall ignores --noac option

Summary: ipa-client-install --uninstall ignores --noac option

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-10-30 10:19 UTC by David Spurek
Modified:	2016-01-29 13:22 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-01-29 13:22:18 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description David Spurek 2014-10-30 10:19:35 UTC

Description of problem:
ipa-client-install --uninstall ignores --noac option. authconfig component uses it and this problem leads to modified nsswitch.conf after unistallation.

I didn't have this problem with ipa version 3.

Here is my failing use case:

a) authconfig --disablesssd --disablesssdauth --update --nostart" (no sss in nsswitch.conf)
b) authconfig --enableipav2 --ipav2domain=$realmd_REALM_DOMAIN_IPA --ipav2server=$REALM_SERVER --ipav2realm=$REALM_DOMAIN_UPPER --ipav2join=$realmd_ADMINISTRATOR_USER_IPA --update (authconfig calls ipa-client-install with --noac parameter + sets sss in nsswitch.conf and sets sssd in pam)
c) authconfig --disableipav2 --update (calls ipa-client-install --noac --uninstall + disable sss in nsswitch.conf and in pam)

d) cat /etc/nsswitch.conf | grep sss
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files sss
netgroup:   files sss
automount:  files sss
Version-Release number of selected component (if applicable):
ipa-4.1.0-3.el7

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
sss is in nsswitch.conf after uninstall

Expected results:
sss shouldn't be in nsswitch.conf

Additional info:

Comment 1 Petr Vobornik 2014-10-30 16:18:51 UTC

As I already stated on IRC. It is desired that ipa-client-install --uninstall doesn't remove sss from nsswitch.conf. See bug 953453

Therefore I think that "Expected results" are wrong and this is not a bug in IPA.

Ignoring --noac in ipa-client-install --uninstall is also correct since it's an installation option, not an uninstallation one. I would say that if authconfig calls ipa-client-install --uninstall --noac, then there is a bug in authconfig, but it doesn't matter given that the option is ignored.

Even if --noac would have some effect, the desired behaviour of ipa-client-install would be to not touch nsswitch.conf.

And as you stated, sss was added to nsswitch.conf by authconfig, not IPA.

Comment 2 Tomas Mraz 2014-10-31 09:26:05 UTC

That's a simple nonsense - we really need the ipa-client-install to not call authconfig if --noac is passed to it. It is basically impossible to properly handle mechanism enablement/disablement in authconfig if it is recursively called from ipa-client-install. I understand that because ipa-client-install --uninstall call was added to authconfig only recently ipa-client-install does not know that it needs to handle --noac with this action as well, but it is really needed to be added.

Please understand, that the situation here is very different from the bug 953453 because in this case the user explicitly asked for sss to be removed from nsswitch.conf prior to enablement of IPA and that means he most probably also does not want it to stay in nsswitch.conf after IPA is uninstalled.

Comment 3 Petr Vobornik 2014-10-31 16:07:52 UTC

I've straced ipa-client-install --noac and then ipa-client-install --uninstall. After each call I also diffed nsswitch.conf.

tl;dr; ipa-client-install calls authconfig, but doesn't add nor remove sss from nsswitch.conf for services stated in d). It touches 'sudoers' but not through authconfig.

Therefore the stated actual result of this BZ: "sss is in nsswitch.conf after uninstall" has nothing to do with ipa-client-install.

But after investigation of --noac origin, I agree that we have a bug, or more precisely that we incorrectly changed meaning of --noac option.

Help text for the option now says:
  "do not modify the nsswitch.conf and PAM configuration" 
instead of original:
  "do not use Authconfig to modify the nsswitch.conf and PAM configuration".

It was because of 
* https://fedorahosted.org/freeipa/ticket/4052
* https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=5f31f2d35f714880230c1a92a322c620e8708eb3

For others: --noac option was requested by: bug 789413

Question: --noac should mean:
a) ipa-client-install should not call authconfig
b) a) + ipa-client-install should not touch nsswitch.conf

Because

ipa-client-install also touches nsswitch.conf directly to add 'sss' into 'sudoers'. It then removes it on uninstall.

Strace results (grep 'execve("/usr/sbin/authconfig"'):

install with --noac:

16275 execve("/usr/sbin/authconfig", ["/usr/sbin/authconfig", "--update", "--nisdomain", "example.com"], [/* 29 vars */] <unfinished ...>


--uninstall after install with --noac:

16007 execve("/usr/sbin/authconfig", ["/usr/sbin/authconfig", "--disablekrb5", "--disablesssdauth", "--disablemkhomedir", "--update", "--disableldap"], [/* 28 vars */] <unfinished ...>
16071 execve("/usr/sbin/authconfig", ["/usr/sbin/authconfig", "--update", "--nisdomain", ""], [/* 28 vars */] <unfinished ...>


install without --noac:

16627 execve("/usr/sbin/authconfig", ["/usr/sbin/authconfig", "--enablesssdauth", "--update", "--enablesssd"], [/* 29 vars */] <unfinished ...>
16737 execve("/usr/sbin/authconfig", ["/usr/sbin/authconfig", "--update", "--nisdomain", "example.com"], [/* 29 vars */] <unfinished ...>

--uninstall after install without --noac:

16894 execve("/usr/sbin/authconfig", ["/usr/sbin/authconfig", "--disablesssdauth", "--update"], [/* 28 vars */] <unfinished ...>
16972 execve("/usr/sbin/authconfig", ["/usr/sbin/authconfig", "--update", "--nisdomain", ""], [/* 28 vars */] <unfinished ...>

Comment 4 Tomas Mraz 2014-10-31 16:28:47 UTC

The problem is once the authconfig is recursively called from ipa-client-install when it is called itself from authconfig, the outcome is basically undefined and I cannot fix that in authconfig.

It might be true that previously this worked fine only by coincidence though. I could try to fix the potential error in authconfig only after ipa-client-install will not call-back authconfig when started with --noac option.

Comment 5 Petr Vobornik 2014-10-31 16:54:39 UTC

Ok, ipa-client-install should not call authconfig in any way with --noac.

From the strace you can see that it also called authcounfig to set nisdomain. Does caller of `authconfig --enableipav2 ...`  call `authconfig --nisdomain ...` as well? Or is it handled by authconfig? I want to make sure that we won't break anything else.

Will authconfig deal with direct change in nsswitch.conf done by ipa-client-install(to set `sudoers: files sss`) when ipa-client-install is called  by authconfig?

Comment 6 Tomas Mraz 2014-10-31 17:06:47 UTC

Direct change of nsswitch.conf to manipulate sudoers does not matter to authconfig as it will not overwrite this change.

Why does the nisdomain need to be set?

Authconfig currently does not set it when enabling ipav2, so that would have to be added.

Comment 7 Petr Vobornik 2014-11-03 09:51:22 UTC

ipa-client-install configures $domain as NIS domain by default unless --no-nisdomain option is supplied. People might expect that IPA configured by authconfig will have the same behaviour. I don't know if that's really the case.

Comment 8 Petr Vobornik 2014-11-03 11:36:54 UTC

It reveals a design flaw in the --noac usage. There is no single source of truth. Every time ipa-client-install does a change in its usage of authconfig, authconfig will have to do the same change. It's very prone to bugs.

It would be better if authconfig could handle the recursive call and ipa could drop the option.

Is it really so impossible, as you write in comment 2, for authconfig to prepare itself for an outcome of the recursive call?

Comment 9 Tomas Mraz 2014-11-03 11:58:07 UTC

I think we aren't getting anywhere this way. Basically the recursive call can do anything to files that authconfig configures and thus it cannot expect anything. You also cannot expect that the settings done by the recursive call will stay saved. But feel free to close this as wontfix but I will not fix this in authconfig either.

I feel more and more that the IPA support in authconfig was a mistake and should be dropped.

Comment 10 Tomas Mraz 2014-11-03 11:59:16 UTC

And the only supported way to join IPA domain would be directly through the ipa-client-install command.

Comment 11 Petr Vobornik 2014-11-03 12:49:56 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4677

Comment 14 Martin Kosek 2016-01-29 13:22:18 UTC

Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.

Note You need to log in before you can comment on or make changes to this bug.