1207552 – authconfig does not configure /var/lib/sss/pubconf/krb5.include.d/ when called by realm join

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1207552 - authconfig does not configure /var/lib/sss/pubconf/krb5.include.d/ when called by realm join

Summary: authconfig does not configure /var/lib/sss/pubconf/krb5.include.d/ when calle...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	authconfig
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	Dalibor Pospíšil
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	1299059 1371814 (view as bug list)
Depends On:	1146945
Blocks:	1203710 1296125 1313485
TreeView+	depends on / blocked

Reported:	2015-03-31 07:30 UTC by Jan Pazdziora
Modified:	2019-10-10 09:43 UTC (History)
CC List:	15 users (show)
Fixed In Version:	authconfig-6.2.8-11.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 06:46:55 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1146945	0	medium	CLOSED	RFE: Kerberos should support dropping configuration snippets to /etc/ and /usr	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2016:2462	0	normal	SHIPPED_LIVE	authconfig bug fix update	2016-11-03 14:05:55 UTC

Internal Links: 1146945

Description Jan Pazdziora 2015-03-31 07:30:57 UTC

Description of problem:

When machine is joined to AD domain using realm join, it is not possible to use ssh's GSSAPIAuthentication because the auth_to_local, or better yet localauth_plugin is not configured.

realm join should do what ipa-client-install does, add

   includedir /var/lib/sss/pubconf/krb5.include.d/

to krb5.conf.

Version-Release number of selected component (if applicable):

realmd-0.14.6-6.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have AD server, assume realm ADDOMAIN.TEST.
2. Have RHEL 7.1 machine.
3. Configure resolv.conf to point to the AD server, or otherwise make sure realm discover finds the AD domain.
4. Run realm join -v ADDOMAIN.TEST
5. Run kinit administrator
6. Run ssh -l administrator -o GSSAPIAuthentication=yes $( hostname -f )

Actual results:

administrator.lab.eng.bos.redhat.com's password: 

Expected results:

Creating home directory for administrator.
[administrator@host ~]$

Additional info:

Adding

   includedir /var/lib/sss/pubconf/krb5.include.d/

to krb5.conf helps, and since that's what ipa-client-install does, realm join should likely do that as well.

Comment 3 Stef Walter 2015-03-31 08:07:31 UTC

Shouldn't there be a standard include directory that is preconfigured with the kerberos packages, where both sssd and other implementations can place config snippets?

Why do we have to modify this during joining a domain?

Comment 4 Jan Pazdziora 2015-03-31 09:41:35 UTC

(In reply to Stef Walter from comment #3)
> Shouldn't there be a standard include directory that is preconfigured with
> the kerberos packages, where both sssd and other implementations can place
> config snippets?

This effort is being tracked in bug 1146945.

> Why do we have to modify this during joining a domain?

I guess because it's currently the best approach we have. Without that includedir, users will have to do the change manually, and we should make it as seamless as possible for them.

Comment 5 Stef Walter 2015-03-31 10:44:04 UTC

Is there development work being done here? Are you interested in contributing a patch toward this?

In my opinion a fix here would be a hack, rather than the real fix in distributing an intelligent krb5.conf by default. But I'm willing to merge a sane patch that implements the hack, until such a time as krb5.conf does the right thing.

Comment 6 Jan Pazdziora 2015-04-07 13:39:36 UTC

Hmm, since realmd does not seem to touch krb5.conf at all and the modification of that file seems to be done by /usr/sbin/authconfig, maybe the correct component to put that includedir to /etc/kr5b.conf is authconfig, after all?

Comment 7 Stef Walter 2015-04-07 13:50:08 UTC

It could be. 

But i still think the real solution is to have the includedir in krb5.conf by default.

Comment 10 Stef Walter 2015-04-14 09:12:52 UTC

Closing this bug. Two other solutions:

 * authconfig includes this in krb5.conf, since it already configures krb5.conf
 * We include a standard include directory by default in krb5.conf (my preference)

So at the end of the day, this wouldn't be implemented in realmd, closing.

Comment 11 Jan Pazdziora 2015-04-14 09:17:51 UTC

(In reply to Stef Walter from comment #10)
> Closing this bug. Two other solutions:
> 
>  * authconfig includes this in krb5.conf, since it already configures
> krb5.conf

Did you clone this bugzilla for authconfig? Or how do we track it for consideration in authconfig? Shouldn't we just flip the component of this bugzilla instead of WONTFIX?

Comment 12 Stef Walter 2015-04-14 09:18:57 UTC

Sure. Please go ahead.

Comment 14 Jan Pazdziora 2015-04-14 09:41:38 UTC

Moving to component.

We'd like

Comment 15 Jan Pazdziora 2015-04-14 09:43:29 UTC

(In reply to Jan Pazdziora from comment #14)
> Moving to component.
> 
> We'd like

Hit Enter too soon.

Moving to authconfig.

When realm join is used to join host to AD, it calls authconfig to configure krb5.conf. While doing that, it'd be good if authconfig could also put includedir /var/lib/sss/pubconf/krb5.include.d/ there, if sssd is also enabled.

Comment 17 Stef Walter 2015-04-14 09:47:04 UTC

Similar Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1145808

Comment 22 Tomas Mraz 2015-07-03 10:50:42 UTC

The patch I've written makes authconfig to add the includedir line in case the /var/lib/sss/pubconf/krb5.include.d/ is present and readable. It is a RHEL-7 only hack.

Comment 25 Tomas Mraz 2015-09-03 14:10:49 UTC

I'm reassinging to realmd as I do not see a way how to fix this in authconfig in this case.

We are still keeping the patch that adds the include in case authconfig needs to update krb5.conf.

Comment 27 Sumit Bose 2016-01-28 20:41:02 UTC

Tomas, to me this ticket looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1300447. Can you confirm this and close this ticket?

Comment 28 Tomas Mraz 2016-01-29 09:31:13 UTC

I suppose fixing bug 1300447 should fix this as well however we should independently verify it to be sure.

Comment 29 Sumit Bose 2016-02-01 09:14:28 UTC

*** Bug 1299059 has been marked as a duplicate of this bug. ***

Comment 30 Patrik Kis 2016-02-12 16:10:12 UTC

My understanding of this bug is that this was an attempt to get Jan's use case work until bug 1146945 (dropping configuration snippets in krb5) makes it's way into RHEL. This seems to happen soon, so I do not see any reason to keep this open.
Any objection?

Comment 31 Jan Pazdziora 2016-02-12 16:16:20 UTC

(In reply to Patrik Kis from comment #30)
> My understanding of this bug is that this was an attempt to get Jan's use
> case work until bug 1146945 (dropping configuration snippets in krb5) makes
> it's way into RHEL. This seems to happen soon, so I do not see any reason to
> keep this open.
> Any objection?

Robbie, will we get functional equivalency of this bugzilla with bug 1146945?

Comment 32 Jan Pazdziora 2016-02-12 16:18:18 UTC

It seems that having snippet directories supported by Kerberos libraries does not necessarily mean that the correct snippets will be put to correct directories.

Comment 33 Tomas Mraz 2016-02-12 16:49:11 UTC

I do not care as I said fixing bug 1300447 should make it fixed anyway.

Comment 34 Robbie Harwood 2016-02-12 17:39:23 UTC

If I understand correctly - yes, there will be a place on the system preconfigured to drop snippets so there will not be a need to modify krb5.conf anymore.

Comment 35 Jan Pazdziora 2016-02-13 15:31:22 UTC

(In reply to Robbie Harwood from comment #34)
> If I understand correctly - yes, there will be a place on the system
> preconfigured to drop snippets so there will not be a need to modify
> krb5.conf anymore.

There will be place to drop snippets but will the snippets be there by default?

In other words, will the use case from comment 0 work out of box (even after upgrades from older RHEL 7.x) or will authconfig still need to do something, except instead of putting things to /etc/krb5.conf we'd now need it to drop some snippet somewhere to enable SSSD?

Comment 36 Robbie Harwood 2016-02-13 17:43:11 UTC

(In reply to Jan Pazdziora from comment #35)
> (In reply to Robbie Harwood from comment #34)
> > If I understand correctly - yes, there will be a place on the system
> > preconfigured to drop snippets so there will not be a need to modify
> > krb5.conf anymore.
> 
> There will be place to drop snippets but will the snippets be there by
> default?
> 
> In other words, will the use case from comment 0 work out of box (even after
> upgrades from older RHEL 7.x) or will authconfig still need to do something,
> except instead of putting things to /etc/krb5.conf we'd now need it to drop
> some snippet somewhere to enable SSSD?

The expected use case is that files will either be placed or linked into /etc/krb5.conf.d/ as a single place for this kind of file.  Now, dropping files there means they'll be enabled, and I haven't looked at what's being dropped there by authconfig to know if they can be enabled on package install or not, but that's the idea.

Comment 37 Patrik Kis 2016-02-15 08:24:55 UTC

I suggest to turn this bug to a TestOnly as actually nothing is going to be fixed under this particular report. Once all pieces are fixed in RHEL-7.3, we can try your scenario and see it works or not and possibly file the needed bugs.

Comment 40 Jakub Hrozek 2016-08-31 11:48:13 UTC

*** Bug 1371814 has been marked as a duplicate of this bug. ***

Comment 42 errata-xmlrpc 2016-11-04 06:46:55 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2462.html

Note You need to log in before you can comment on or make changes to this bug.