Bug 1392540 - glibc: default nsswitch.conf does not list sss for the automount service
Summary: glibc: default nsswitch.conf does not list sss for the automount service
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: glibc
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Florian Weimer
QA Contact: Sergey Kolosov
Depends On:
Blocks: 1298243 1390370 1581807
TreeView+ depends on / blocked
Reported: 2016-11-07 17:29 UTC by Eugene Keck
Modified: 2020-12-14 07:50 UTC (History)
13 users (show)

Fixed In Version: glibc-2.17-166.el7
Doc Type: Bug Fix
Doc Text:
Cause: The sss service provider was not present for the automount database in /etc/nsswitch.conf. Consequence: Newly provisioned Red Hat Enterprise Linux 7 systems in an IPA environment do not have functioning autofs support. Fix: Add the sss service provider to the automount database in /etc/nsswitch.conf. Result: autofs in newly provisioned systems works.
Clone Of:
: 1581807 1581809 (view as bug list)
Last Closed: 2017-08-01 18:09:25 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1581809 0 high CLOSED glibc: Modernise nsswitch.conf defaults 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHSA-2017:1916 0 normal SHIPPED_LIVE Moderate: glibc security, bug fix, and enhancement update 2017-08-01 18:05:43 UTC

Internal Links: 1581809

Description Eugene Keck 2016-11-07 17:29:58 UTC
Description of problem:
Newly provisioned RHEL 7.3 systems in IPA environment do not have functioning autofs due to the 'sss' option not being added to the automount entry of nsswitch.conf.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ipa-client-automount

Actual results:
automount:  files 

Expected results:
automount:  files sss

Additional info:

Comment 1 Petr Vobornik 2016-11-10 11:00:20 UTC
ipa-client-automount doesn't configure nsswitch with sssd, this should happen earlier in ipa-client-install

This is RHEL 7.3 with IPA 4.4 in lab:
  # cat /etc/nsswitch.conf | grep automount
  automount:  files nisplus
  # cat /var/log/ipaclient-install.log | grep authconfig
  2016-07-11T14:55:35Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
  2016-07-11T14:55:37Z DEBUG args=/usr/sbin/authconfig --update --nisdomain test1.abc.idm.lab.eng.brq.redhat.com

And this Fedora F24 with FreeIPA master (almost the same as 4.4):
  # cat /etc/nsswitch.conf  | grep automount
  automount:  files sss
  # cat /var/log/ipaclient-install.log | grep authconfig
  2016-10-27T12:45:34Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
  2016-10-27T12:45:35Z DEBUG args=/usr/sbin/authconfig --update --nisdomain test2.example.test

Both were IPA servers installed with the same options. The fact that it is not pure client but IPA server should not matter given that both runs ipa-client-install. Question is why the automount parts of nsswitch.conf differ?

But, as written elsewhere, running following commands on RHEL machine fixes the issue:
  # authconfig --disablesssd --update 
  # authconfig --enablesssd --update
  # cat /etc/nsswitch.conf | grep automount
  automount:  files sss

Tomas, any ideas why it happens? I can provide installed machine if needed.

Comment 2 Tomas Mraz 2016-11-10 12:01:48 UTC
The authconfig currently does not modify nsswitch.conf if it sss is present on the passwd: line.

I think this should be solved in the default nsswitch.conf in glibc. As it contains sss already for other databases, it should contain it for automount as well.

Comment 3 Tomas Mraz 2016-11-10 12:02:51 UTC
The workaround for already installed machines is to run 'authconfig --updateall'.

Comment 4 Florian Weimer 2016-11-17 11:17:17 UTC
Should we move /etc/nsswitch.conf to its own package so that we can change it with less QE effort?

Any other changes we should fold into the same change?

Comment 15 errata-xmlrpc 2017-08-01 18:09:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.