Description of problem: The authselect package depends on bits and pieces from dconf package but doesn't declare dconf as a dependency. Amongst others it requires /etc/dconf/db/distro.d/locks, which is provided by dconf: # rpm -qf /etc/dconf/db/distro.d/locks dconf-0.28.0-1.fc28.x86_64 Version-Release number of selected component (if applicable): authselect-0.3.2-1.fc28.x86_64 How reproducible: always, when dconf was never installed before Steps to Reproduce: 1. install a mininmal system without dconf but with authselect 2. run /usr/bin/authselect select sssd --force Actual results: # /usr/bin/authselect select sssd --force [error] Directory [/etc/dconf/db/distro.d] does not exist, please create it! [error] Directory [/etc/dconf/db/distro.d/locks] does not exist, please create it! [error] Some directories are not accessible by authselect! [error] Unable to activate profile [sssd] [1]: Operation not permitted Unable to activate profile [1]: Operation not permitted Expected results: No errors Additional info: See PR https://github.com/freeipa/freeipa/pull/1603 and CI job https://travis-ci.org/freeipa/freeipa/jobs/357429769 for an example The issue blocks FreeIPA's migration from authconfig to authselect for FreeIPA 4.7 and Fedora 28.
PR: https://src.fedoraproject.org/rpms/authselect/pull-request/3
dconf is not required on purpose, since it is not usually present on systems without gdm. However, it should not yield an error and it should be so since 0.3.2-1. I will look into it.
It was fixed in 0.3 and 0.3.1 with: https://github.com/pbrezina/authselect/commit/5d2bfb08a7b5bc86b67023ceaea069e7bc68b06d https://github.com/pbrezina/authselect/commit/4b0f17ec0688237c9d59a66ff85a5189e83d7319 And I can't reproduce it with 0.32, it all works well on my system. If the dconf database directories are not present, authselect will create them and if dconf command is not present, authselect will not call dconf update. There are no errors. [root@authconfig 28]# rpm -qa | grep dconf [root@authconfig 28]# rpm -qa | grep authselect authselect-libs-0.3.2-1.fc28.x86_64 authselect-debuginfo-0.3.2-1.fc28.x86_64 authselect-libs-debuginfo-0.3.2-1.fc28.x86_64 authselect-debugsource-0.3.2-1.fc28.x86_64 authselect-0.3.2-1.fc28.x86_64 authselect-devel-0.3.2-1.fc28.x86_64 authselect-compat-0.3.2-1.fc28.x86_64 [root@authconfig 28]# ll /etc/dconf ls: cannot access '/etc/dconf': No such file or directory [root@authconfig 28]# authselect select sssd --force --debug --trace --warn [info] [authselect_activate] Trying to activate profile [sssd] [info] [authselect_profile_open] Looking up profile [sssd] [info] [authselect_profile_open] Profile [sssd] is a default profile [info] [authselect_profile_open] Profile [sssd] found at [/usr/share/authselect/default/sssd] [info] [authselect_profile_read_meta] Reading file [/usr/share/authselect/default/sssd/README] [info] [authselect_system_read_templates] Reading file [/usr/share/authselect/default/sssd/system-auth] [info] [authselect_system_read_templates] Reading file [/usr/share/authselect/default/sssd/password-auth] [info] [authselect_system_read_templates] Reading file [/usr/share/authselect/default/sssd/smartcard-auth] [info] [authselect_system_read_templates] Reading file [/usr/share/authselect/default/sssd/fingerprint-auth] [info] [authselect_system_read_templates] Reading file [/usr/share/authselect/default/sssd/postlogin] [info] [authselect_system_read_templates] Reading file [/usr/share/authselect/default/sssd/nsswitch.conf] [info] [authselect_system_read_templates] Reading file [/usr/share/authselect/default/sssd/dconf-db] [info] [authselect_system_read_templates] Reading file [/usr/share/authselect/default/sssd/dconf-locks] [info] [authselect_activate] Enforcing activation! [info] [authselect_config_locations_writable] Checking if all required directories are writable. [info] [authselect_config_locations_writable] Creating path [/etc/dconf/db/distro.d] [info] [authselect_config_locations_writable] Creating path [/etc/dconf/db/distro.d/locks] [info] [authselect_symlinks_write] Creating symbolic link [/etc/pam.d/system-auth] to [/etc/authselect/system-auth] [info] [authselect_symlinks_write] Creating symbolic link [/etc/pam.d/password-auth] to [/etc/authselect/password-auth] [info] [authselect_symlinks_write] Creating symbolic link [/etc/pam.d/fingerprint-auth] to [/etc/authselect/fingerprint-auth] [info] [authselect_symlinks_write] Creating symbolic link [/etc/pam.d/smartcard-auth] to [/etc/authselect/smartcard-auth] [info] [authselect_symlinks_write] Creating symbolic link [/etc/pam.d/postlogin] to [/etc/authselect/postlogin] [info] [authselect_symlinks_write] Creating symbolic link [/etc/nsswitch.conf] to [/etc/authselect/nsswitch.conf] [info] [authselect_symlinks_write] Creating symbolic link [/etc/dconf/db/distro.d/20-authselect] to [/etc/authselect/dconf-db] [info] [authselect_symlinks_write] Creating symbolic link [/etc/dconf/db/distro.d/locks/20-authselect] to [/etc/authselect/dconf-locks] [info] [authselect_profile_activate] Dconf is not installed on your system
Thanks for the feedback and fix, Pavel! Since the problem is fixed in authselect-0.3.2, I'm closing the bug and PR.
authselect-0.3.2-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9853e65a1
This bug was filed against F28. It is not yet 'fixed' wrt F28; it will only be fixed when the update goes stable.
Proposing as a freeze exception issue for Beta, making the new tool work properly in a minimal install seems like a good idea, especially if it breaks FreeIPA upgrade on systems without dconf as Christian reports.
Discussed during the 2018-03-26 blocker review meeting: [1] The decision to classify this bug as an AcceptedFreezeException was made as there could be significant install/upgrade-time consequences from authselect not behaving as expected with dconf not present. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-03-26/f28-blocker-review.2018-03-26-16.01.txt
authselect-0.3.2-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.