Description of problem: authselect enables or disables oddjobd.service depending on the mkhomedir argument. In case authselect or authconfig are called without mkhomedir (default), it forcefully disables oddjobd.service. This breaks other services like FreeIPA, which depend on oddjobd. Version-Release number of selected component (if applicable): authselect-0.4-1.fc28.x86_64 How reproducible: always Steps to Reproduce: 1. install FreeIPA server Actual results: Apr 25 12:54:23 host systemd[1]: Started privileged operations for unprivileged applications. Apr 25 12:59:17 host systemd[1]: Stopping privileged operations for unprivileged applications... Apr 25 12:59:17 host systemd[1]: Stopped privileged operations for unprivileged applications. 2018-04-25T10:59:16Z DEBUG args=['/usr/sbin/authconfig', '--enablesssd', '--enablesssdauth', '--update'] 2018-04-25T10:59:17Z DEBUG Process finished, return code=0 2018-04-25T10:59:17Z DEBUG stdout=Running authconfig compatibility tool. IMPORTANT: authconfig is replaced by authselect, please update your scripts. See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault See man authselect-migration(7) to help you with migration to authselect Executing: /usr/bin/authselect select sssd --force Removing file: /etc/krb5.conf.d/authconfig-krb.conf Executing: /usr/bin/systemctl disable winbind.service Executing: /usr/bin/systemctl stop winbind.service Executing: /usr/bin/systemctl disable oddjobd.service Executing: /usr/bin/systemctl stop oddjobd.service Expected results: authselect and authconfig keep oddjobd.service running when it is already enabled. Additional info: Code: https://github.com/pbrezina/authselect/blob/d034782d2df9d9b64bb03096229f64ddae0f2166/src/compat/authcompat.py.in.in#L440-L443 FreeIPA upstream bug: https://pagure.io/freeipa/issue/7465#comment-508462
FreeIPA depends oddjobd.service for two tasks. Without oddjobd it is neither possible to install a replica nor to establish trust with Active Directory. It's highly recommended to create at least one FreeIPA replica. A single master is a single point of failure. upstream PR: https://github.com/pbrezina/authselect/pull/50 Fedora packaging PR: https://src.fedoraproject.org/rpms/authselect/pull-request/4 scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=26556749
fixed scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=26556817 # rpm -qa authselect authselect-0.4-2.fc28.x86_64 # /usr/sbin/authconfig --enablesssd --enablesssdauth --update Running authconfig compatibility tool. IMPORTANT: authconfig is replaced by authselect, please update your scripts. See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault See man authselect-migration(7) to help you with migration to authselect Executing: /usr/bin/authselect select sssd --force Removing file: /etc/krb5.conf.d/authconfig-krb.conf Executing: /usr/bin/systemctl disable winbind.service Executing: /usr/bin/systemctl stop winbind.service # systemctl status oddjobd.service ● oddjobd.service - privileged operations for unprivileged applications Loaded: loaded (/usr/lib/systemd/system/oddjobd.service; disabled; vendor preset: disabled) Active: active (running) since Wed 2018-04-25 13:44:59 CEST; 2h 51min ago ...
Proposed as a Freeze Exception for 28-final by Fedora user sgallagh using the blocker tracking app because: While this bug is very serious, our blocker criterion for F28 does not require replica creation or AD integration to work. I spoke to the FreeIPA upstream and they're working on getting it into an update for 0day at least, but if we end up slipping Fedora 28, I think there's significant value to getting this in as a freeze exception. Also, the patch to fix it is very simple.
authselect-0.4-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-70db86e35f
authselect-0.4-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-70db86e35f
authselect-0.4-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.