1571844 – authselect must not disable oddjobd

Bug 1571844 - authselect must not disable oddjobd

Summary: authselect must not disable oddjobd

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	authselect
Sub Component:
Version:	28
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Pavel Březina
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	F28FinalFreezeException
TreeView+	depends on / blocked

Reported:	2018-04-25 13:58 UTC by Christian Heimes
Modified:	2018-04-27 23:08 UTC (History)
CC List:	3 users (show)
Fixed In Version:	authselect-0.4-2.fc28
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-27 23:08:07 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Fedora Pagure	freeipa issue 7465	0	None	None	None	2018-04-25 13:58:36 UTC

Description Christian Heimes 2018-04-25 13:58:36 UTC

Description of problem:
authselect enables or disables oddjobd.service depending on the mkhomedir argument. In case authselect or authconfig are called without mkhomedir (default), it forcefully disables oddjobd.service. This breaks other services like FreeIPA, which depend on oddjobd.

Version-Release number of selected component (if applicable):
authselect-0.4-1.fc28.x86_64

How reproducible:
always

Steps to Reproduce:
1. install FreeIPA server

Actual results:
Apr 25 12:54:23 host systemd[1]: Started privileged operations for unprivileged applications.
Apr 25 12:59:17 host systemd[1]: Stopping privileged operations for unprivileged applications...
Apr 25 12:59:17 host systemd[1]: Stopped privileged operations for unprivileged applications.

2018-04-25T10:59:16Z DEBUG args=['/usr/sbin/authconfig', '--enablesssd', '--enablesssdauth', '--update']
2018-04-25T10:59:17Z DEBUG Process finished, return code=0
2018-04-25T10:59:17Z DEBUG stdout=Running authconfig compatibility tool.

IMPORTANT: authconfig is replaced by authselect, please update your scripts.
See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault
See man authselect-migration(7) to help you with migration to authselect

Executing: /usr/bin/authselect select sssd --force
Removing file: /etc/krb5.conf.d/authconfig-krb.conf
Executing: /usr/bin/systemctl disable winbind.service
Executing: /usr/bin/systemctl stop winbind.service
Executing: /usr/bin/systemctl disable oddjobd.service
Executing: /usr/bin/systemctl stop oddjobd.service

Expected results:
authselect and authconfig keep oddjobd.service running when it is already enabled.

Additional info:
Code: https://github.com/pbrezina/authselect/blob/d034782d2df9d9b64bb03096229f64ddae0f2166/src/compat/authcompat.py.in.in#L440-L443
FreeIPA upstream bug: https://pagure.io/freeipa/issue/7465#comment-508462

Comment 1 Christian Heimes 2018-04-25 14:19:59 UTC

FreeIPA depends oddjobd.service for two tasks. Without oddjobd it is neither possible to install a replica nor to establish trust with Active Directory. It's highly recommended to create at least one FreeIPA replica. A single master is a single point of failure.

upstream PR: https://github.com/pbrezina/authselect/pull/50
Fedora packaging PR: https://src.fedoraproject.org/rpms/authselect/pull-request/4
scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=26556749

Comment 2 Christian Heimes 2018-04-25 14:36:42 UTC

fixed scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=26556817

# rpm -qa authselect
authselect-0.4-2.fc28.x86_64
# /usr/sbin/authconfig --enablesssd --enablesssdauth --update
Running authconfig compatibility tool.

IMPORTANT: authconfig is replaced by authselect, please update your scripts.
See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault
See man authselect-migration(7) to help you with migration to authselect

Executing: /usr/bin/authselect select sssd --force
Removing file: /etc/krb5.conf.d/authconfig-krb.conf
Executing: /usr/bin/systemctl disable winbind.service
Executing: /usr/bin/systemctl stop winbind.service

# systemctl status oddjobd.service
● oddjobd.service - privileged operations for unprivileged applications
   Loaded: loaded (/usr/lib/systemd/system/oddjobd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-04-25 13:44:59 CEST; 2h 51min ago
   ...

Comment 3 Fedora Blocker Bugs Application 2018-04-25 14:38:49 UTC

Proposed as a Freeze Exception for 28-final by Fedora user sgallagh using the blocker tracking app because:

 While this bug is very serious, our blocker criterion for F28 does not require replica creation or AD integration to work. I spoke to the FreeIPA upstream and they're working on getting it into an update for 0day at least, but if we end up slipping Fedora 28, I think there's significant value to getting this in as a freeze exception.

Also, the patch to fix it is very simple.

Comment 4 Fedora Update System 2018-04-26 09:15:14 UTC

authselect-0.4-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-70db86e35f

Comment 5 Fedora Update System 2018-04-26 15:33:47 UTC

authselect-0.4-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-70db86e35f

Comment 6 Fedora Update System 2018-04-27 23:08:07 UTC

authselect-0.4-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.