Bug 1577243 - nss-mdns modifies /etc/nsswitch.conf in scriptlets which conflicts with authselect on Fedora 28
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: nss-mdns
Version: 31
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Adam Goode
QA Contact: Fedora Extras Quality Assurance
Blocks: 1471318
Reported: 2018-05-11 14:27 UTC by Edgar Hoch
Modified: 2019-08-13 19:02 UTC (History)

Description Edgar Hoch 2018-05-11 14:27:28 UTC
Description of problem:

nss-mdns modifies /etc/nsswitch.conf in postinstall and preuninstall scripts.
This conflicts with authselect which checks if /etc/nsswitch.conf is modified and refuses changes if it detects changes by other programs.

The new concept of authselect is - if I have understood it right - that only authselect should modify the files that it was designed to configure.

As a consequence, packages in Fedora 28 shouldn't change /etc/nsswitch.conf in their scriptlets.


# rpm -q --scripts nss-mdns
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
# sed-fu to add mdns4_minimal to the hosts line of /etc/nsswitch.conf
if [ -f /etc/nsswitch.conf ] ; then
	sed -i.bak '
		/^hosts:/ !b
		/\<mdns\(4\|6\)\?\(_minimal\)\?\>/ b
		s/\([[:blank:]]\+\)dns\>/\1mdns4_minimal [NOTFOUND=return] dns/g
		' /etc/nsswitch.conf
fi
preuninstall scriptlet (using /bin/sh):
# sed-fu to remove mdns4_minimal from the hosts line of /etc/nsswitch.conf
if [ "$1" -eq 0 -a -f /etc/nsswitch.conf ] ; then
	sed -i.bak '
		/^hosts:/ !b
		s/[[:blank:]]\+mdns\(4\|6\)\?\(_minimal\( \[NOTFOUND=return\]\)\?\)\?//g
	' /etc/nsswitch.conf
fi
postuninstall program: /sbin/ldconfig


authselect shows the following error

# authselect check
[error] [/etc/nsswitch.conf] is not a symbolic link!
[error] [/etc/nsswitch.conf] was not created by authselect!
Current configuration is not valid. It was probably modified outside authselect.


... and denies setting a configuration from profiles (without --force option)

# authselect select sssd with-encryptfs
[error] [/etc/nsswitch.conf] is not a symbolic link!
[error] [/etc/nsswitch.conf] was not created by authselect!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.

Some unexpected changes to the configuration were detected.
Use --force parameter if you want to overwrite these changes.



Version-Release number of selected component (if applicable):
nss-mdns-0.14.1-1.fc28.x86_64

How reproducible:
Always
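
Added example (not part of the original report or of the nss-mdns package): the postinstall sed from the description, replayed in a scratch directory. It assumes GNU sed and assumes nsswitch.conf is a symlink to a generated file, which is what the "is not a symbolic link" check expects; paths, file contents and function names are constructed. It shows that `sed -i` rewrites the hosts line and also replaces the symlink with a regular file, leaving the generated file untouched.

```sh
#!/bin/sh
# Constructed fixture: nothing here touches the real /etc.

# sed program copied from the postinstall scriptlet quoted in the description.
add_mdns() {
	sed -i.bak '
		/^hosts:/ !b
		/\<mdns\(4\|6\)\?\(_minimal\)\?\>/ b
		s/\([[:blank:]]\+\)dns\>/\1mdns4_minimal [NOTFOUND=return] dns/g
		' "$1"
}

# Scratch tree with nsswitch.conf as a symlink to a generated file
# (assumed layout; the directory name "authselect" is illustrative).
make_fixture() {
	dir=$(mktemp -d) || return 1
	mkdir "$dir/authselect" || return 1
	printf '%s\n' \
		'# Generated by authselect (constructed sample)' \
		'passwd:     sss files systemd' \
		'hosts:      files dns myhostname' \
		> "$dir/authselect/nsswitch.conf"
	ln -s authselect/nsswitch.conf "$dir/nsswitch.conf" || return 1
	printf '%s\n' "$dir"
}

# Drift report: file type, then the effective hosts line.
audit() {
	if [ -L "$1" ]; then kind=symlink; else kind=regular; fi
	printf '%s|%s\n' "$kind" "$(grep '^hosts:' "$1")"
}

# Demo: audit before and after the scriptlet's edit.
demo_dir=$(make_fixture) || exit 1
audit "$demo_dir/nsswitch.conf"
add_mdns "$demo_dir/nsswitch.conf"
audit "$demo_dir/nsswitch.conf"
rm -rf "$demo_dir"
```

The second audit line reports a regular file whose hosts entry differs from the generated one, which is the kind of drift a configuration check can flag.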

Comment 1 Adam Goode 2018-05-11 15:09:50 UTC
The nss-mdns scriptlet is the most brittle part of the package. If there is any way we can get rid of it forever, I would love to do it.

Comment 2 Adam Goode 2018-05-11 15:16:57 UTC
I filed this upstream bug to investigate more:
https://github.com/pbrezina/authselect/issues/51

Comment 3 Matt Johnson 2018-05-18 18:32:06 UTC
I've encountered the inverse of this bug, where authselect clobbers the existing mdns modifications made to /etc/nsswitch.conf. I just recently did a clean install of Fedora 28 last Tuesday. nss-mdns and authselect are both installed. The contents of my nsswitch.conf file are:

$ cat /etc/nsswitch.conf
# Generated by authselect on Tue May 15 23:43:17 2018
# Do not modify this file manually.
                 
passwd:      sss files systemd
group:       sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
sudoers:    files sss
                                  
shadow:     files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
hosts:      files dns myhostname

aliases:    files nisplus
bootparams: nisplus [NOTFOUND=return] files
publickey:  nisplus

I am able to use avahi-resolve-host-name to manually resolve local devices:

$ avahi-resolve-host-name uwbts3.local
uwbts3.local	fe80::201:2eff:fe70:fabe

But I am unable to ping local devices

$ ping uwbts3.local                                          
ping: uwbts3.local: Name or service not known

After manually reinstalling nss-mdns, mdns resolution is restored because of the modifications made to the /etc/nsswitch.conf file (note the hosts: line).

$ sudo dnf remove nss-mdns
$ sudo dnf install nss-mdns

$ cat /etc/nsswitch.conf
# Generated by authselect on Tue May 15 23:43:17 2018
# Do not modify this file manually.

passwd:      sss files systemd
group:       sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
sudoers:    files sss

shadow:     files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname

aliases:    files nisplus
bootparams: nisplus [NOTFOUND=return] files
publickey:  nisplus

Comment 4 mathew 2018-06-20 16:24:17 UTC
I, too, am here because Fedora 28 broke my existing nsswitch.conf.

Furthermore, authselect doesn't seem to have any option to re-enable Avahi/Zeroconf.

It seems from https://github.com/pbrezina/authselect/issues/51 that there's no easy fix, so for now I'm just patching nsswitch.conf because I need to be able to use my printer, etc.

Comment 5 Adam Farden 2018-08-06 10:29:10 UTC
This is still broken on a clean net-install pulling in all the latest packages. I just had to do a 'sudo dnf reinstall nss-mdns' to get functionality working.

Interestingly this only affected my Desktop PC. My IoT boards running a build of ARM minimal server do not have this problem and can ping each other normally.

Comment 6 Ben Cotton 2019-05-02 19:45:13 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 7 Edgar Hoch 2019-05-18 00:17:06 UTC
The problem still exists on Fedora 30. The package version is still the same as in Fedora 28; it was only rebuilt for the current release.

In the meantime there were many improvements in authselect, and I think the maintainer of authselect will provide additional functionality if necessary, so I think it should be possible to find a better solution for nss-mdns than using sed in package scripts!

Upstream source on github has been unchanged for a year.

Comment 8 Adam Goode 2019-05-19 18:16:49 UTC
Yes, I got stalled on trying to understand the authselect integration. Any contributions welcome.

Comment 9 Ben Cotton 2019-08-13 16:57:59 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 10 Ben Cotton 2019-08-13 19:02:03 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

