Bug 1577615 - Freeipa Client install does not add sss entry for sudoers in nsswitch.conf
Summary: Freeipa Client install does not add sss entry for sudoers in nsswitch.conf
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2018-05-13 13:59 UTC by Martin Jackson
Modified: 2019-05-03 13:00 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-05-03 13:00:48 UTC
Type: Bug

Attachments (Terms of Use)

Description Martin Jackson 2018-05-13 13:59:53 UTC
Description of problem:
When running freeipa-client-install, previous versions of freeipa added an sss entry to sudoers in nsswitch.conf.  This version appears no to do that.

Version-Release number of selected component (if applicable):

How reproducible:
Every time I've tried

Steps to Reproduce:
1. Join a client to a freeipa domain
2. Inspect /etc/nsswitch.conf

Actual results:
Unable to sudo using freeipa rules

Expected results:
Able to sudo as freeipa user

Additional info:

Comment 1 Rob Crittenden 2018-05-14 14:53:57 UTC
What options to ipa-client-install did you use?

Comment 2 Martin Jackson 2018-05-14 15:14:09 UTC
--enable-dns-update --mkhomedir

Comment 3 Pavel Březina 2018-05-15 09:04:00 UTC
Is this IPA version already the one that uses authselect? If yes, IPA still modifies nsswitch.conf on its own [1].

I recently fixed [2] in authselect, but removing "sudoers: files sss" by default and leaving only "sudoers: files". 'authselect select sssd with-sudo' needs to be called to enable sssd for sudo.

If you modify nsswitch.conf before calling authselect, it gets overwritten. Otherwise it should not be related. You should switch to authselect here as well.

[1] https://github.com/freeipa/freeipa/blob/master/ipaclient/install/client.py#L914
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1573403

Comment 4 Alexander Bokovoy 2018-05-24 11:15:45 UTC
FreeIPA does not explicitly use authselect on IPA clients. However, if authselect-compat is installed, and it will be installed in 4.6.90.pre1 because that's the version without authselect support, it will override all data on upgrade. Looks like this is an outcome from using 'authconfig' because authselect-compat-provided authconfig version will effectively call authselect. As result, it will configure itself as 'authselect is there and in use'.

$ rpm -q --scripts authselect-libs
preinstall scriptlet (using /bin/sh):
rm -f "/var/lib/rpm-state/authselect.update-profile"
if [ $1 -gt 1 ] ; then
    # Check that authselect cli is installed, otherwise there is nothing to do.
    rpm -q authselect &> /dev/null
    if [ $? -ne 0 ] ; then
      exit 0

    # This is an upgrade. Check that the current configuration is valid
    # and store the information for later use in posttrans. The check must
    # be done here (before profiles are updated), otherwise it would return
    # an error if the new profile is different from the old one but selected.
    /usr/bin/authselect check &> /dev/null
    if [ $? -eq 0 ]; then
      touch "/var/lib/rpm-state/authselect.update-profile"

exit 0
posttrans scriptlet (using /bin/sh):
if [ -f "/var/lib/rpm-state/authselect.update-profile" ]; then
    # This is an upgrade. Update current profile if possible.
    PROFILE=`/usr/bin/authselect current --raw`
    if [ $? -eq 0 ]; then
        /usr/bin/authselect select $PROFILE --force &> /dev/null
    rm -f "/var/lib/rpm-state/authselect.update-profile"

exit 0

Comment 5 Alexander Bokovoy 2018-05-24 11:16:20 UTC
With freeipa-4.6.90.pre2 we are not using authconfig anymore so authselect-compat should not be involved.

Comment 6 Alexander Bokovoy 2018-05-30 13:49:46 UTC
Pavel fixed it in authselect upgrade scripts: https://github.com/pbrezina/authselect/commit/a49011d68931e196b86750f3ce854454aaa16528

Comment 7 Pavel Březina 2018-05-31 10:25:47 UTC
I prepared a scratch build with spec file changes applied. Please test.


Comment 8 Florence Blanc-Renaud 2018-06-01 08:42:35 UTC
Upstream ticket:

Comment 9 Florence Blanc-Renaud 2018-06-14 14:28:31 UTC
Hi Pavel,
with the scratch build, the profile is updated to sssd with-sudo and sudo is working.

Comment 10 Martin Pitt 2018-06-15 08:13:05 UTC
I installed the authselect{,-libs}-0.4-3.1.fc28.x86_64 scratch build, joined a domain, and nsswitch.conf still only says "sudoers:    files", and sudo is not working. The fix above only seems to apply to upgrades, not to fresh installs and realm joins?

Comment 11 Florence Blanc-Renaud 2018-06-15 08:16:10 UTC
Hi Martin,
you are right, the fix only applies to upgrades. We also need to make a fix on ipa side for fresh installs (in the installer, configure authselect select sssd *with-sudo*).

Comment 12 Christian Heimes 2018-06-19 06:54:08 UTC
Fixed in FreeIPA upstream

Comment 13 Petr Vobornik 2018-06-19 08:24:50 UTC
Correcting status to POST which means fixed upstream.

Comment 14 Ben Cotton 2019-05-02 21:33:32 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 15 Martin Pitt 2019-05-03 05:58:55 UTC
FTR, we long stopped doing/testing Cockpit updates on Fedora 28, so I don't know if F28 is still affected (F29 is definitively not).

Comment 16 Rob Crittenden 2019-05-03 13:00:48 UTC
It was fixed in the 4.7.0 release.

Note You need to log in before you can comment on or make changes to this bug.