Description of problem: With a clean FreeIPA client install with --mkhomedir, oddjobd isn't enabled and started so instead of a new homedir I get a dbus/.service file not found error message. Version-Release number of selected component (if applicable): freeipa-4.6.90.pre2-3.fc28.x86-64 How reproducible: Always Steps to Reproduce: 1. Install FreeIPA client with --mkhomedir 2. Log into an account without a homedir 3. Note error Actual results: Homedir not made Expected results: Homedir made
Bug analysis ------------ Valid bug: yes Regression: yes Regression introduction: Fedora 28 (with the switch to authselect) Affected versions: FreeIPA 4.6.90.pre2-3+ Use cases (reproduction steps): see below Cause: 'authselect select sssd with-mkhomedir' does not enable oddjobd service Consequence: user login does not trigger the creation of the home directory Workaround: manually enable and start oddjobd before ipa-client-install Fix complexity: ? Reproduction: fresh FC28 install, oddjobd disabled and stopped Check the current authselect profile, the feature with-mkhomedir is not set: # authselect current Profile ID: sssd Enabled features: None # dnf install freeipa-client (version 4.6.90.pre2-3.fc28 ) # ipa-client-install --domain $DOMAIN --realm $REALM --principal admin --password Secret123 --mkhomedir -U # systemctl status oddjobd ● oddjobd.service - privileged operations for unprivileged applications Loaded: loaded (/usr/lib/systemd/system/oddjobd.service; disabled; vendor pr> Active: inactive (dead) Check the authselect profile, the installer has properly configured the option with-mkhomedir: # authselect current Profile ID: sssd Enabled features: - with-mkhomedir Try to login as test user: # su - test org.freedesktop.DBus.Error.ServiceUnknown: The name com.redhat.oddjob_mkhomedir was not provided by any .service files su: warning: cannot change directory to /home/test: No such file or directory # exit If oddjobd is manually started, the same command will succeed. ipa-client-install is internally calling authselect. I would expect the command 'authselect select sssd with-mkhomedir' to start oddjobd, hence moving the bug to authselect component. pbrezina, if my assumption is false, feel free to re-assign the issue to ipa component.
That is nice analysis Florence, thank you. However, I will switch the bug back to ipa. Authselect only purpose is to write the pam and nsswitch configuration and it is not responsible for configuring the services. This is left on the tool/person that runs authselect.
Sorry Pavel but this is clear regression from authconfig times. It was authconfig who configured oddjobd when oddjob-mkhomedir is installed and --enablemkhomedir option is used to authconfig. It is again a regression in functionality.
Note that this regression is unrelated to FreeIPA at all. authconfig allowed to use --enablemkhomedir option with any identity/authentication solution. oddjobd does not depend on FreeIPA and does not require any additional configuration beyond what's packaged in Fedora/RHEL/etc.
Authselect is not authconfig, never claimed to be and from the very beginning we stated that it will not configure and manage services and it was written in every internal document we had as well as in the Fedora change page. Authors of FreeIPA conversion to authselect knew it as well, as I told them personally on one of our meetings. I did not heard any complains on this design decision then. Managing and configuring services is left on the caller of authselect. There is authselect-migration(7) that can help with this step.
I find it very much unhelpful to invoke a city council way of handling design from HG2G. This is not a way how a replacement software is designed, sorry. Authselect-provided configuration requires oddjob-based pam_mkhomedir and leaves it not working. I could understand if authselect was only a backend configuration service not available to direct call by an admin. However, it intentionally provides a simple command line interface and leaves no hints that certain services have to be enabled. Either authselect needs to call 'systemctl --now enable oddjob' when enabling with-mkhomedir feature of sssd profile or it needs clearly instruct callers on the required actions. This is not about FreeIPA client per se, it is for everyone's good.
(In reply to Alexander Bokovoy from comment #6) > it needs clearly instruct callers on the required actions. We can do this.
I opened this upstream ticket: https://github.com/pbrezina/authselect/issues/55
Thank you. Flo, I guess we'll reuse this bugzilla for FreeIPA client to enable oddjobd.
Alexander: > Flo, I guess we'll reuse this bugzilla for FreeIPA client to enable oddjobd. yes, we need to start and enable oddjobd in ipa-client-install installer. Probably need to check if ipa-restore is doing it, too.
Upstream ticket: https://pagure.io/freeipa/issue/7604
Fixed upstream in master (4.7): a39f656 ipa-client-install: enable and start oddjobd if mkhomedir 7bf99e8 Add test for ticket 7604: ipa-client-install --mkhomedir doesn't enable oddjobd
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fixed in 4.7.0