Bug 1694103
| Summary: | authselect enable-feature with-mkhomedir should print requirements | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Oliver Falk <ofalk> |
| Component: | authselect | Assignee: | Pavel Březina <pbrezina> |
| Status: | CLOSED ERRATA | QA Contact: | Steeve Goveas <sgoveas> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.0 | CC: | dlavu |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.0 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-05 22:33:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Authselect itself only configures PAM and nsswitch.conf. It does not start/stop required daemons nor configure them. Using the 'select' command, it will write what further changes should be done to the system. Perhaps, we should write the same information with 'enable-feature'?

```
$ sudo authselect select sssd with-mkhomedir
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service
```

Hey Pavel!

Thanks for the clarification. For me enable-feature should also really _enable_ the feature => Start the right daemons. If I remember correctly that's what authconfig did as well in the past. However, yes, if that's not the way to go, we should at least notify the user that he/she needs to do some additional steps.

Oliver

Yes, authconfig used to (tried to) configure underlying services and it was part of the reason why we designed new tool to replace it, because it did not keep track with the development of these services. So authselect focuses solely on the PAM and nsswitch. Everything else is left on administrator or other tools (realmd, ipa-client-install). I understand it may bring a little confusion when you adopt the new tool, although I believe it is well documented in manual pages (please correct me if I am wrong).

Enable-feature might as well start the oddjobd service, but disable-feature can not disable it (because there may be other services depending on it) so it would bring inconsistency.

I opened upstream ticket: https://github.com/pbrezina/authselect/issues/145

Indeed, stopping the services is a bad idea and it's better to not do it. Thanks for opening the upstream issue and taking care of it.
If we print the information, I'm fine with it. I just found it confusing/misleading that after running enable-feature, it didn't work.

Oliver

Oliver, is this output sufficient?

```
$ sudo authselect enable-feature with-smartcard
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf:
  - set "pam_cert_auth = True" in [pam] section

$ authselect enable-feature with-mkhomedir
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service
```

Hi Pavel!

Yes, that makes sense! This will not avoid that automated installs will run into the issue, but if someone goes further and debugs the issue, he/she will be hinted into the right direction.

Thanks a lot!

Oliver

Verified against authselect-1.1-2.el8.x86_64

```
[root@kvm-08-guest27 ~]# sudo authselect enable-feature with-smartcard
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf:
  - set "pam_cert_auth = True" in [pam] section

[root@kvm-08-guest27 ~]# authselect enable-feature with-mkhomedir
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3647

Description of problem:

Since I have my users created in IdM, I have no local users. Therefore no home directories exist on a newly installed machine. Therefore I always used to use pam_mkhomedir. Now with RHEL8, authselect is the way to go; however, enabling the mkhomedir feature with authselect doesn't start oddjobd, which is required for pam_oddjob_mkhomedir to work correctly.

Version-Release number of selected component (if applicable):

1.0-5.el8

How reproducible:

Always.

Steps to Reproduce:

1. Make sure oddjobd is stopped/disabled
   `# systemctl disable --now oddjobd`
2. Enable with-mkhomedir using authselect
   `# authselect enable-feature with-mkhomedir`
3. (optional, since it has no effect) Apply the changes
   `# authselect apply-changes`
4. Verify oddjobd isn't enabled
   `# systemctl is-enabled oddjobd`

Actual results:

Oddjobd isn't enabled/started:

```
# systemctl is-enabled oddjobd
disabled
```

Expected results:

Oddjobd is enabled and started (at least after you run authselect apply-changes)

```
# systemctl is-enabled oddjobd
enabled
# systemctl is-active oddjobd
active
```
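
The thread notes that a printed hint does not help automated installs. As an added example (not authselect or Red Hat code), this script turns the hint text shown above into a post-provisioning check by extracting the units named in `systemctl enable` lines and reporting any that are not enabled and active. The function names, the `fake_systemctl` stand-in and the sample text are assumptions constructed for illustration, and the script assumes the hints have been captured from the authselect call.

```shell
#!/bin/sh
# Added example (not authselect code): check the services authselect only hints at.

# Constructed sample: the hint text shown above for with-mkhomedir.
SAMPLE='Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service'

# Read authselect hint text on stdin; print each unit named in a
# "- systemctl enable <unit>" line, one per line, de-duplicated.
required_units() {
    sed -n 's/^[[:space:]]*-[[:space:]]*systemctl enable[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]*$/\1/p' | sort -u
}

# Read unit names on stdin; print one line per unit that is not both
# enabled and active. $1 is the query command (hypothetical hook so the
# check can be exercised without systemd); it defaults to systemctl.
missing_units() {
    query=${1:-systemctl}
    while read -r unit; do
        [ -n "$unit" ] || continue
        enabled=$("$query" is-enabled "$unit" 2>/dev/null) || true
        active=$("$query" is-active "$unit" 2>/dev/null) || true
        if [ "$enabled" != enabled ] || [ "$active" != active ]; then
            printf '%s enabled=%s active=%s\n' "$unit" "${enabled:-unknown}" "${active:-unknown}"
        fi
    done
}

# Constructed stand-in for systemctl reproducing the report's "Actual results".
fake_systemctl() {
    case "$1" in
        is-enabled) echo disabled; return 1 ;;
        is-active)  echo inactive; return 3 ;;
    esac
}

# Demo on the sample; on a real host drop the argument to query systemd.
printf '%s\n' "$SAMPLE" | required_units | missing_units fake_systemctl
```

Any output line means login may succeed while home directory creation fails, so a provisioning job can treat non-empty output as a failed step.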