Bug 1694103 - authselect enable-feature with-mkhomedir should print requirements
Summary: authselect enable-feature with-mkhomedir should print requirements
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: authselect
Version: 8.0
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: 8.0
Assignee: Pavel Březina
QA Contact: Steeve Goveas
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-29 14:20 UTC by Oliver Falk
Modified: 2020-11-14 08:00 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 22:33:32 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3647 0 None None None 2019-11-05 22:33:41 UTC

Description Oliver Falk 2019-03-29 14:20:06 UTC
Description of problem:

Since I have my users created in IdM, I have no local users. Therefore no home directories exist on a newly installed machine.
Therefore I always used to use pam_mkhomedir.
Now with RHEL8, authselect is the way to go; however, enabling the mkhomedir feature with authselect doesn't start oddjobd, which is required for pam_oddjob_mkhomedir to work correctly.


Version-Release number of selected component (if applicable): 1.0-5.el8


How reproducible: Always.


Steps to Reproduce:
1. Make sure oddjobd is stopped/disabled
   # systemctl disable --now oddjobd

2. Enable with-mkhomedir using authselect
   # authselect enable-feature with-mkhomedir

3. (optional, since it has no effect) Apply the changes
   # authselect apply-changes

4. Verify oddjobd isn't enabled
   # systemctl is-enabled oddjobd


Actual results:
Oddjobd isn't enabled/started:

    # systemctl is-enabled oddjobd
    disabled


Expected results:
Oddjobd is enabled and started (at least after you run authselect apply-changes)

    # systemctl is-enabled oddjobd
    enabled
    # systemctl is-active oddjobd
    active

Comment 1 Pavel Březina 2019-04-01 08:50:35 UTC
Authselect itself only configures PAM and nsswitch.conf. It does not start/stop required daemons nor configures them. Using the 'select' command, it will write what further changes should be done to the system. Perhaps, we should write the same information with 'enable-feature'?

$ sudo authselect select sssd with-mkhomedir
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

Comment 2 Oliver Falk 2019-04-01 08:58:08 UTC
Hey Pavel!

Thanks for the clarification. For me enable-feature should also really _enable_ the feature => Start the right daemons. If I remember correctly that's what authconfig did as well in the past. However, yes, if that's not the way to go, we should at least notify the user that he/she needs to do some additional steps.

Oliver

Comment 3 Pavel Březina 2019-04-01 09:29:51 UTC
Yes, authconfig used to (tried to) configure underlying services and it was part of the reason why we designed new tool to replace it, because it did not keep track with the development of these services. So authselect focuses solely on the PAM and nsswitch. Everything else is left on administrator or other tools (realmd, ipa-client-install). I understand it may bring a little confusion when you adopt the new tool, although I believe it is well documented in manual pages (please correct me if I am wrong). Enable-feature might as well start the oddjobd service, but disable-feature cannot disable it (because there may be other services depending on it) so it would bring inconsistency.

I opened upstream ticket:
https://github.com/pbrezina/authselect/issues/145

Comment 4 Oliver Falk 2019-04-01 09:41:19 UTC
Indeed, stopping the services is a bad idea and it's better to not do it.
Thanks for opening the upstream issue and taking care of it. If we print the information, I'm fine with it. I just found it confusing/misleading that after running enable-feature, it didn't work.

Oliver

Comment 5 Pavel Březina 2019-04-30 09:15:37 UTC
Oliver, is this output sufficient?

$ sudo authselect enable-feature with-smartcard
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf:
  - set "pam_cert_auth = True" in [pam] section

$ authselect enable-feature with-mkhomedir
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

Comment 6 Oliver Falk 2019-04-30 09:37:48 UTC
Hi Pavel!

Yes, that makes sense! This will not avoid that automated installs will run into the issue, but if someone goes further and debugs the issue, he/she will be hinted into the right direction.

Thanks a lot!

Oliver
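
Added example, not part of the bug thread or of authselect: a post-provisioning check for the automated-install case mentioned above, which flags a host where with-mkhomedir is selected but oddjobd is not enabled and running. It assumes `authselect current --raw` prints the profile and features space-separated on one line; the function name `check_mkhomedir`, the `--live` switch and the sample states are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag hosts where authselect has
# with-mkhomedir selected but oddjobd is not enabled and running.

# check_mkhomedir RAW ENABLED ACTIVE
#   RAW     - output of `authselect current --raw`, e.g. "sssd with-mkhomedir"
#   ENABLED - output of `systemctl is-enabled oddjobd`
#   ACTIVE  - output of `systemctl is-active oddjobd`
# Prints findings; returns 0 if consistent, 1 if the feature lacks its service.
check_mkhomedir() {
    raw=$1; enabled=$2; active=$3; rc=0
    case " $raw " in
        *" with-mkhomedir "*) ;;
        *) echo "ok: with-mkhomedir is not selected"; return 0 ;;
    esac
    if [ "$enabled" != "enabled" ]; then
        echo "FAIL: oddjobd is '$enabled'; run: systemctl enable oddjobd.service"
        rc=1
    fi
    if [ "$active" != "active" ]; then
        echo "FAIL: oddjobd is '$active'; run: systemctl start oddjobd.service"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: with-mkhomedir selected and oddjobd enabled and active"
    fi
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    # Query the real host; is-enabled/is-active exit non-zero when not ready,
    # so their exit status is ignored and only the printed state is used.
    raw=$(authselect current --raw 2>/dev/null || true)
    enabled=$(systemctl is-enabled oddjobd 2>/dev/null || true)
    active=$(systemctl is-active oddjobd 2>/dev/null || true)
    check_mkhomedir "$raw" "$enabled" "$active"
    exit $?
else
    # Constructed sample states: the one from this report, then the fixed one.
    check_mkhomedir "sssd with-mkhomedir" "disabled" "inactive" || true
    check_mkhomedir "sssd with-mkhomedir" "enabled" "active"
fi
```

Run with `--live` at the end of a kickstart or configuration-management run; a non-zero exit marks the host as one where the first IdM login would find no home directory.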

Comment 8 Dan Lavu 2019-09-03 21:24:21 UTC
Verified against authselect-1.1-2.el8.x86_64


[root@kvm-08-guest27 ~]#  sudo authselect enable-feature with-smartcard
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-smartcard is selected, make sure smartcard authentication is enabled in sssd.conf:
  - set "pam_cert_auth = True" in [pam] section

[root@kvm-08-guest27 ~]#  authselect enable-feature with-mkhomedir
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

Comment 10 errata-xmlrpc 2019-11-05 22:33:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3647

