Description of problem:

In order to allow access to our RHVH hosts in RHV-TLV [1] via LDAP and Kerberos for the developers to be able to access and debug problems in a more secured and monitored manner with sudo, we opt to enable and configure them in authconfig-tui.

After enabling and configuring them in authconfig-tui I'm receiving the following VDSM errors:

Aug 26 16:43:32 rhvh-02.engineering.redhat.com sudo[100961]: PAM unable to dlopen(/usr/lib64/security/pam_ldap.so): /usr/lib64/security/p...ectory
Aug 26 16:43:32 rhvh-02.engineering.redhat.com sudo[100961]: PAM adding faulty module: /usr/lib64/security/pam_ldap.so
Aug 26 16:43:32 rhvh-02.engineering.redhat.com sudo[100965]: PAM unable to dlopen(/usr/lib64/security/pam_krb5.so): /usr/lib64/security/p...ectory
Aug 26 16:43:32 rhvh-02.engineering.redhat.com sudo[100965]: PAM adding faulty module: /usr/lib64/security/pam_krb5.so

Also, LDAP and Kerberos login does not work.

LDAP server: ldap.corp.redhat.com
Kerberos realm / KDC: REDHAT.COM / kerberos.corp.redhat.com

[1] https://rhvm.engineering.redhat.com/ovirt-engine/

Version-Release number of selected component (if applicable):
4.3.0

How reproducible:
100%

Steps to Reproduce:
1. Enable and configure LDAP and Kerberos services in authconfig-tui.

Actual results:
LDAP and Kerberos login not working & VDSM sudo errors.

Expected results:
LDAP and Kerberos login working.

Additional info:
This happens due to the following missing packages: pam_krb5, nss-pam-ldapd
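An added check for the failure described above (not part of the original report or of any RHV tooling): it lists modules that the PAM configuration references but that have no shared object on disk, which is the condition behind the "PAM adding faulty module" messages. The default directories and the constructed `system-auth` sample are assumptions.

```shell
#!/bin/sh
# Added example: report PAM modules that are configured but not installed.

# missing_pam_modules [PAM_DIR] [MODULE_DIR]
# Prints "<config file>: <module>" for every referenced module that is absent.
missing_pam_modules() {
    pam_dir=${1:-/etc/pam.d}               # assumed default config directory
    mod_dir=${2:-/usr/lib64/security}      # module directory seen in the log
    for file in "$pam_dir"/*; do
        [ -f "$file" ] || continue
        # Strip comments, then take the first field ending in ".so"; this
        # skips bracketed controls such as "[default=bad success=ok]".
        awk '{ sub(/#.*/, "")
               for (i = 1; i <= NF; i++)
                   if ($i ~ /\.so$/) { print $i; break } }' "$file" |
        sort -u |
        while IFS= read -r module; do
            case $module in
                /*) path=$module ;;            # absolute module path
                *)  path=$mod_dir/$module ;;   # resolved in the module dir
            esac
            [ -e "$path" ] || printf '%s: %s\n' "${file##*/}" "$module"
        done
    done
}

# Constructed sample: a stack that references pam_krb5.so and pam_ldap.so
# on a host where only pam_env.so and pam_unix.so are installed.
demo_constructed_host() {
    root=$(mktemp -d)
    mkdir -p "$root/pam.d" "$root/security"
    touch "$root/security/pam_env.so" "$root/security/pam_unix.so"
    cat > "$root/pam.d/system-auth" <<'EOF'
# constructed sample, not taken from the affected host
auth     required    pam_env.so
auth     sufficient  pam_unix.so nullok try_first_pass
auth     sufficient  pam_krb5.so use_first_pass
auth     sufficient  pam_ldap.so use_first_pass
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
EOF
    missing_pam_modules "$root/pam.d" "$root/security"
    rm -rf "$root"
}

demo_constructed_host
```

On a real host, calling `missing_pam_modules` with no arguments checks `/etc/pam.d` against `/usr/lib64/security`.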
Let's put the packages in the optional channel.
Optional repository/channel is fine with me. Note that this is a RHVH - and as such an appliance. All additional packages/services should not be added/configured by default.
I'm okay with these packages being in the optional repository, but we're registering our hosts to the RHV CDN repositories. My question is, are the optional ones included there by default or would we have to enable them (before installing the packages via yum)? Just verifying.
In el8 we have nss-pam-ldapd but pam_krb5 is not available anymore, being obsoleted by SSSD.
For reference: https://docs.pagure.org/SSSD.sssd/users/pam_krb5_migration.html
sssd-krb5-common is included in RHV-H 4.4 image so no need to add it to the optional channel.
Discussed this with nss-pam-ldapd and it sorted out that sssd should be used instead. I see that sssd-ldap is not included in the RHV-H image, so it may make more sense to have it in RHV-H image instead of shipping in optional channel. Yaniv, can you check with 4.4 images if you're able to login using the SSSD stack included in RHV-H?
Hey Sandro, Sorry for the late response. Didn't manage to get around to this. So you're saying that in 4.4 it'd work - where both krb5, provided by SSSD, and the ldapd modules are included in the base image? Or is only the krb5 one included and ldapd would have to be manually installed from a, presumably, available repo? RHV-TLV is 4.3.8 so I'll have to spin a new env up next week to test it. Any specific 4.4 image/version I should use? Also, what about 4.3 builds, is there no reason to put it there as well?
Update:

So I installed 4.4 (RHVH-4.4-20200507.1) on [1], configured SSSD and LDAP according to [2] and it didn't work.

Default installed SSSD and LDAP packages:

sssd-krb5-common-2.2.3-20.el8.x86_64
sssd-kcm-2.2.3-20.el8.x86_64
python3-sssdconfig-2.2.3-20.el8.noarch
sssd-common-pac-2.2.3-20.el8.x86_64
*sssd-common-2.2.3-20.el8.x86_64*
sssd-tools-2.2.3-20.el8.x86_64
*sssd-ipa-2.2.3-20.el8.x86_64*
sssd-client-2.2.3-20.el8.x86_64
*openldap-2.4.46-11.el8.x86_64*
python3-ldap-3.1.0-5.el8.x86_64

openssl and oddjob are, I believe, essentially optional for this (even though the guide says they're necessary like the other packages), but variants of those tools are available by default as well:

*oddjob-mkhomedir-0.34.4-7.el8.x86_64*
oddjob-0.34.4-7.el8.x86_64
*openssl-1.1.1c-15.el8.x86_64*
openssl-libs-1.1.1c-15.el8.x86_64

The only thing that's missing is the sssd-ldap package.

[3] is the LDAP server I configured [1] to authenticate against and I tried it (SSH with my user/querying LDAP entries), but to no avail. I might've missed something though, so let me know if you think I misconfigured it or something (I can grant you SSH access to the test server, if need be).

[1] dell-pe840-02.dell2.lab.eng.bos.redhat.com
[2] https://access.redhat.com/solutions/4356441
[3] ldap.corp.redhat.com
Test version: rhvh-4.4.1.1-0.20200705.0

I tested using the stage account. There is still no "sssd-ldap" in the channel, so moving to ASSIGNED.
sssd-2.2.3-20.el8 is attached to RHEA-2019:45754, trying to figure out what's wrong with RCM
QE will verify this bug after it is pushed to stage.
The package "sssd" now exists in the rhvh-4-for-rhel-8-x86_64-rpms repo. The bug is fixed; moving it to "VERIFIED".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHV Host (redhat-virtualization-host) 4.4), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:3316
Can that ticket be closed, please?