Bug 1921007 - ipa-server-install : No such file or directory: '/etc/authselect/user-nsswitch.conf'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Rob Crittenden
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-27 12:04 UTC by Jacquelin Charbonnel
Modified: 2022-05-10 14:33 UTC

Fixed In Version: ipa-4.9.8-1.module+el8.6.0+13486+dbe20af2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-10 14:08:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 8755 0 None None None 2021-03-15 12:17:46 UTC
Red Hat Issue Tracker FREEIPA-7088 0 None None None 2021-10-14 17:34:06 UTC
Red Hat Product Errata RHEA-2022:1884 0 None None None 2022-05-10 14:09:05 UTC

Description Jacquelin Charbonnel 2021-01-27 12:04:25 UTC
On a new virgin host under CentOS Stream release 8:

# ipa-server-install

ends with:

[Errno 2] No such file or directory: '/etc/authselect/user-nsswitch.conf'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Configuration of client side components failed!
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

To solve the problem:

# touch /etc/authselect/user-nsswitch.conf
# ipa-server-install --uninstall
# ipa-server-install

Comment 1 Jacquelin Charbonnel 2021-02-03 10:11:24 UTC
Same problem with ipa-replica-install.

Comment 2 Pavel Březina 2021-02-03 10:36:03 UTC
Thank you for the bug report.

The file is created during package installation in %posttrans scriptlet:
https://git.centos.org/rpms/authselect/blob/c8s/f/SPECS/authselect.spec#_235

I'm forwarding this to CentOS Stream developers.

Comment 3 Pavel Březina 2021-02-03 12:02:29 UTC
Brian, this works fine on Fedora and RHEL. Can you look into it? Thank you.

Comment 4 Brian Stinson 2021-02-17 23:47:16 UTC
This worked fine for me using content from CentOS-Stream-8-20210215.n.0 (this week's compose) 

Can we try this with the most recent install media or an updated system?

Comment 5 Álvaro Castillo 2021-02-24 09:39:08 UTC
Not solved yet. I've deployed a server and I got this error message:

Linux localhost 4.18.0-277.el8.x86_64 #1 SMP Wed Feb 3 20:35:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
CentOS Stream release 8

centos-logos-ipa-80.5-2.el8.noarch
python3-libipa_hbac-2.3.0-9.el8.x86_64
ipa-selinux-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
ipa-client-4.8.7-14.module_el8.3.0+698+d6d67052.x86_64
ipa-server-dns-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
ipa-common-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
python3-ipaserver-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
ipa-client-common-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
ipa-server-4.8.7-14.module_el8.3.0+698+d6d67052.x86_64
libipa_hbac-2.3.0-9.el8.x86_64
sssd-ipa-2.3.0-9.el8.x86_64
python3-ipalib-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
ipa-healthcheck-core-0.4-6.module_el8.3.0+482+9e103aab.noarch
ipa-server-common-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
python3-ipaclient-4.8.7-14.module_el8.3.0+698+d6d67052.noarch

Comment 6 Álvaro Castillo 2021-02-24 10:14:36 UTC
I've created touch /etc/authselect/user-nsswitch.conf and after deploy:

Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring client side components
This program will set up IPA client.
Version 4.8.7

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: xx.xx.com
Realm: xx.COM
DNS Domain: xx.com
IPA Server: xx.xx.com
BaseDN: dc=xx,dc=com

Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring xx.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records._k8jn7th.db
CalledProcessError(Command ['/bin/systemctl', 'restart', 'ipa.service'] returned non-zero exit status 1: 'Job for ipa.service failed because the control process exited with error code.\nSee "systemctl status ipa.service" and "journalctl -xe" for details.\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

I'm going to see what's happened in ipaserver-install.log...
#######

2021-02-24T09:57:06Z DEBUG Process finished, return code=0
2021-02-24T09:57:06Z DEBUG Client install duration: 12.496
2021-02-24T09:57:06Z DEBUG flushing ldapi://%2Frun%2Fslapd-xx-COM.socket from SchemaCache
2021-02-24T09:57:06Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-xx-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f2c8f0e9048>
2021-02-24T09:57:06Z DEBUG Set service ['KDC'] for xx.xx.com to enabledService
2021-02-24T09:57:06Z DEBUG Set service ['KPASSWD'] for xx.xx.com to enabledService
2021-02-24T09:57:06Z DEBUG Set service ['KEYS'] for xx.xx.com to enabledService
2021-02-24T09:57:06Z DEBUG Set service ['CA'] for xx.xx.com to enabledService
2021-02-24T09:57:06Z DEBUG Set service ['OTPD'] for xx.xx.com to enabledService
2021-02-24T09:57:06Z DEBUG Set service ['HTTP'] for xx.xx.com to enabledService
2021-02-24T09:57:06Z DEBUG raw: dns_update_system_records(version='2.239')
2021-02-24T09:57:06Z DEBUG dns_update_system_records(dry_run=False, all=False, raw=False, version='2.239')
2021-02-24T09:57:06Z DEBUG raw: server_find(None, version='2.239', no_members=False, servrole='IPA master')
2021-02-24T09:57:06Z DEBUG server_find(None, all=False, raw=False, version='2.239', no_members=False, pkey_only=False, servrole=('IPA master',))
2021-02-24T09:57:06Z DEBUG raw: server_role_find(None, server_server=None, role_servrole='IPA master', status='enabled', include_master=True, version='2.239')
2021-02-24T09:57:06Z DEBUG server_role_find(None, server_server=None, role_servrole='IPA master', status='enabled', include_master=True, all=False, raw=False, version='2.239')
2021-02-24T09:57:06Z DEBUG raw: topologysuffix_find(None, all=True, raw=True, version='2.239')
2021-02-24T09:57:06Z DEBUG topologysuffix_find(None, all=True, raw=True, version='2.239', pkey_only=False)
2021-02-24T09:57:06Z DEBUG raw: server_role_find(None, server_server='xx.xx.com', status='enabled', include_master=True, version='2.239')
2021-02-24T09:57:06Z DEBUG server_role_find(None, server_server='xx.xx.com', status='enabled', include_master=True, all=False, raw=False, version='2.239')
2021-02-24T09:57:06Z DEBUG raw: dnszone_show(<DNS name xx.com.>, version='2.239')
2021-02-24T09:57:06Z DEBUG dnszone_show(<DNS name xx.com.>, rights=False, all=False, raw=False, version='2.239')
2021-02-24T09:57:06Z DEBUG found 1 1 records for xx.xx.com.: 88.99.15.246
2021-02-24T09:57:06Z DEBUG The DNS response does not contain an answer to the question: xx.xx.com. IN AAAA
2021-02-24T09:57:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-02-24T09:57:06Z DEBUG raw: server_find(None, version='2.239', no_members=False)
2021-02-24T09:57:06Z DEBUG server_find(None, all=False, raw=False, version='2.239', no_members=False, pkey_only=False)
2021-02-24T09:57:06Z DEBUG raw: topologysuffix_find(None, all=True, raw=True, version='2.239')
2021-02-24T09:57:06Z DEBUG topologysuffix_find(None, all=True, raw=True, version='2.239', pkey_only=False)
2021-02-24T09:57:06Z DEBUG raw: server_role_find(None, server_server='xx.xx.com', status='enabled', include_master=True, version='2.239')
2021-02-24T09:57:06Z DEBUG server_role_find(None, server_server='xx.xx.com', status='enabled', include_master=True, all=False, raw=False, version='2.239')
2021-02-24T09:57:06Z DEBUG found 1 1 records for xx.xx.com.: yy.yy.yy.yy
2021-02-24T09:57:06Z DEBUG The DNS response does not contain an answer to the question: xx.xx.com. IN AAAA
2021-02-24T09:57:06Z DEBUG Starting external process
2021-02-24T09:57:06Z DEBUG args=['/bin/systemctl', 'enable', 'ipa.service']
2021-02-24T09:57:07Z DEBUG Process finished, return code=0
2021-02-24T09:57:07Z DEBUG stdout=
2021-02-24T09:57:07Z DEBUG stderr=Created symlink /etc/systemd/system/multi-user.target.wants/ipa.service → /usr/lib/systemd/system/ipa.service.

2021-02-24T09:57:07Z DEBUG Starting external process
2021-02-24T09:57:07Z DEBUG args=['/bin/systemctl', 'restart', 'ipa.service']
2021-02-24T09:59:10Z DEBUG Process finished, return code=1
2021-02-24T09:59:10Z DEBUG stdout=
2021-02-24T09:59:10Z DEBUG stderr=Job for ipa.service failed because the control process exited with error code.
See "systemctl status ipa.service" and "journalctl -xe" for details.

2021-02-24T09:59:10Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 569, in main
    master_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 276, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 1000, in install
    services.knownservices.ipa.enable()
  File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/services.py", line 167, in enable
    self.restart(instance_name)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 342, in restart
    capture_output, wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 328, in _restart_base
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run
    p.returncode, arg_string, output_log, error_log

2021-02-24T09:59:10Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'restart', 'ipa.service'] returned non-zero exit status 1: 'Job for ipa.service failed because the control process exited with error code.\nSee "systemctl status ipa.service" and "journalctl -xe" for details.\n')
2021-02-24T09:59:10Z ERROR CalledProcessError(Command ['/bin/systemctl', 'restart', 'ipa.service'] returned non-zero exit status 1: 'Job for ipa.service failed because the control process exited with error code.\nSee "systemctl status ipa.service" and "journalctl -xe" for details.\n')
2021-02-24T09:59:10Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


systemctl status ipa.service

[opmgr@xx ~]$ sudo systemctl status ipa.service
● ipa.service - Identity, Policy, Audit
   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2021-02-24 10:59:10 CET; 12min ago
  Process: 19297 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
 Main PID: 19297 (code=exited, status=1/FAILURE)

Feb 24 10:57:07 xx.xx.com systemd[1]: Starting Identity, Policy, Audit...
Feb 24 10:59:10 xx.xx.com ipactl[19297]: Existing service file detected!
Feb 24 10:59:10 xx.xx.com ipactl[19297]: Assuming stale, cleaning and proceeding
Feb 24 10:59:10 xx.xx.com ipactl[19297]: Failed to start Directory Service: Timeout exceeded
Feb 24 10:59:10 xx.xx.com ipactl[19297]: Starting Directory Service
Feb 24 10:59:10 xx.xx.com systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE
Feb 24 10:59:10 xx.xx.com systemd[1]: ipa.service: Failed with result 'exit-code'.
Feb 24 10:59:10 xx.xx.com systemd[1]: Failed to start Identity, Policy, Audit.

Comment 7 Álvaro Castillo 2021-02-24 11:30:52 UTC
That only happened in Stream.

Deploy without /etc/authselect/user-nsswitch.conf in CentOS 8 Release works perfectly.

Install CentOS 8
Update packages: dnf upgrade -y
Enable module: dnf module enable idm:DL1
Install packages: dnf install ipa-server
Change hostname: hostnamectl set-hostname xx.xx.com
Add the public IP with the hostname to /etc/hosts
Reboot the server
Add ServerName xx.xx.com:80 in /etc/httpd/conf/httpd.conf to avoid Apache problems in the future deploy.
Deploy ipa server: ipa-server-install
Ask1: no
Ask2: DN Password
Ask3: IPA Password
Ask4: no
Ask5: yes

Wait and it's OK.

Done.
Restarting the KDC
Configuring client side components
This program will set up IPA client.
Version 4.8.7

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: xx.xx.com
Realm: xx.COM
DNS Domain: xx.com
IPA Server: xx.xx.com
BaseDN: dc=xx,dc=com

Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring orbitacloud.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.buuz6vki.db
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

Package list:
python3-ipalib-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
ipa-healthcheck-core-0.4-6.module_el8.3.0+482+9e103aab.noarch
ipa-server-common-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
ipa-common-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
centos-logos-ipa-80.5-2.el8.noarch
ipa-client-4.8.7-14.module_el8.3.0+698+d6d67052.x86_64
ipa-client-common-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
python3-libipa_hbac-2.3.0-9.el8.x86_64
python3-ipaclient-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
python3-ipaserver-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
ipa-server-4.8.7-14.module_el8.3.0+698+d6d67052.x86_64
libipa_hbac-2.3.0-9.el8.x86_64
ipa-selinux-4.8.7-14.module_el8.3.0+698+d6d67052.noarch
sssd-ipa-2.3.0-9.el8.x86_64

Linux xx.xx.com 4.18.0-240.10.1.el8_3.x86_64 #1 SMP Mon Jan 18 17:05:51 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux


NOTE: In both tests, SELinux is in permissive mode.

Comment 8 Álvaro Castillo 2021-02-24 15:09:03 UTC
I've upgraded my CentOS 8 Release instance with IPA Deploy as before I commented to CentOS 8 Stream.

sudo dnf install centos-release-stream
sudo dnf distro-sync
sudo reboot
sudo ipa-server-upgrade
sudo systemctl restart ipa.service

That command has worked. I

Comment 9 Pavel Březina 2021-03-02 11:27:31 UTC
I do not know why user-nsswitch.conf is missing in the Stream, but authselect can work even without the file. It seems that IPA requires it for this step:

...
Configured sudoers in /etc/authselect/user-nsswitch.conf
...

But they probably want to call "authselect select sssd with-sudo" instead of this step.

I do not know why the installation failed, let's switch it to IPA component for now.

Comment 10 Rob Crittenden 2021-05-04 21:31:54 UTC
This was added in https://github.com/freeipa/freeipa/commit/41ef8fba which unfortunately lacks some context. It's unclear why sudo was included in this along with the automount change.

It looks like with-sudo is already used elsewhere so perhaps the enable_sssd_sudo() can be dropped altogether. And I guess configure_nsswitch_database needs to be more robust and handle the case where the file doesn't exist yet.
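
What Comment 10 asks for, an nsswitch update that tolerates a user-nsswitch.conf that does not exist yet, sketched as an added example (it is not FreeIPA's configure_nsswitch_database and not code from this bug). The names set_nsswitch_database and merge_services, their parameters and the 0644 mode for a newly created file are assumptions.

```python
import os
import stat
import tempfile


def merge_services(existing, services, append=True):
    """Return the right-hand side for a database line.

    With append=True the current sources (and any [STATUS=action] items)
    stay in place and only the missing services are added at the end.
    """
    if not append:
        return " ".join(services)
    tokens = existing.split()
    missing = [s for s in services if s not in tokens]
    return " ".join([existing.strip()] + missing).strip()


def set_nsswitch_database(path, database, services, append=True):
    """Make sure `database:` in the nsswitch-style file lists `services`.

    A missing file (or missing parent directory) is treated as an empty
    configuration instead of raising FileNotFoundError, which is the
    [Errno 2] failure reported here. Returns the resulting entry.
    """
    try:
        with open(path, encoding="utf-8") as f:
            lines = f.read().splitlines()
        mode = stat.S_IMODE(os.stat(path).st_mode)  # keep existing mode
    except FileNotFoundError:
        lines, mode = [], 0o644  # assumed mode for a newly created file

    result = None
    out = []
    for line in lines:
        key, sep, value = line.partition(":")
        # Commented-out entries have a key such as "# sudoers" and are kept.
        if sep and key.strip() == database:
            if result is None:
                body, hash_, comment = value.partition("#")
                merged = merge_services(body, services, append)
                result = f"{database}: {merged}"
                out.append(result + (f"  #{comment}" if hash_ else ""))
            continue  # drop duplicate entries for the same database
        out.append(line)
    if result is None:
        result = f"{database}: {' '.join(services)}"
        out.append(result)

    # Write to a temporary file in the same directory and rename it into
    # place, so an interrupted run never leaves a truncated nsswitch file.
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".nsswitch-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write("\n".join(out) + "\n")
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return result


if __name__ == "__main__":
    # Constructed demo: run against a scratch directory, not /etc.
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "authselect", "user-nsswitch.conf")
        print(set_nsswitch_database(target, "sudoers", ["sss"]))
```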

Comment 11 Rob Crittenden 2021-07-19 18:46:38 UTC
authselect-libs creates /etc/authselect/user-nsswitch.conf in RHEL 8.3.0 in the package post script:

# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
if [ ! -f /var/lib/authselect/user-nsswitch-created ]; then
    /usr/bin/cp -n /etc/nsswitch.conf /etc/authselect/user-nsswitch.conf &> /dev/null
    touch /var/lib/authselect/user-nsswitch-created &> /dev/null

    # If we are upgrading from older version, we want to remove these comments.
    /usr/bin/sed -i '/^# Generated by authselect on .*$/{$!{
      N;N # Read also next two lines
      /# Generated by authselect on .*\n# Do not modify this file manually.\n/d
    }}' /etc/authselect/user-nsswitch.conf &> /dev/null
fi

Perhaps this code isn't in CentOS 8 Stream?

Pavel, does authselect rely on the existence of this file or should IPA work around it as suggested?

Comment 12 Pavel Březina 2021-07-20 09:21:15 UTC
(In reply to Rob Crittenden from comment #11)
> authselect-libs creates /etc/authselect/user-nsswitch.conf in RHEL 8.3.0 in
> the package post script:
> 
> # Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
> if [ ! -f /var/lib/authselect/user-nsswitch-created ]; then
>     /usr/bin/cp -n /etc/nsswitch.conf /etc/authselect/user-nsswitch.conf &>
> /dev/null
>     touch /var/lib/authselect/user-nsswitch-created &> /dev/null
> 
>     # If we are upgrading from older version, we want to remove these
> comments.
>     /usr/bin/sed -i '/^# Generated by authselect on .*$/{$!{
>       N;N # Read also next two lines
>       /# Generated by authselect on .*\n# Do not modify this file
> manually.\n/d
>     }}' /etc/authselect/user-nsswitch.conf &> /dev/null
> fi
> 
> Perhaps this code isn't in CentOS 8 Stream?

Where can I check? But it should be there, I doubt that anyone removed it.

> Pavel, does authselect rely on the existence of this file or should IPA work
> around it as suggested?

The file does not have to exist for authselect to work.

Comment 13 Rob Crittenden 2021-07-20 15:20:20 UTC
Thanks. I think we'll need to figure out why we care about this file at all and hopefully just rely on authselect to configure PAM.

Comment 14 Rob Crittenden 2021-10-28 20:25:08 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/5856f107335cf6ab4e6e960a53c52b2f549fce35

Comment 15 Rob Crittenden 2021-11-01 15:52:33 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/c1baae842529d89b7fda78ace5ffcff165a995ce

Comment 22 Mohammad Rizwan 2022-01-13 11:54:20 UTC
version:
ipa-server-4.9.8-2.module+el8.6.0+13621+937b8cd9.x86_64

============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.11.0, pluggy-1.0.0 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-358.el8.x86_64-x86_64-with-redhat-8.6-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.11.0', 'pluggy': '1.0.0'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 8 items

test_integration/test_authselect.py::TestClientInstallation::test_install_client_no_preconfigured_profile PASSED [ 12%]
test_integration/test_authselect.py::TestClientInstallation::test_uninstall_client_no_preconfigured_profile PASSED [ 25%]
test_integration/test_authselect.py::TestClientInstallation::test_install_client_preconfigured_profile PASSED [ 37%]
test_integration/test_authselect.py::TestClientInstallation::test_uninstall_client_preconfigured_profile PASSED [ 50%]
test_integration/test_authselect.py::TestClientInstallation::test_install_client_no_sudo PASSED [ 62%]
test_integration/test_authselect.py::TestClientInstallation::test_uninstall_wrong_sysrestore PASSED [ 75%]
test_integration/test_authselect.py::TestServerInstallation::test_install PASSED [ 87%]
test_integration/test_authselect.py::TestServerInstallation::test_uninstall PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
========================= 8 passed in 2893.96 seconds ==========================

Automation passed, hence marking a bug as verified.

https://ci-jenkins-csb-idmops.apps.ocp-c1.prod.psi.redhat.com/job/ipa-RHEL8.6/job/Nightly/job/tier-1-RHEL8.6-Nightly-upstream-authselect/5/

Comment 26 errata-xmlrpc 2022-05-10 14:08:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884

