Bug 1934124 - F34: regressed from authselect to unavailable authconfig, joining AD domain fails: Couldn't join realm: Enabling SSSD in nsswitch.conf and PAM failed.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: realmd
Version: 34
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Sumit Bose
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F34BetaBlocker
Reported: 2021-03-02 14:52 UTC by Martin Pitt
Modified: 2021-03-18 20:38 UTC (History)

Fixed In Version: realmd-0.17.0-3.fc35 realmd-0.17.0-3.eln110 realmd-0.17.0-3.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-18 20:38:42 UTC
Type: Bug
Embargoed:


Description Martin Pitt 2021-03-02 14:52:49 UTC
Description of problem: Joining an AD domain with realmd in Fedora 34 fails. I have a test AD domain (served by a samba container, but that's not really relevant):

# realm discover
cockpit.lan
  type: kerberos
  realm-name: COCKPIT.LAN
  domain-name: cockpit.lan
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

Joining it directly with adcli works:

  adcli join --verbose --domain cockpit.lan --domain-realm COCKPIT.LAN --domain-controller 10.111.112.100 --login-type user --login-user Administrator

But joining it with realmd now fails:

# realm join -vU Administrator cockpit.lan    # works without an /etc/realmd.conf
 * Resolving: _ldap._tcp.cockpit.lan
 * Performing LDAP DSE lookup on: 10.111.112.100
 * Successfully discovered: cockpit.lan
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain cockpit.lan --domain-realm COCKPIT.LAN --domain-controller 10.111.112.100 --login-type user --login-user Administrator --stdin-password
 * Using domain name: cockpit.lan
 * Calculated computer account name from fqdn: X0
 * Using domain realm: cockpit.lan
 * Sending NetLogon ping to domain controller: 10.111.112.100
 * Received NetLogon info from: f0.cockpit.lan
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-MU4p5T/krb5.d/adcli-krb5-conf-S7ouTu
 * Authenticated as user: Administrator
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: COCKPIT
 * Looked up domain SID: S-1-5-21-2893514108-2920310561-1624625319
 * Using fully qualified name: x0.cockpit.lan
 * Using domain name: cockpit.lan
 * Using computer account name: X0
 * Using domain realm: cockpit.lan
 * Calculated computer account name from fqdn: X0
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * A computer account for X0$ does not exist
 * Found well known computer container at: CN=Computers,DC=cockpit,DC=lan
 * Calculated computer account: CN=X0,CN=Computers,DC=cockpit,DC=lan
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=X0,CN=Computers,DC=cockpit,DC=lan
 * Sending NetLogon ping to domain controller: 10.111.112.100
 * Received NetLogon info from: f0.cockpit.lan
 * Set computer password
 * Retrieved kvno '1' for computer account in directory: CN=X0,CN=Computers,DC=cockpit,DC=lan
 * Checking host/X0
 *    Added host/X0
 * Checking host/x0.cockpit.lan
 *    Added host/x0.cockpit.lan
 * Checking RestrictedKrbHost/X0
 *    Added RestrictedKrbHost/X0
 * Checking RestrictedKrbHost/x0.cockpit.lan
 *    Added RestrictedKrbHost/x0.cockpit.lan
 * Discovered which keytab salt to use
 * Added the entries to the keytab: X0$@COCKPIT.LAN: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/X0: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/x0.cockpit.lan: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/X0: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/x0.cockpit.lan: FILE:/etc/krb5.keytab
 ! Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
/usr/bin/sh: line 1: /usr/sbin/authconfig: No such file or directory
 ! Enabling SSSD in nsswitch.conf and PAM failed.
realm: Couldn't join realm: Enabling SSSD in nsswitch.conf and PAM failed.


Indeed there is no authconfig; it was replaced with authselect years ago (https://fedoraproject.org/wiki/Changes/Authselect).


In Fedora 33 with realmd-0.16.3-25.fc33.x86_64 it uses authselect as intended:

# rpm -ql realmd|xargs grep authselect
/usr/lib/realmd/realmd-distro.conf:winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
/usr/lib/realmd/realmd-distro.conf:sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir


But in Fedora 34 with realmd-0.17.0-2.fc34.x86_64 it reverted to authconfig:

# rpm -ql realmd|xargs grep authselect
/usr/lib/realmd/realmd-distro.conf:winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
/usr/lib/realmd/realmd-distro.conf:sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
/usr/lib/realmd/realmd-distro.conf:sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart


Version-Release number of selected component (if applicable):

realmd-0.17.0-2.fc34.x86_64
adcli-0.9.1-2.fc34.x86_64
authselect-1.2.2-2.fc34.x86_64
sssd-2.4.2-2.fc34.x86_64


How reproducible: Always
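
The failure above is a half-join: adcli has already created the computer account and written the keytab before the `sssd-enable-logins` hook trips over the missing `/usr/sbin/authconfig`. The following pre-flight check, added here as an example and not part of realmd or of the report, parses the `*-enable-logins` / `*-disable-logins` hooks in `realmd-distro.conf`, unwraps the `sh -c "a && b"` form, and reports every absolute-path program the hooks would run that does not exist; the sample config is a constructed copy of the F34 lines quoted in the report, and the `exists` parameter is a hypothetical injection point so the check can run against a simulated filesystem.

```python
"""Pre-flight check for realmd's login hooks: does every program that the
*-enable-logins / *-disable-logins commands run actually exist on this host?"""
import os
import re
import shlex
from typing import Callable, Dict, List, Tuple

REALMD_DISTRO_CONF = "/usr/lib/realmd/realmd-distro.conf"

# Constructed sample modelled on the F34 lines quoted in the report (hooks call authconfig).
SAMPLE_F34_CONF = """\
[fedora]
sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
"""

def hook_commands(conf_text: str) -> Dict[str, str]:
    """Return {key: command} for every *-enable-logins / *-disable-logins entry."""
    hooks: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment or [section] header
        key, _, value = line.partition("=")
        if key.strip().endswith(("-enable-logins", "-disable-logins")):
            hooks[key.strip()] = value.strip()
    return hooks

def programs_in(command: str) -> List[str]:
    """Programs a hook runs.  A `sh -c "a && b"` wrapper is unwrapped and the
    first word of each &&/||/;-separated segment is taken as a program."""
    words = shlex.split(command)
    if len(words) >= 3 and os.path.basename(words[0]) == "sh" and words[1] == "-c":
        inner = [shlex.split(seg)[0] for seg in re.split(r"&&|\|\||;", words[2]) if seg.strip()]
        return list(dict.fromkeys([words[0]] + inner))  # dedupe, keep order
    return words[:1]

def missing_helpers(conf_text: str,
                    exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str]]:
    """(hook key, program) pairs whose absolute-path program is absent.  `exists` is a
    hypothetical injection point so the check can run against a simulated filesystem."""
    return [(key, prog) for key, cmd in hook_commands(conf_text).items()
            for prog in programs_in(cmd) if prog.startswith("/") and not exists(prog)]

if __name__ == "__main__":
    # Check the real file when realmd is installed, otherwise demonstrate on the sample.
    text = open(REALMD_DISTRO_CONF).read() if os.path.exists(REALMD_DISTRO_CONF) else SAMPLE_F34_CONF
    for key, prog in missing_helpers(text):
        print(f"{key}: {prog} is missing; realm join would fail after creating the account")
```

Run it before `realm join`; an empty result means every hook helper is present, and a hit names the hook whose failure would otherwise surface only after the computer account and keytab already exist.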

Comment 1 Sumit Bose 2021-03-02 16:38:01 UTC
Hi,

bummer, the authselect patch was downstream only and got lost. Can you try if the scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=62946098 works for you?

bye,
Sumit

Comment 2 Martin Pitt 2021-03-02 18:02:13 UTC
Sumit, thanks for the quick fix! I tested this package against all our realm/AD tests, and it's working perfectly again 👍

Comment 3 Fedora Update System 2021-03-03 07:50:14 UTC
FEDORA-2021-750346511c has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2021-03-03 07:56:15 UTC
FEDORA-2021-9b44822a60 has been pushed to the Fedora ELN stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 5 Fedora Update System 2021-03-03 08:49:12 UTC
FEDORA-2021-c77afd19c8 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c77afd19c8

Comment 6 Fedora Update System 2021-03-03 15:47:05 UTC
FEDORA-2021-c77afd19c8 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c77afd19c8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c77afd19c8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Adam Williamson 2021-03-17 19:45:29 UTC
This seems like a clear Beta blocker. It violates "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain" - https://fedoraproject.org/wiki/Basic_Release_Criteria#Remote_authentication

Comment 8 Adam Williamson 2021-03-17 20:11:37 UTC
+5 votes in https://pagure.io/fedora-qa/blocker-review/issue/313, marking accepted.

Comment 9 Fedora Update System 2021-03-18 20:38:42 UTC
FEDORA-2021-c77afd19c8 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.
