Bug 2019052 - Enforce Authselect Configuration Consistency
Summary: Enforce Authselect Configuration Consistency
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 36
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Pavel Březina
QA Contact:
Whiteboard: FailedQA
Depends On: 2000936 2023738 2023741 2023743 2023745 2034336 2034360 2039869
Blocks: F36Changes
Reported: 2021-11-01 14:22 UTC by Ben Cotton
Modified: 2022-05-10 14:41 UTC

Last Closed: 2022-05-10 14:41:45 UTC
Type: ---

Description Ben Cotton 2021-11-01 14:22:13 UTC
This is a tracking bug for Change: Enforce Authselect Configuration Consistency
For more details, see: https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory

This change wants to make authselect required to configure authentication and identity sources and forcefully update non-authselect configuration to the sssd authselect profile to eliminate any existing non-authselect setups.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.

Comment 1 Colin Walters 2021-12-20 16:22:25 UTC
See https://github.com/coreos/fedora-coreos-tracker/issues/1051

We need nss-altfiles in /etc/nsswitch.conf for ostree based systems right now.

This is all the same as https://github.com/authselect/authselect/issues/48 etc.

Perhaps short term we can disable the script aspects of authselect.  

But let's avoid shipping this feature in Fedora 36 until this is working with ostree.  Can you take a look at this and comment?

My strawman proposal here is that rpm-ostree gains a simple way to inject this requirement.

A simple implementation of this would be detecting the presence of /usr/lib64/libnss_altfiles.so.2
or perhaps a "stamp file" like /usr/lib/nss-altfiles/required ?  (We can't rely on querying the rpm database
due to locking issues on traditional RPM and rpm-ostree explicitly denies reading it at all to scripts)
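
Added example, not part of the bug thread and not rpm-ostree or authselect code: a shell sketch of the file-presence detection proposed in Comment 1, paired with a check that /etc/nsswitch.conf still lists altfiles. The function names are hypothetical, the stamp file path is only the suggestion from the comment, and checking the passwd and group databases is an assumption.

```shell
#!/bin/sh
# Added example (not project code). Function names are hypothetical.

# altfiles_required ROOT
# Succeeds when either marker named in Comment 1 exists under ROOT.
# The stamp file is only a proposal in that comment, not a shipped file.
altfiles_required() {
    [ -e "$1/usr/lib64/libnss_altfiles.so.2" ] ||
    [ -e "$1/usr/lib/nss-altfiles/required" ]
}

# db_has_altfiles ROOT DB
# Succeeds when the DB line of ROOT/etc/nsswitch.conf lists "altfiles".
db_has_altfiles() {
    conf=$1/etc/nsswitch.conf
    [ -r "$conf" ] || return 1
    awk -v db="$2" '
        { sub(/#.*/, "") }              # ignore trailing comments
        $1 == (db ":") {
            for (i = 2; i <= NF; i++)
                if ($i == "altfiles") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# check_altfiles ROOT
# Prints "not-required", "ok" or "missing:<db>"; returns 1 only when a
# required altfiles entry is absent (assumed databases: passwd, group).
check_altfiles() {
    if ! altfiles_required "$1"; then
        echo "not-required"
        return 0
    fi
    for db in passwd group; do
        if ! db_has_altfiles "$1" "$db"; then
            echo "missing:$db"
            return 1
        fi
    done
    echo "ok"
}
```

Running `check_altfiles /` after a profile change shows whether the entry survived. The check reads only the filesystem and never queries the rpm database.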

Comment 2 Pavel Březina 2022-01-10 11:59:12 UTC
The discussion of the ostree issue continues in https://bugzilla.redhat.com/show_bug.cgi?id=2034360

Comment 3 Ben Cotton 2022-02-08 21:07:16 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 36 development cycle.
Changing version to 36.

Comment 4 Ben Cotton 2022-05-10 14:41:45 UTC
F36 was released today. If this Change did not land in the release, please notify bcotton as soon as possible.
