can you guys stop flooding my logs with every Fedora release with more and more useless stuff? on some machines the filters in rsyslog.conf are longer than the remaining logfiles for a week sssd is not mandatory - thanks god nobody i know needs sssd so it's not there - fine, than don't load it and shut up crond: PAM adding faulty module: /usr/lib64/security/pam_sss.so: 130 Time(s) crond: PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: Kann die Shared-Object-Datei nicht öffnen: Datei oder Verzeichnis nicht gefunden: 130 Time(s) login: PAM adding faulty module: /usr/lib64/security/pam_sss.so: 7 Time(s) login: PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: No such file or directory: 7 Time(s) sddm-helper: PAM adding faulty module: /usr/lib64/security/pam_sss.so: 8 Time(s) sddm-helper: PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: Kann die Shared-Object-Datei nicht öffnen: Datei oder Verzeichnis nicht gefunden: 8 Time(s) su: PAM adding faulty module: /usr/lib64/security/pam_sss.so: 1 Time(s) su: PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: No such file or directory: 1 Time(s)
Although not mandatory, sssd is still included in the default Fedora installation. So, did you uninstall it? Or are you using a non-default environment?
Fedora got a lot of bloat over the years but who cares about the "default Fedora installation" when you run dozens of machines for all sort of services each as stripped as possible? i uninstall EVERYTHING which is not strcitly required for the task of the machine and the last time i saw the installer was in 2011 thanks to RAID and virtualization, this useless message didn't annoy me before F36
In that case I think that you should consider changing the authselect profile from sssd to minimal, as that would remove any pam_sss requirement from the common PAM stack files. Thus, stopping the error messages that you complain about. This will change your PAM stack so be careful.
this ignorance makes me sick and tired - sssd is now how many years part of the "default install" and now tih F36 you start to spam logs when one don't need that useless bloatware to gain what?
and why in the world do you need to touch /etc/nsswitch.conf which has "chattr +i" becasue all the years some sonsense altrered it unasked? [root@testserver:~]$ authselect select minimal [error] [/etc/nsswitch.conf] is not a symbolic link! [error] [/etc/nsswitch.conf] was not created by authselect! [error] [/etc/dconf/db/distro.d/20-authselect] does not exist! [error] [/etc/dconf/db/distro.d/20-authselect] was not created by authselect! [error] [/etc/dconf/db/distro.d/locks/20-authselect] does not exist! [error] [/etc/dconf/db/distro.d/locks/20-authselect] was not created by authselect! [error] Changes to the authselect configuration were detected. These changes will be overwritten. Please call 'authselect opt-out' in order to keep them. [error] Unable to overwrite file [/etc/nsswitch.conf] [1]: Operation not permitted [error] Unable to create symbolic links [1]: Operation not permitted [error] Unable to activate profile [minimal] [1]: Operation not permitted Unable to activate profile [1]: Operation not permitted
and prettry sure it has nothing to do with the config there is no reference with "sss" in /etc/authselect nor in /etc/pam for the sake of god just SHUT UP in case of "dlopen(/usr/lib64/security/pam_sss.so)" and whatever could be optionally dl-opened the whole purpose of dlopen is NOT to link and require something unconditional [root@testserver:/etc/pam.d]$ cat * | grep sss cat: smtp: No such file or directory [root@testserver:/etc/pam.d]$ cd /etc/authselect/ [root@testserver:/etc/authselect]$ cat * | grep sss cat: custom: Is a directory
The mentioned error lines only appear when trying to load a module, and a module is only loaded if it is mentioned in the PAM stack. So, how is it that your PAM stack is empty of any reference to pam_sss and that PAM is still trying to load it?
dunno what happens here but "authselect select minimal" just don't work when /etc/nsswitch.conf is a file and for good reasons has the immutable-flag because i got sick and tried over the years that it was touched randomly and my configs date back way longer than "authselect" existed at all
I've been reviewing this bugzilla and I've discovered something that I overlooked the first time. In https://bugzilla.redhat.com/show_bug.cgi?id=2136047#c6 you are searching for any occurrence of sss in /etc/pam.d and the search fails: [root@testserver:/etc/pam.d]$ cat * | grep sss cat: smtp: No such file or directory Can you check what happens with smtp? Or at least search for sss in another way (grep -R "sss" /etc/pam.d/)?
i cleaned that all up on any machine i maintain and hopefully "authselect opt-out" and the empty "/etc/authselect/" will stay that way after future updates one part of the problems is pretty sure that on Fedora 36 you no longer can uninstall "authselect" and so it was pulled by the dist-upgrade while i unistalled it years ago by intention everywhere [root@srv-rhsoft:~]$ rpm -e authselect error: Failed dependencies: authselect >= 1.3 is needed by (installed) pam-1.5.2-13.fc36.x86_64 authselect is needed by (installed) nss-mdns-0.15.1-5.fc36.x86_64
So, just to be clear. Does the problem persist and you see log errors of pam_sss missing on your system?
after the complete cleanup all is fine but given that "authselect opt-out" removes everything from /etc/authselect expcept a empty directory and two useless nsswitch-files i hope that stuff won't come back with the next "authselect" package update - in a perfct world the whole package would still be optional as it's not needed on most setups at all i cleaned everything in /etc/pma.d by hand (once again)
In that case I'm closing this bugzilla. Feel free to reopen it if the problem happens again.
as i feared after upgrading a F35 machine with empty "/etc/authselect/" and for sure no sss-line in /etc/pam.d/ to F36 the same issue how can i *really* opt-out once and forever from "authselect"? [root@buildserver:~]$ ls /etc/authselect/ total 40K drwxr-xr-x 2 root root 4.0K 2022-05-12 11:54 custom -rw-r--r-- 1 root root 423 2022-11-21 13:18 dconf-db -rw-r--r-- 1 root root 452 2022-11-21 13:18 dconf-locks -rw-r--r-- 1 root root 332 2022-11-21 13:18 fingerprint-auth -rw-r--r-- 1 root root 2.1K 2022-11-21 13:18 password-auth -rw-r--r-- 1 root root 587 2022-11-21 13:18 postlogin -rw-r--r-- 1 root root 332 2022-11-21 13:18 smartcard-auth -rw-r--r-- 1 root root 2.1K 2022-11-21 13:18 system-auth -rw-r--r-- 1 root root 25 2022-11-21 13:18 authselect.conf -rw-r--r-- 1 root root 671 2022-11-21 13:18 nsswitch.conf [root@buildserver:/etc/pam.d]$ cat * | grep sss auth sufficient pam_sss.so forward_pass account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_sss.so use_authtok session optional pam_sss.so auth sufficient pam_sss.so forward_pass account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_sss.so use_authtok session optional pam_sss.so [root@buildserver:/etc/pam.d]$ rpm -qa | grep sss [root@buildserver:/etc/pam.d]$ [root@buildserver:~]$ locate pam_sss.so [root@buildserver:~]$
"authselect opt-out" is the suggested solution to disable authselect in an environment as it is explained in https://fedoraproject.org/wiki/Changes/Authselect_Require_explicit_opt-out @pbrezina can you help us?
maybe "authselect opt-out" just don't work when "authselect" was completly removed and is pulled for reasons only god knows later due updates this wasn't the case before F36 and i can't even remotely understand why pam requires authselect at all because it sounds like the tail is waving with the dog [root@buildserver:~]$ rpm -e authselect error: Failed dependencies: authselect >= 1.3 is needed by (installed) pam-1.5.2-13.fc36.x86_64
Fedora 36 has implemented a change which make one-time opt-in for all users. See https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory So when you upgraded from F35 to F36 you were automatically opted-in to authselect. If you now opt-out, it will stay like that forever.