Bug 590447 - After a brand new install from live DVD, can't login to Windows AD
Summary: After a brand new install from live DVD, can't login to Windows AD
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2010-05-09 15:47 UTC by Oded Arbel
Modified: 2010-10-11 19:26 UTC

Fixed In Version: authconfig-6.1.11-1.fc15
Doc Type: Enhancement
Doc Text:
Clone Of:
: 590617
Last Closed: 2010-10-11 19:26:50 UTC
Type: ---

Description Oded Arbel 2010-05-09 15:47:07 UTC
Description of problem:
After a brand new installation of Fedora 13 (Live DVD beta ISO as downloaded from "Get Fedora"), in the first run wizard I configured Fedora to use ADS authentication against my PDC.

After the wizard completes, I cannot log in to the system using AD users.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install a new Fedora 13 on an empty machine
2. Configure MS-Windows domain authentication using ads
3. Try to log in using an AD user
Actual results:
Get "authentication failure" message

Expected results:
Should be able to log in

Additional info:
The join process has completed successfully, and can be tested by running 'net -u Administrator join status' (after installing samba-winbind and samba-common), but 'wbinfo' failed to get any results. The problem seems to be that the winbind service was not running, though it must be running for pam_winbind to successfully authenticate.

Worse - the default installation installs only samba-winbind-clients which does not include the service and thus a default installation cannot really authenticate against a Windows domain.

In order to work around the issue, you have to manually install samba-winbind, then manually start the service, and finally you should manually set the winbind service to run when the system starts by executing 'chkconfig winbind on' (otherwise you won't be able to log on after a system restart).

The authconfig wizard should make sure that if the user chooses Windows domain authentication that the correct packages are installed, that the winbind service is in the run level configuration and that it is running - all this before completing the set up process and continuing to the log in screen.

This may only be relevant to the Live DVD installer - I have not tested the installation DVD, though I will soon.

Comment 1 Simo Sorce 2010-05-09 16:27:54 UTC
Looks like an authconfig bug.

Comment 2 Tomas Mraz 2010-05-10 08:45:16 UTC
Not a bug. This is a feature request for authconfig to be able to install packages missing for requested functionality.

Comment 3 Tomas Mraz 2010-05-10 08:45:57 UTC
Workaround would be to add the necessary packages to comps as default.

Comment 4 Oded Arbel 2010-05-10 09:43:22 UTC
I hardly see this issue as a feature request - the system allows the user to configure AD login, and gives no notification that additional work is needed, but the log in will not work.

100% of users that configured AD login will not succeed logging in and will receive no help from the system or documentation on what to do. This is definitely a bug. 

There are actually two distinct issues here:
1. samba-winbind which is a pre-requisite to get winbind based logins to work is not installed by default, instead you get something called samba-winbind-clients which I'm not really sure is very useful on its own. I have to question why the winbind client libraries are in a separate package as it's quite obvious you must have a winbind daemon running on the local machine in order to make use of the client libraries.
2. authconfig completes the setup process for winbind logins without making sure that the winbind service is running and will be running on the next system reboot.

I would have handled problem 1 in either managing software dependencies so that authconfig requires samba-winbind; or have authconfig detect if the winbind service is available and not offer to configure winbind login unless it is available.

Once problem 1 is solved, you can fix problem 2 by making sure that when the user confirms the winbind login configuration, authconfig will start the winbind service and add it to the runlevel.

Comment 5 Tomas Mraz 2010-05-10 09:50:03 UTC
Authconfig will do the 2. in case the winbind daemon is installed.

Authconfig will not directly depend on winbind as I do not want to pull it in unconditionally as it can also set up other authentication/userid services.

In case the samba-winbind-clients is not really usable on its own it should really require samba-winbind and thus this problem would be solved this way.

Or you can request adding samba-winbind to comps as default.

The feature request is for authconfig to install the required packages if they are missing.

Comment 6 Oded Arbel 2010-05-10 10:28:01 UTC
Thanks. What do you expect to be the schedule for this feature? From the "FutureFeature" keyword I understand that it won't be ready for Fedora 13?

I'll file a separate bug to handle the samba-winbind-clients vs. samba-winbind situation in comps, as it appears that nothing (except samba-winbind) actually requires samba-winbind-clients and from that I understand that the reason that package is included in the live DVD is that someone thought it's enough to do AD auth.

Comment 7 Oded Arbel 2010-05-10 10:34:16 UTC
One more question though - shouldn't authconfig report a problem if winbind authentication is configured and it doesn't manage to start the winbind service (e.g. due to it being missing)?

That way at least the user will note that their configuration did not succeed and has a good idea where to look for a solution.

Comment 8 Tomas Mraz 2010-05-10 10:38:30 UTC
It probably should report that winbind is missing - currently it checks only for the libnss_winbind and pam_winbind libraries.

The schedule is definitely F14 or later given other work constraints.

F13 is basically done at this point.

Comment 9 Tomas Mraz 2010-10-11 19:26:50 UTC
Authconfig GUI now disallows setting identity and authentication methods with missing critical files.
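
The check discussed in comments 7 to 9, as an added example that is not part of the bug report and is not authconfig's code: a preflight that looks for the winbind daemon, its init script and a boot-time start link in addition to the two libraries. The function names, the root-prefix argument and the file paths are assumptions (a typical SysV-init Fedora layout); it inspects files only and does not test whether the service is currently running.

```shell
#!/bin/sh
# Added example (not authconfig code): preflight check for winbind logins.
# Paths assume a SysV-init Fedora layout; they are not taken from the report.

# Print a "missing" line and fail if no candidate path exists under $WB_ROOT.
need_any() {
    label=$1; shift
    for p in "$@"; do
        [ -e "$WB_ROOT$p" ] && return 0
    done
    printf 'missing: %s\n' "$label"
    return 1
}

# 'chkconfig winbind on' creates per-runlevel start links (S<nn>winbind).
enabled_at_boot() {
    for l in "$WB_ROOT"/etc/rc.d/rc"$1".d/S[0-9][0-9]winbind; do
        { [ -L "$l" ] || [ -e "$l" ]; } && return 0
    done
    printf 'missing: boot-time start link for runlevel %s\n' "$1"
    return 1
}

# Report every missing piece; succeed only when all are present.
# $1 is an optional root prefix (empty means the running system).
winbind_preflight() {
    WB_ROOT=${1:-}
    rc=0
    need_any "pam_winbind module" \
        /lib/security/pam_winbind.so /lib64/security/pam_winbind.so || rc=1
    need_any "libnss_winbind library" \
        /lib/libnss_winbind.so.2 /lib64/libnss_winbind.so.2 || rc=1
    need_any "winbindd daemon (samba-winbind)" /usr/sbin/winbindd || rc=1
    need_any "winbind init script" /etc/rc.d/init.d/winbind || rc=1
    enabled_at_boot 5 || rc=1
    return $rc
}

# Constructed demo tree: both libraries present, daemon package absent.
demo=$(mktemp -d)
mkdir -p "$demo/lib/security"
: > "$demo/lib/security/pam_winbind.so"
: > "$demo/lib/libnss_winbind.so.2"
winbind_preflight "$demo" || echo "winbind logins would fail on this tree"
rm -rf "$demo"
```

On an installed system, `winbind_preflight` with no argument checks the running root; a non-zero exit means the login configuration should not be treated as complete.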
