Bug 594750 - authconfig CLI fails to set up sssd for ldap but GUI works
Summary: authconfig CLI fails to set up sssd for ldap but GUI works
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-21 14:00 UTC by Paul Howarth
Modified: 2010-06-10 15:53 UTC (History)
1 user (show)

Fixed In Version: authconfig-6.1.6-1.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-10 15:53:37 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Paul Howarth 2010-05-21 14:00:35 UTC 
* Fresh Fedora 13 install from DVD, with language and keyboard settings UK.
 * Create local user "dummy" at firstboot since there is no network at this point
 * Login as "dummy"
 * Enable the network
 * Start a root shell
 * yum update
 * yum --enablerepo=updates-testing update auth\*

At this point I have:
  authconfig-6.1.4-2.fc13.x86_64
  authconfig-gtk-6.1.4-2.fc13.x86_64

Default settings:
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is enabled
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled


I now try to set up ldap auth in the time-honoured way:
# authconfig \
  --enableldap \
  --enableldapauth \
  --ldapserver=ldap://ldap.virtensys.com/ \
  --ldaploadcacert=http://download.virtensys.com/virtensys-ca.crt \
  --enableldaptls \
  --ldapbasedn=dc=virtensys,dc=com \
  --disablefingerprint \
  --updateall
Starting sssd:                                             [FAILED]


The stock sssd.conf is untouched:
# ls -lrt /etc/sssd
total 12
-rw-------. 1 root root 2829 Apr  2 16:56 sssd.conf
-r--------. 1 root root 1809 Apr  2 16:56 sssd.api.conf
drwx------. 2 root root 4096 May 21 13:25 sssd.api.d


Authconfig does know what the config is *supposed* to be though:
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.virtensys.com/"
 LDAP base DN = "dc=virtensys,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.virtensys.com/"
 LDAP base DN = "dc=virtensys,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is disabled
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled


If I now fire up the GUI, don't make any changes and click "Apply", it springs into life:
# authconfig-gtk
Starting sssd:                                             [  OK  ]
# ls -lrt /etc/sssd
total 12
-r--------. 1 root root 1809 Apr  2 16:56 sssd.api.conf
drwx------. 2 root root 4096 May 21 13:25 sssd.api.d
-rw-------. 1 root root 3191 May 21 14:39 sssd.conf
Comment 1 Tomas Mraz 2010-05-21 14:24:37 UTC 
Use --update instead of --updateall as a workaround.
Note You need to log in before you can comment on or make changes to this bug.