Bug 594750 - authconfig CLI fails to set up sssd for ldap but GUI works
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 13
Hardware/OS: All Linux
Priority: low, Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-05-21 10:00 EDT by Paul Howarth
Modified: 2010-06-10 11:53 EDT
Fixed In Version: authconfig-6.1.6-1.fc14
Doc Type: Bug Fix
Last Closed: 2010-06-10 11:53:37 EDT

Description Paul Howarth 2010-05-21 10:00:35 EDT
 * Fresh Fedora 13 install from DVD, with language and keyboard settings UK.
 * Create local user "dummy" at firstboot since there is no network at this point
 * Login as "dummy"
 * Enable the network
 * Start a root shell
 * yum update
 * yum --enablerepo=updates-testing update auth\*

At this point I have:
  authconfig-6.1.4-2.fc13.x86_64
  authconfig-gtk-6.1.4-2.fc13.x86_64

Default settings:
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is enabled
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled


I now try to set up ldap auth in the time-honoured way:
# authconfig \
  --enableldap \
  --enableldapauth \
  --ldapserver=ldap://ldap.virtensys.com/ \
  --ldaploadcacert=http://download.virtensys.com/virtensys-ca.crt \
  --enableldaptls \
  --ldapbasedn=dc=virtensys,dc=com \
  --disablefingerprint \
  --updateall
Starting sssd:                                             [FAILED]


The stock sssd.conf is untouched:
# ls -lrt /etc/sssd
total 12
-rw-------. 1 root root 2829 Apr  2 16:56 sssd.conf
-r--------. 1 root root 1809 Apr  2 16:56 sssd.api.conf
drwx------. 2 root root 4096 May 21 13:25 sssd.api.d


Authconfig does know what the config is *supposed* to be though:
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.virtensys.com/"
 LDAP base DN = "dc=virtensys,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.virtensys.com/"
 LDAP base DN = "dc=virtensys,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is disabled
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled


If I now fire up the GUI, don't make any changes and click "Apply", it springs into life:
# authconfig-gtk
Starting sssd:                                             [  OK  ]
# ls -lrt /etc/sssd
total 12
-r--------. 1 root root 1809 Apr  2 16:56 sssd.api.conf
drwx------. 2 root root 4096 May 21 13:25 sssd.api.d
-rw-------. 1 root root 3191 May 21 14:39 sssd.conf

Comment 1 Tomas Mraz 2010-05-21 10:24:37 EDT
Use --update instead of --updateall as a workaround.
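
Added example, not part of the original report and not authconfig's own code: the two `authconfig --test` dumps in the description differ in only a handful of lines, and this Python script parses such dumps and lists the settings that changed between them. The sample strings are abridged from the dumps in the report, and the function names are made up for this example.

```python
# Abridged excerpts of the two `authconfig --test` dumps quoted in the report.
BEFORE = """\
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
pam_ldap is disabled
 LDAP server = "ldap://127.0.0.1/"
pam_fprintd is enabled
pam_sss is disabled by default
 SSSD use instead of legacy services if possible is enabled
"""
AFTER = """\
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.virtensys.com/"
pam_ldap is enabled
 LDAP server = "ldap://ldap.virtensys.com/"
pam_fprintd is disabled
pam_sss is disabled by default
 SSSD use instead of legacy services if possible is enabled
"""


def parse_test_output(text):
    """Map each setting to its value; indented lines are scoped to their module."""
    settings, module = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " = " in line:
            key, value = line.split(" = ", 1)
        else:
            key, _, value = line.partition(" is ")
        if raw[0].isspace() and module:
            key = f"{module}/{key}"  # "LDAP server" exists under nss_ldap and pam_ldap
        else:
            module = key
        settings[key] = value.strip('"')
    return settings


def diff_settings(before, after):
    """Return {setting: (old, new)} for every value that differs between two dumps."""
    old, new = parse_test_output(before), parse_test_output(after)
    return {k: (old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)}


if __name__ == "__main__":
    for key, (old, new) in diff_settings(BEFORE, AFTER).items():
        print(f"{key}: {old} -> {new}")
```

The diff covers only what authconfig reports; as the report shows, /etc/sssd/sssd.conf on disk can still be the untouched stock file, so check its modification time separately.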
