605857 – Add --enable/disableforcelegacy option to authconfig

Bug 605857 - Add --enable/disableforcelegacy option to authconfig

Summary: Add --enable/disableforcelegacy option to authconfig

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	authconfig
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	610818 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-06-18 23:37 UTC by Steve Bennett
Modified:	2010-08-24 01:36 UTC (History)
CC List:	2 users (show)
Fixed In Version:	authconfig-6.1.8-1.fc14
Clone Of:
Environment:
Last Closed:	2010-08-24 01:36:35 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Steve Bennett 2010-06-18 23:37:15 UTC

Description of problem:

SSSD does not currently work well enough with MS Active Directory for our purposes. We have an existing Kerberos/LDAP configuration which suits us, but we wish to install systems with Fedora 13 and kickstart.

If authconfig is used to configure network authentication/authorization during a kickstart install, it appears to always use SSSD, even if that subsystem is explicitly disabled with '--disablesssd' or --disablesssdauth', authconfig always configures /etc/nsswitch.conf and /etc/pam.d/system-auth to use SSSD.

Version-Release number of selected component (if applicable):
    authconfig-6.1.4-2.fc13.i686

How reproducible:
Install system using the following in ks.cfg
    authconfig --enableshadow --enablemd5 --enablecache --enableldap --enablekrb5 --disablesssd --disablesssdauth

Actual results:
/etc/nsswitch.conf contains entries:
    passwd:     files sss
    shadow:     files sss
    group:      files sss
/etc/pam.d/system-auth contains entries
    auth        sufficient    pam_sss.so use_first_pass

Expected results:
/etc/nsswitch.conf contains entries:
    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap

/etc/pam.d/system-auth contains entries
    auth        sufficient    pam_krb5.so use_first_pass

Additional info:
authconfig worked as expected in Fedora 12.

Comment 1 Tomas Mraz 2010-06-21 06:57:08 UTC

You can force the legacy services with putting FORCELEGACY=yes to /etc/sysconfig/authconfig and running authconfig --updateall

Comment 2 Steve Bennett 2010-06-21 08:25:59 UTC

(In reply to comment #1)
> You can force the legacy services with putting FORCELEGACY=yes to
> /etc/sysconfig/authconfig and running authconfig --updateall    

Great News! I'll try this out. Is it documented anywhere?

Comment 3 Tomas Mraz 2010-06-21 09:04:13 UTC

Not yet. I'll add it to the authconfig manpage.

Comment 4 Steve Bennett 2010-06-24 10:02:38 UTC

Sorry for not replying immediately. I've just tried your suggestion and it appears to work - thanks!

Can you suggest how this workaround can be used during a Kickstart installation?
The best solution I can come up with is to apply it as a post-install action, which seems slightly ugly - is there a better way?

BTW What do the "--disablesssd" and "--disablesssdauth" options do, if they don't disable SSSD?

Comment 5 Tomas Mraz 2010-06-24 10:18:58 UTC

They are opposite of the --enablesssd and --enablesssdauth. That is they clear these flags that basically say 'I want to configure sssd in nsswitch.conf and pam.d/system-auth... but I don't want authconfig to mess with /etc/sssd/sssd.conf'.

As for the kickstart - you need to somehow modify the /etc/sysconfig/authconfig prior to the first run of authconfig. I am not an expert on kickstarts so I can't say this is possible. Perhaps a custom rpm package could be used for that but I suppose you would not like this solution either.

So the only possiblity would be to add --enableforcelegacy/disableforcelegacy options to authconfig, I can take it as RFE.

Comment 6 Steve Bennett 2010-06-24 10:27:16 UTC

> They are opposite of the --enablesssd and --enablesssdauth.
> That is they clear these flags that basically say 'I want
> to configure sssd in nsswitch.conf and pam.d/system-auth...
> but I don't want authconfig to mess with /etc/sssd/sssd.conf'.

Well that comes back to my original bug report then. nsswitch.conf and pam.d/system-auth get updated for SSSD regardless. The "--disablesssd" and "--disablesssdauth" options have no effect that I can see.

> So the only possiblity would be to add --enableforcelegacy/disableforcelegacy
> options to authconfig, I can take it as RFE.

Yes please!

Comment 7 Tomas Mraz 2010-06-24 11:15:17 UTC

Maybe I did not state it clearly above - the --disablesssd.... options are reverse of --enablesssd.... and not a mean of disabling the implicit SSSD support in authconfig.

OK, let's reopen this as RFE.

Comment 8 Tomas Mraz 2010-07-07 08:13:59 UTC

*** Bug 610818 has been marked as a duplicate of this bug. ***

Comment 9 Fedora Update System 2010-08-10 15:57:24 UTC

authconfig-6.1.8-1.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/authconfig-6.1.8-1.fc14

Comment 10 Fedora Update System 2010-08-11 02:56:15 UTC

authconfig-6.1.8-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update authconfig'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/authconfig-6.1.8-1.fc14

Comment 11 Fedora Update System 2010-08-24 01:36:27 UTC

authconfig-6.1.8-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.