Bug 605857 - Add --enable/disableforcelegacy option to authconfig
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: authconfig
Version: rawhide
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature, Reopened
Duplicates: 610818
Reported: 2010-06-18 19:37 EDT by Steve Bennett
Modified: 2010-08-23 21:36 EDT
Fixed In Version: authconfig-6.1.8-1.fc14
Doc Type: Enhancement
Last Closed: 2010-08-23 21:36:35 EDT
Description Steve Bennett 2010-06-18 19:37:15 EDT
Description of problem:

SSSD does not currently work well enough with MS Active Directory for our purposes. We have an existing Kerberos/LDAP configuration which suits us, but we wish to install systems with Fedora 13 and kickstart.

If authconfig is used to configure network authentication/authorization during a kickstart install, it appears to always use SSSD; even if that subsystem is explicitly disabled with '--disablesssd' or '--disablesssdauth', authconfig always configures /etc/nsswitch.conf and /etc/pam.d/system-auth to use SSSD.

Version-Release number of selected component (if applicable):
    authconfig-6.1.4-2.fc13.i686

How reproducible:
Install system using the following in ks.cfg
    authconfig --enableshadow --enablemd5 --enablecache --enableldap --enablekrb5 --disablesssd --disablesssdauth

Actual results:
/etc/nsswitch.conf contains entries:
    passwd:     files sss
    shadow:     files sss
    group:      files sss
/etc/pam.d/system-auth contains entries
    auth        sufficient    pam_sss.so use_first_pass

Expected results:
/etc/nsswitch.conf contains entries:
    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap

/etc/pam.d/system-auth contains entries
    auth        sufficient    pam_krb5.so use_first_pass

Additional info:
authconfig worked as expected in Fedora 12.
Comment 1 Tomas Mraz 2010-06-21 02:57:08 EDT
You can force the legacy services by putting FORCELEGACY=yes in /etc/sysconfig/authconfig and running authconfig --updateall
Comment 2 Steve Bennett 2010-06-21 04:25:59 EDT
(In reply to comment #1)
> You can force the legacy services with putting FORCELEGACY=yes to
> /etc/sysconfig/authconfig and running authconfig --updateall    

Great News! I'll try this out. Is it documented anywhere?
Comment 3 Tomas Mraz 2010-06-21 05:04:13 EDT
Not yet. I'll add it to the authconfig manpage.
Comment 4 Steve Bennett 2010-06-24 06:02:38 EDT
Sorry for not replying immediately. I've just tried your suggestion and it appears to work - thanks!

Can you suggest how this workaround can be used during a Kickstart installation?
The best solution I can come up with is to apply it as a post-install action, which seems slightly ugly - is there a better way?

BTW What do the "--disablesssd" and "--disablesssdauth" options do, if they don't disable SSSD?
Comment 5 Tomas Mraz 2010-06-24 06:18:58 EDT
They are the opposite of the --enablesssd and --enablesssdauth. That is, they clear these flags that basically say 'I want to configure sssd in nsswitch.conf and pam.d/system-auth... but I don't want authconfig to mess with /etc/sssd/sssd.conf'.

As for the kickstart - you need to somehow modify the /etc/sysconfig/authconfig prior to the first run of authconfig. I am not an expert on kickstarts so I can't say this is possible. Perhaps a custom rpm package could be used for that but I suppose you would not like this solution either.

So the only possibility would be to add --enableforcelegacy/disableforcelegacy options to authconfig. I can take it as an RFE.
Comment 6 Steve Bennett 2010-06-24 06:27:16 EDT
> They are opposite of the --enablesssd and --enablesssdauth.
> That is they clear these flags that basically say 'I want
> to configure sssd in nsswitch.conf and pam.d/system-auth...
> but I don't want authconfig to mess with /etc/sssd/sssd.conf'.

Well that comes back to my original bug report then. nsswitch.conf and pam.d/system-auth get updated for SSSD regardless. The "--disablesssd" and "--disablesssdauth" options have no effect that I can see.

> So the only possibility would be to add --enableforcelegacy/disableforcelegacy
> options to authconfig, I can take it as RFE.

Yes please!
Comment 7 Tomas Mraz 2010-06-24 07:15:17 EDT
Maybe I did not state it clearly above - the --disablesssd.... options are the reverse of --enablesssd.... and not a means of disabling the implicit SSSD support in authconfig.

OK, let's reopen this as RFE.
Comment 8 Tomas Mraz 2010-07-07 04:13:59 EDT
*** Bug 610818 has been marked as a duplicate of this bug. ***
Comment 9 Fedora Update System 2010-08-10 11:57:24 EDT
authconfig-6.1.8-1.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/authconfig-6.1.8-1.fc14
Comment 10 Fedora Update System 2010-08-10 22:56:15 EDT
authconfig-6.1.8-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update authconfig'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/authconfig-6.1.8-1.fc14
Comment 11 Fedora Update System 2010-08-23 21:36:27 EDT
authconfig-6.1.8-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
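
A check for the condition reported in this bug, as an added example that is not part of the original thread or of authconfig: it reports which backend each NSS database uses and whether pam_sss.so is still referenced. The function names and the sample files (constructed from the "Actual results" and "Expected results" in the description) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether SSSD is still wired
# into NSS and PAM. File paths are arguments, so the check can run against the
# installed files or against the constructed samples below.

# Print "sss", "ldap" or "other" for one nsswitch.conf database.
nss_backend() {  # usage: nss_backend <nsswitch.conf> <passwd|shadow|group>
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) { if ($i == "sss") s = 1; if ($i == "ldap") l = 1 } }
        END { print (s ? "sss" : (l ? "ldap" : "other")) }' "$1"
}

# Succeed if an active (non-comment) PAM line names the given module.
pam_uses() {  # usage: pam_uses <pam file> <module.so>
    awk -v mod="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == mod) hit = 1 }
        END { exit !hit }' "$1"
}

# Return 0 only if no SSSD reference remains; print one finding per line.
check_legacy_auth() {  # usage: check_legacy_auth <nsswitch.conf> <system-auth>
    rc=0
    for db in passwd shadow group; do
        backend=$(nss_backend "$1" "$db")
        echo "nss $db: $backend"
        if [ "$backend" = "sss" ]; then rc=1; fi
    done
    if pam_uses "$2" pam_sss.so; then echo "pam: pam_sss.so present"; rc=1; fi
    return "$rc"
}

# Constructed samples built from the report's actual and expected results.
write_samples() {  # usage: write_samples <dir>
    for be in sss ldap; do
        printf '%s:     files %s\n' passwd "$be" shadow "$be" group "$be" \
            > "$1/nsswitch.$be"
    done
    echo 'auth        sufficient    pam_sss.so use_first_pass'  > "$1/system-auth.sss"
    echo 'auth        sufficient    pam_krb5.so use_first_pass' > "$1/system-auth.krb5"
}

samples=$(mktemp -d) && write_samples "$samples"
check_legacy_auth "$samples/nsswitch.sss" "$samples/system-auth.sss" \
    || echo "SSSD still configured"
```

On an installed system the arguments would be /etc/nsswitch.conf and /etc/pam.d/system-auth, for instance at the end of a kickstart post-install step after authconfig --updateall has run.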
