Bug 636324 - authconfig troubles with sssd and ldap
Status: CLOSED DUPLICATE of bug 578258
Product: Fedora
Classification: Fedora
Component: authconfig
Hardware: All Linux
Priority: low Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-09-21 18:15 EDT by Orion Poplawski
Modified: 2010-09-24 11:53 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-09-24 11:53:20 EDT
Description Orion Poplawski 2010-09-21 18:15:01 EDT
Description of problem:

Doing F14 installs with my standard F13 kickstart authconfig line:

authconfig --enablemd5 --enableshadow --enablesssd --enablesssdauth --enableldap --enableldapauth --ldapserver=ldap.cora.nwra.com --ldapbasedn=dc=nwra,dc=com --enableldaptls --ldaploadcacert=http://www.cora.nwra.com/cgi-bin/getca.pl

I end up with a different nsswitch.conf than with F13:

< f13, > f14
< passwd:     files sss
< shadow:     files sss
< group:      files sss
> passwd:     files sss ldap
> shadow:     files sss ldap
> group:      files sss ldap
< hosts:      files mdns4_minimal [NOTFOUND=return] dns
> hosts:      files dns
< netgroup:   files sss
> netgroup:   files ldap ldap
< automount:  files ldap
> automount:  files ldap ldap

And lots of errors in logs:

Sep 21 14:27:00 test kdm: :0[18768]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot open shared object file: No such file or directory
Sep 21 14:27:00 test kdm: :0[18768]: PAM adding faulty module: /lib64/security/pam_ldap.so
Sep 21 14:27:00 test kdm: :0[18768]: pam_unix(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=orion
Sep 21 14:27:01 test kdm: :0[18768]: pam_sss(kdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=orion

Sep 21 14:30:01 test crond[18887]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot open shared object file: No such file or directory
Sep 21 14:30:01 test crond[18887]: PAM adding faulty module: /lib64/security/pam_ldap.so

Note that despite the pam_sss success above, kdm fails to log me in.  Perhaps a separate kdm issue?

Version-Release number of selected component (if applicable):
Comment 1 Orion Poplawski 2010-09-21 18:20:28 EDT
system-auth-ac is also different:

< f13, > f14
> auth        sufficient    pam_ldap.so use_first_pass
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> password    sufficient    pam_ldap.so use_authtok
> -session     optional      pam_systemd.so
> session     optional      pam_ldap.so
Comment 2 Tomas Mraz 2010-09-22 02:18:10 EDT
Just remove the --enablesssd --enablesssdauth from your settings above. These options enable the 'explicit sssd support' with user managing sssd.conf by himself.

The only small bug is the double ldap ldap in netgroup and automount lines in /etc/nsswitch.conf.

This is not a F14 blocker.
Comment 3 Orion Poplawski 2010-09-22 16:47:33 EDT
Indeed, that appears to work.  I think a release note may be in order to document this change.
Comment 4 Tomas Mraz 2010-09-23 03:24:21 EDT
I am not sure what would be the Release note content. Can you please open the relnote request and enter the proposed content? Note that even in Fedora 13 the supposed call of authconfig was the same as now. The --enablesssd and --enablesssdauth were never supposed to be passed to authconfig if you wanted the implicit SSSD support. However the behavior when --enablesssd and --enablesssdauth was added might have been slightly different.

Here you can enter the release note request:

Comment 5 Orion Poplawski 2010-09-24 11:53:20 EDT
Sorry, it appears you documented the correct authconfig line in bug 578258, but I didn't get it right in my kickstarts.

*** This bug has been marked as a duplicate of bug 578258 ***
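
A check for the two symptoms reported in this bug: a source repeated on an nsswitch.conf line (the "ldap ldap" entries) and PAM lines that reference a module that is not installed (pam_ldap.so in the logs). This is an added example, not part of the original report or of authconfig; the function names are hypothetical and the sample file contents are constructed from the lines quoted in the thread.

```python
import os
import re

# Constructed samples, modelled on the F14 lines quoted in the report.
SAMPLE_NSSWITCH = """\
passwd:     files sss ldap
hosts:      files mdns4_minimal [NOTFOUND=return] dns
netgroup:   files ldap ldap
automount:  files ldap ldap
"""
SAMPLE_PAM = """\
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
-session     optional      pam_systemd.so
session     optional      pam_ldap.so
"""

def duplicate_sources(nsswitch_text):
    """Map each nsswitch database to the sources it lists more than once."""
    dups = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # [STATUS=action] items are lookup actions, not sources.
        sources = re.sub(r"\[[^\]]*\]", " ", rest).split()
        repeated = sorted({s for s in sources if sources.count(s) > 1})
        if repeated:
            dups[db.strip()] = repeated
    return dups

def missing_pam_modules(pam_text, installed):
    """List modules a PAM stack references that are absent from `installed`."""
    missing = set()
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip()
        # A leading "-" on the type tells PAM not to log a missing module.
        if not line or line.startswith("-"):
            continue
        m = re.search(r"(\S+\.so)(?:\s|$)", line)
        if m and os.path.basename(m.group(1)) not in installed:
            missing.add(os.path.basename(m.group(1)))
    return sorted(missing)

if __name__ == "__main__":
    # On a real host: read /etc/nsswitch.conf and /etc/pam.d/system-auth-ac,
    # and pass set(os.listdir("/lib64/security")) as `installed`.
    print(duplicate_sources(SAMPLE_NSSWITCH))
    print(missing_pam_modules(SAMPLE_PAM, {"pam_sss.so", "pam_unix.so"}))
```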
