Bug 717300 - Authconfig falsely require nss_ldap for FreeIPA
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 15
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-06-28 10:22 EDT by Stephen Gallagher
Modified: 2011-07-27 04:37 EDT
Last Closed: 2011-07-27 04:37:09 EDT
Description Stephen Gallagher 2011-06-28 10:22:50 EDT
Description of problem:
When selecting User Account Database = FreeIPA, an error message appears:

The /lib64/libnss_ldap.so.2 file was not found, but it is required for FreeIPA support to work properly.
Install the nss-pam-ldapd package, which provides this file.


Version-Release number of selected component (if applicable):
authconfig-6.1.14-2.fc15.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Do not have nss-pam-ldapd installed
2. Select FreeIPA
  
Actual results:
The above error message is printed

Expected results:
Authconfig should be using SSSD for this.

Additional info:
Comment 1 Tomas Mraz 2011-06-28 10:44:01 EDT
What does 'authconfig --test' print?
Comment 2 Stephen Gallagher 2011-06-28 10:52:24 EDT
[root@sgallagh520 ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.bos.redhat.com  ldap://ldap.corp.redhat.com"
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is enabled
 krb5 realm = "REDHAT.COM"
 krb5 realm via dns is enabled
 krb5 kdc = "kerberos.bos.redhat.com,,kerberos.corp.redhat.com"
 krb5 kdc via dns is enabled
 krb5 admin server = "kerberos.corp.redhat.com"
pam_ldap is disabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.bos.redhat.com  ldap://ldap.corp.redhat.com"
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is enabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
Comment 3 Tomas Mraz 2011-06-28 15:14:11 EDT
Hmm, this seems to be related to the 'nss_sss is enabled by default' and 'pam_sss is enabled by default'. These should actually be disabled.

Can you please run 'authconfig --disablesssd --disablesssdauth --update' and then try again to set FreeIPA through the GUI, to see whether the message still appears?
Comment 4 Stephen Gallagher 2011-06-29 08:44:24 EDT
Yup, the message still appears after I do this. The output of authconfig --test had changed to:


[root@sgallagh520 ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.bos.redhat.com ldap://ldap.corp.redhat.com"
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is enabled
 krb5 realm = "REDHAT.COM"
 krb5 realm via dns is enabled
 krb5 kdc = "kerberos.bos.redhat.com,kerberos.corp.redhat.com"
 krb5 kdc via dns is enabled
 krb5 admin server = "kerberos.corp.redhat.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.bos.redhat.com ldap://ldap.corp.redhat.com"
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
Comment 5 Tomas Mraz 2011-06-29 08:59:14 EDT
This is caused by 'krb5 realm via dns is enabled' - this is (perhaps was not) supported by the sssd. Is the situation now different and SSSD supports it?

(That's the Use DNS to resolve hosts to realms checkbox in the GUI.)
Comment 6 Stephen Gallagher 2011-06-29 09:06:32 EDT
No, we don't support it. I also don't recall ever setting that checkbox, which is strange in and of itself. Is that checkbox perhaps set by default?

Of note, we DO support using SRV records to locate KDCs for realms. I don't know if authconfig is aware of that. (Probably a separate bug if not).
Comment 7 Tomas Mraz 2011-06-29 09:32:08 EDT
(In reply to comment #6)
> No, we don't support it. I also don't recall ever setting that checkbox, which
> is strange in and of itself. Is that checkbox perhaps set by default?

It depends on the default contents of the krb5.conf file.

> Of note, we DO support using SRV records to locate KDCs for realms. I don't
> know if authconfig is aware of that. (Probably a separate bug if not).

Yes, this should work with authconfig.
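
Added example, not part of the bug thread and not authconfig's own code: a small parser for the 'authconfig --test' output format quoted above that flags the setting comment 5 identifies as the cause of the nss_ldap requirement. The function names and the sample input are constructed for illustration; treating a disabled 'SSSD use instead of legacy services if possible' line as a reason is an assumption drawn from that setting's name.

```python
import re

# Constructed sample in the format of the 'authconfig --test' output quoted in
# this thread (shortened; values are illustrative, not a new capture).
SAMPLE = """\
nss_ldap is enabled
 LDAP+TLS is disabled
nss_sss is disabled by default
pam_krb5 is enabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is enabled
 krb5 kdc via dns is enabled
pam_sss is disabled by default
 SSSD use instead of legacy services if possible is enabled
"""

# "<name> is [always ]enabled|disabled[ by default][ (options)]"
STATE_LINE = re.compile(
    r"^\s*(.+?) is (?:always )?(enabled|disabled)(?: by default)?(?: \(.*\))?\s*$")

def parse_states(text):
    """Map each on/off line to a bool; 'key = value' lines are ignored."""
    states = {}
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if m:
            # Some names repeat (LDAP+TLS under nss_ldap and pam_ldap); keep the first.
            states.setdefault(m.group(1), m.group(2) == "enabled")
    return states

def legacy_fallback_reasons(states):
    """Settings that, per comments 5 and 6, keep SSSD from covering the setup."""
    reasons = []
    # Assumption from the setting's name: if it is off, legacy services are used.
    if not states.get("SSSD use instead of legacy services if possible", False):
        reasons.append("SSSD use instead of legacy services if possible")
    # DNS host-to-realm mapping is what the thread says SSSD does not support.
    if states.get("krb5 realm via dns", False):
        reasons.append("krb5 realm via dns")
    # 'krb5 kdc via dns' (SRV lookup of KDCs) is supported by SSSD: not a reason.
    return reasons

if __name__ == "__main__":
    st = parse_states(SAMPLE)
    for reason in legacy_fallback_reasons(st):
        print("prevents SSSD from being used:", reason)
    print("nss_ldap enabled:", st.get("nss_ldap"))
```

To check a live system, pass the captured output of 'authconfig --test' to parse_states() in place of SAMPLE.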
