Description of problem:
When selecting User Account Database = FreeIPA, an error message appears:
The /lib64/libnss_ldap.so.2 file was not found, but it is required for FreeIPA support to work properly. Install the nss-pam-ldapd package, which provides this file.

Version-Release number of selected component (if applicable):
authconfig-6.1.14-2.fc15.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Do not have nss-pam-ldapd installed
2. Select FreeIPA

Actual results:
The above error message is printed

Expected results:
Authconfig should be using SSSD for this.

Additional info:
What does 'authconfig --test' print?
[root@sgallagh520 ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.bos.redhat.com ldap://ldap.corp.redhat.com"
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is enabled
 krb5 realm = "REDHAT.COM"
 krb5 realm via dns is enabled
 krb5 kdc = "kerberos.bos.redhat.com,,kerberos.corp.redhat.com"
 krb5 kdc via dns is enabled
 krb5 admin server = "kerberos.corp.redhat.com"
pam_ldap is disabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.bos.redhat.com ldap://ldap.corp.redhat.com"
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is enabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
Hmm, this seems to be related to 'nss_sss is enabled by default' and 'pam_sss is enabled by default'. These should actually be disabled. Can you please run 'authconfig --disablesssd --disablesssdauth --update' and then try again to set FreeIPA through the GUI, to see whether the message still appears?
Yup, the message still appears after I do this. The output of authconfig --test has changed to:

[root@sgallagh520 ~]# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.bos.redhat.com ldap://ldap.corp.redhat.com"
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is enabled
 krb5 realm = "REDHAT.COM"
 krb5 realm via dns is enabled
 krb5 kdc = "kerberos.bos.redhat.com,kerberos.corp.redhat.com"
 krb5 kdc via dns is enabled
 krb5 admin server = "kerberos.corp.redhat.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.bos.redhat.com ldap://ldap.corp.redhat.com"
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
This is caused by 'krb5 realm via dns is enabled' - this is (or perhaps was) not supported by SSSD. Is the situation now different, and does SSSD support it? (That's the 'Use DNS to resolve hosts to realms' checkbox in the GUI.)
No, we don't support it. I also don't recall ever setting that checkbox, which is strange in and of itself. Is that checkbox perhaps set by default? Of note, we DO support using SRV records to locate KDCs for realms. I don't know if authconfig is aware of that. (Probably a separate bug if not).
(In reply to comment #6)
> No, we don't support it. I also don't recall ever setting that checkbox, which
> is strange in and of itself. Is that checkbox perhaps set by default?

It depends on the default contents of the krb5.conf file.

> Of note, we DO support using SRV records to locate KDCs for realms. I don't
> know if authconfig is aware of that. (Probably a separate bug if not).

Yes, this should work with authconfig.
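A small check script, added here as an example and not part of the bug thread, of authconfig, or of SSSD: it parses `authconfig --test` style output and reports the conditions this thread identifies as the cause, namely the 'krb5 realm via dns' setting (the 'Use DNS to resolve hosts to realms' checkbox) that the SSSD developer says is not supported, plus the nss_sss/pam_sss/nss_ldap state that decides whether authconfig will demand libnss_ldap.so.2. The sample output, the hostnames and realm in it, and the function names `parse_authconfig_test` and `check_freeipa_sssd` are my own constructions, not values from the page.

```python
import re
import shutil
import subprocess

# Constructed sample modelled on the `authconfig --test` output quoted in the
# bug (not a verbatim copy): the state after running
# `authconfig --disablesssd --disablesssdauth --update`, realm/hosts made up.
SAMPLE_AUTHCONFIG_TEST = """\
caching is disabled
nss_files is always enabled
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.example.com"
nss_sss is disabled by default
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is enabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is enabled
 krb5 kdc via dns is enabled
pam_ldap is disabled
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
"""

# "<name> is|are [always] enabled|disabled [by default] [(options)]"
_FLAG_RE = re.compile(
    r"^(?P<name>.+?) (?:is|are) (?:always )?(?P<state>enabled|disabled)"
    r"(?: by default)?(?: \(.*\))?$"
)
# '<name> = "<value>"'
_VALUE_RE = re.compile(r'^(?P<name>.+?) = "(?P<value>.*)"$')


def parse_authconfig_test(text):
    """Return (flags, values): flags maps a setting name to True/False for
    enabled/disabled; values maps quoted settings (realm, servers) to strings.
    Lines that fit neither shape (e.g. 'password hashing algorithm is sha512')
    are ignored. Leading indentation of sub-settings is stripped."""
    flags, values = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FLAG_RE.match(line)
        if m:
            flags[m.group("name")] = m.group("state") == "enabled"
            continue
        m = _VALUE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("value")
    return flags, values


def check_freeipa_sssd(flags):
    """Return findings explaining why authconfig would back FreeIPA with
    nss_ldap (and require libnss_ldap.so.2 from nss-pam-ldapd) rather than SSSD."""
    findings = []
    if flags.get("krb5 realm via dns"):
        findings.append(
            "krb5 realm via dns is enabled: SSSD does not support DNS realm lookup, "
            "so authconfig cannot use SSSD for FreeIPA; clear 'Use DNS to resolve "
            "hosts to realms' (dns_lookup_realm in krb5.conf)")
    if not flags.get("nss_sss"):
        findings.append("nss_sss is disabled: identity lookups bypass SSSD")
    if not flags.get("pam_sss"):
        findings.append("pam_sss is disabled: authentication bypasses SSSD")
    if flags.get("nss_ldap") and not flags.get("nss_sss"):
        findings.append("nss_ldap is enabled without nss_sss: "
                        "/lib64/libnss_ldap.so.2 (nss-pam-ldapd) will be required")
    return findings


def report(text):
    """Parse one `authconfig --test` capture and return its findings."""
    flags, _values = parse_authconfig_test(text)
    return check_freeipa_sssd(flags)


if __name__ == "__main__":
    # Use the live tool when present (it needs root), else the constructed sample.
    if shutil.which("authconfig"):
        text = subprocess.run(["authconfig", "--test"], capture_output=True,
                              text=True, check=False).stdout
    else:
        text = SAMPLE_AUTHCONFIG_TEST
    for finding in report(text) or ["no SSSD/FreeIPA conflicts found"]:
        print("-", finding)
```

Run it as root on the affected host, or pipe a saved capture into `report()`; the first finding it prints for the reporter's configuration is the DNS realm lookup, which is the setting the thread ends up blaming.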