Bug 820483 - Systemd upgrade breaks manual pam configurations
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 16
Hardware: Unspecified
OS: Unspecified
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
Duplicates: 839696
 
Reported: 2012-05-10 06:42 UTC by Ian Dall
Modified: 2012-07-12 15:23 UTC

Fixed In Version: systemd-185-1.fc18
Doc Type: Bug Fix
Last Closed: 2012-06-07 08:04:41 UTC
Type: Bug

Description Ian Dall 2012-05-10 06:42:48 UTC
Description of problem:
I have a manually configured /etc/pam.d/system-auth (it is not a symlink to system-auth-ac).

If systemd is upgraded automatically or manually, the install script insists on running authconfig if system-auth is not a symlink, thus causing my deliberately modified system-auth (and password-auth, nsswitch.conf, sssd.conf, etc.) to be overwritten. Users then can't log in, which is most unfriendly.

Version-Release number of selected component (if applicable):

systemd-37-19.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Remove /etc/pam.d/system-auth
2. Copy /etc/pam.d/system-auth-ac to /etc/pam.d/system-auth
3. Modify /etc/pam.d/system-auth (adding a comment will do)
4. Re-install systemd
  
Actual results:
The change made in step 3 (above) disappears.

Expected results:
The change made in step 3 (above) should not disappear.

Additional info:

Un-installing authconfig seems like the right thing to do but systemd depends on authconfig. The authconfig installation itself preserves these files with %config(noreplace) in the spec file. Unfortunately systemd stomps all over them.

The systemd install script has

if ! /bin/grep -q pam_systemd /etc/pam.d/system-auth-ac >/dev/null 2>&1 || ! [ -h /etc/pam.d/system-auth ] ; then

I think it should be something like

if ! /bin/grep -q pam_systemd /etc/pam.d/system-auth-ac >/dev/null 2>&1 && [ -h /etc/pam.d/system-auth ] ; then

Although even this is not quite right. Authconfig can change multiple config files and maybe a system administrator has left system-auth as a symbolic link, but changed one of the other files. Perhaps the onus is on the sysadmin not to leave these links in place, but personally I think it would be better to remove authconfig as a requirement and only run it if it exists.  

A warning if system-auth does not include pam_systemd might be nice.

Why not just use authconfig? a) I need to work around peculiarities of the local corporate environment; and b) some interesting pam modules (e.g. pam_time) are not supported through authconfig. I expect that authconfig will always be less flexible than manual configuration.

Comment 1 Michal Schmidt 2012-05-10 07:55:07 UTC
A workaround could be to save your configuration as /etc/pam.d/system-auth-mine and make /etc/pam.d/system-auth a symlink to it. According to "man authconfig", authconfig will not relink it if the symlink points to another file than system-auth-ac.

We added the symlink check as a fix for bug 753160.
A related bug is being discussed: bug 815413.

Comment 2 Tomas Mraz 2012-05-10 08:24:41 UTC
As Michal said, if you need to customize your system-auth/password-auth... files so authconfig does not touch them, you have to follow the recommendation in the system-auth-ac(5) manual page. This is clearly a NOTABUG.

Comment 3 Ian Dall 2012-05-10 12:21:33 UTC
Thanks for the quick response. I had read system-auth-ac.5 but misinterpreted it to mean "authconfig will only tamper with the *-ac files", in which case replacing the symlink with a plain file would have worked. My mistake.

It still seems a bit cavalier for the systemd install to go running authconfig without checking it is harmless. There are ways this could go wrong. For example, if system-auth is a symlink to system-auth.local and system-auth-ac (which is not actually being used, remember) either doesn't exist or doesn't have pam_systemd in it. Then authconfig will run. It will leave system-auth alone, but it will stomp all over the OTHER config files like /etc/sssd.conf or /etc/nsswitch.conf.

Sure I can "fix this" by making sure there IS a system-auth-ac file with at least the string "pam_systemd" in it, but this isn't very robust. It means I have to be constantly on top of the install scripts for all of the packages to make sure there is not some other magic string going to be expected by this or some other package in the future.

I'd really like a "don't ever use authconfig automatically" type of option as an enhancement to authconfig or else for systemd to not require authconfig as a dependency.
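
Added example (not part of the bug report or of the systemd package): the two scriptlet tests quoted in the description, evaluated against the PAM layouts discussed in the description and in comment 3, to show in which of them authconfig would be run. The function names, layout names and file contents are constructed for illustration, and the files live in a scratch directory rather than /etc/pam.d.

```shell
#!/bin/sh
# Added example: "$1" is a scratch directory standing in for /etc/pam.d.
# grep is looked up on PATH here; the scriptlet calls /bin/grep.

# Test quoted from the scriptlet; status 0 means authconfig would be run.
scriptlet_cond() {
    ! grep -q pam_systemd "$1/system-auth-ac" >/dev/null 2>&1 || ! [ -h "$1/system-auth" ]
}

# Test proposed in the description.
proposed_cond() {
    ! grep -q pam_systemd "$1/system-auth-ac" >/dev/null 2>&1 && [ -h "$1/system-auth" ]
}

# Constructed layout. $2: plain | link-ac | link-local; $3: with | without | missing
make_layout() {
    mkdir -p "$1"
    case $3 in
        with)    echo 'session optional pam_systemd.so' > "$1/system-auth-ac" ;;
        without) echo 'session required pam_unix.so' > "$1/system-auth-ac" ;;
    esac
    case $2 in
        plain)      echo '# hand-edited' > "$1/system-auth" ;;
        link-ac)    ln -s system-auth-ac "$1/system-auth" ;;
        link-local) echo '# hand-edited' > "$1/system-auth.local"
                    ln -s system-auth.local "$1/system-auth" ;;
    esac
}

# Prints "<scriptlet> <proposed>", each either run or skip.
verdict() {
    tmp=$(mktemp -d) || return 1
    make_layout "$tmp/pam.d" "$1" "$2"
    s=skip; p=skip
    if scriptlet_cond "$tmp/pam.d"; then s=run; fi
    if proposed_cond "$tmp/pam.d"; then p=run; fi
    rm -rf "$tmp"
    echo "$s $p"
}

printf '%-11s %-8s %s\n' system-auth ac-file 'scriptlet proposed'
for layout in 'plain with' 'link-ac with' 'link-ac without' 'link-local missing'; do
    set -- $layout
    printf '%-11s %-8s %s\n' "$1" "$2" "$(verdict "$1" "$2")"
done
```

The first row is the layout from the steps to reproduce; the last row is the comment 3 layout, where both tests still lead to authconfig being run.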

Comment 4 Michal Schmidt 2012-06-07 08:04:41 UTC
The calls to authconfig have been removed from systemd scriptlets in Rawhide. Scriptlets in F16, F17 will have to remain as they are.

Comment 5 Michal Schmidt 2012-07-12 15:23:36 UTC
*** Bug 839696 has been marked as a duplicate of this bug. ***

