Red Hat Bugzilla – Bug 867473
Always include sss in /etc/nsswitch.conf
Last modified: 2016-11-24 07:33:36 EST
In Fedora 17 and 18 we have a problem where remote users are unable to log in until the machine has been rebooted. This used to work previously. To fix this we probably need to:
Include 'sss' in /etc/nsswitch.conf by default and have the small sssd-client package (with just thepam, nss plugins) installed on all but minimal Fedora installs.
This happens after configuration using authconfig to change /etc/nsswitch.conf (or doing it manually). The changes are not picked up by long running processes like dbus-daemon --system. As far as I can see dbus-daemon then refuses to allow connections from these users. As might be expected, gnome-shell crashes hard when this happens.
There are some other ways to fix this problem, but these do not scale to fix the problem for every possible affected process:
I'm filing this against the authconfig component, but in reality I think it affects more things like comps and anaconda.
* This should be ideally run on a freshly installed system or at
least a system without sss in /etc/nsswitch.conf since last boot.
$ grep sss /etc/nsswitch.conf && "ALREADY HAVE sss"
$ sudo -s
# yum install sssd-tools pamtester
# test -f /etc/sssd/sssd.conf && mv /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak
# echo -e "[sssd]\ndomains=local\nconfig_file_version=2\nservices=nss,pam\n[domain/local]\nid_provider=local" > /etc/sssd/sssd.conf
# chmod 0600 /etc/sssd/sssd.conf
# systemctl start sssd.service
# authconfig --update --enablesssd --enablesssdauth
# sss_useradd --uid=2121 --gecos=Zapp zapp
# passwd zapp # set password for zapp
# pamtester zapp authenticate # type password, should succeed
* Now go to gdm by logging out or switch user.
* Try to log in as zapp.
* Try to log in as zapp.
Stef, this worked previously because Ray and I hacked GDM to call out to the 'id' command in a separate process to look up the users. This worked around the fact that changes to nsswitch.conf weren't applied to running processes.
However, this always basically hid the fact that it wasn't updating systemd, messagebus etc.
This bug doesn't belong to authconfig. It should be reassigned to glibc. There are two ways to fix it. One is to have the Fedora package ship 'sss' as you suggest.
The better solution would be for glibc to provide a mechanism for nsswitch.conf to be reread somehow, though this has been suggested in the past and rebuffed before, because it would require either polling or an inotify watch on the file (or else checking the file directly on every lookup, thereby slowing ID lookups down significantly.
So I suppose a temporary solution would be to put 'sss' in the default config. It will have no effect if SSSD is not installed or not running. (I have tested this just now).
Jeff, I'm trying to generate a patch for this. Wondering where glibc-2.16-75f0d304-fedora.tar.gz comes from? It contains the default nsswitch.conf. Is it in git somewhere?
Or should I instead make a patch?
Created attachment 631443 [details]
f18 branch: Include sss in nsswitch.conf by default
This is a patch to the f18 glibc fedora package.
Created attachment 631478 [details]
f19 branch: Include sss in nsswitch.conf by default
This is a patch to the f19 glibc fedora package
As far as I can tell neither patch does what you claim it does. You claim it adds "sss" to nsswitch.conf. However, both patches simply remove passwd, shadow, group, services and netgroup from nsswitch.conf and do not add sss anywhere.
(In reply to comment #5)
> As far as I can tell neither patch does what you claim it does. You claim
> it adds "sss" to nsswitch.conf. However, both patches simply remove passwd,
> shadow, group, services and netgroup from nsswitch.conf and do not add sss
There's something very strange going on with bugzilla.redhat.com here. It somehow modified my patches.
These are the patches I attached, and can be accessed by clicking on the big descriptive links under the 'Attachments' column in the table above.
For f18: https://bugzilla.redhat.com/attachment.cgi?id=631443
For f19: https://bugzilla.redhat.com/attachment.cgi?id=631478
I have no idea what's going on with the munged patches linked from in comments 3 and 4. :S
It's the &action=diff appearing on the link in c#3 and c#4 that triggers the problem. No clue why though. They're referencing the same underlying attachment, BZ just munges them.
I'll add these to Fedora. We already ship a hacked up nsswitch.conf, so this isn't really going to add to our long term maintenance cost.
nsswitch.conf for F18 and rawhide has been updated. Builds will spin today.
note nss-mdns munges /etc/nsswith.conf hosts line to put
on it (in %post). Two thoughts:
1) is [NOTFOUND=return] important for sss too?
2) Should nsswitch.conf include mdns4_minimal by default as well?
(In reply to comment #9)
> note nss-mdns munges /etc/nsswith.conf hosts line to put
> mdns4_minimal [NOTFOUND=return]
> on it (in %post). Two thoughts:
> 1) is [NOTFOUND=return] important for sss too?
Why? First of all it's last in the list. And secondly, why would we want to not continue to other modules sss returns NOTFOUND?
> 2) Should nsswitch.conf include mdns4_minimal by default as well?
mdns4_minimal [NOTFOUND=return] breaks domains that end in .local, at least it used to. libnss_sss has been designed to not have any impact if sssd is not running, is that the case for libnss_mdns4_minimal?
glibc-2.16-24.fc18 has been submitted as an update for Fedora 18.
glibc-2.16-24.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
I have had to revert the change to nsswitch.conf to workaround an issue causing livecd composes to fail due to the sssd nss library being loaded from the image into the compose process and being unable to successfully compose the Workstation Live
Can you be more specific ?
I am not aware of any issues caused by the nss_sss module
To summarize the discussion we had on IRC just now:
The issue is not specifically with the 'sss' module itself. The issue is that the 'sss' module is lazy-loaded only inside the compose chroot. This results in the system being unable to cleanly unmount the composed filesystem.
There's no inherent bug in the sss module itself, just an unfortunate interaction with other aspects of the compose process.
It's also speculated that this is fallout from the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1089738 as well.
(In reply to Dennis Gilmore from comment #13)
> I have had to revert the change to nsswitch.conf to workaround an issue
> causing livecd composes to fail due to the sssd nss library being loaded
> from the image into the compose process and being unable to successfully
> compose the Workstation Live
I'd like to respectfully request that you restore the old behavior and instead implement the workaround I've proposed in https://bugzilla.redhat.com/show_bug.cgi?id=1127103.
the suggested workaround is not implementable. it needs patches in livecd-creator
Please let's find another workaround, this revert reintroduces a big regression, we have now software counting and depending on sss being already in nsswitch.conf
I've patched the compose tools to preload the sss nss library. and ive added sss back to the default nsswitch.conf file.