Bug 874527 - sssd.conf generated from scratch is invalid
Summary: sssd.conf generated from scratch is invalid
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: authconfig
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
: ---
Assignee: Tomas Mraz
QA Contact: Iveta Wiedermann
Depends On:
Blocks: 881827
TreeView+ depends on / blocked
Reported: 2012-11-08 11:42 UTC by Nikolai Kondrashov
Modified: 2018-12-01 16:18 UTC (History)
5 users (show)

Fixed In Version: authconfig-6.1.12-13.el6
Doc Type: Bug Fix
Doc Text:
Cause: When --enablesssd or --enablesssdauth options were used with authconfig, it could write an incomplete sssd.conf file. Consequence: The sssd daemon would fail to start. Fix: Authconfig no longer tries to create the sssd.conf file if it does not have complete information to create a sssd domain. Result: There is no failure of sssd start when authconfig updates the system configuration. System administrator must properly manually configure and start sssd if he uses the --enablesssd or --enablesssdauth options with authconfig.
Clone Of:
Last Closed: 2013-02-21 11:02:31 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0486 normal SHIPPED_LIVE authconfig bug fix update 2013-02-20 21:06:28 UTC

Description Nikolai Kondrashov 2012-11-08 11:42:12 UTC
Description of problem:
an sssd.conf generated by authconfig from scratch is invalid.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. rm -f /etc/sssd/sssd.conf
2. authconfig --updateall --enablesssd --enablesssdauth
Actual results:
Starting sssd:                                             [FAILED]

Expected results:
Starting sssd:                                             [OK]

However, it would be better if authconfig didn't reproduce service restart output at all, but instead output an error message and returned a non-successfull exit status.

Additional info:
sssd.conf generated by authconfig:


cache_credentials = True
services = nss, pam
config_file_version = 2

domains = 






Comment 2 Tomas Mraz 2012-11-08 12:34:18 UTC
Authconfig probably shouldn't create sssd.conf at all in this case (when enablesssd and/or enablesssdauth is used).

Comment 3 Tomas Mraz 2012-11-12 19:49:26 UTC
Also authconfig in this case (using the explicit sssd enabledment with --enablesssd or --enablesssdauth) should not try to restart the sssd.

Comment 5 Tomas Mraz 2012-11-13 16:26:12 UTC
Summarizing what will be the fix:

In the case the explicit (not implicit) sssd support is enabled with --enablesssd or --enablesssdauth, authconfig will not write the sssd.conf file and will not try to restart the sssd.

Comment 8 Nikolai Kondrashov 2012-12-03 16:25:51 UTC
Authconfig still creates sssd.conf and restarts sssd when invoked as "authconfig --updateall --enablesssd --enablesssdauth", if sssd.conf doesn't exist

Verified with authconfig-6.1.12-12.el6.x86_64.

Comment 9 Tomas Mraz 2012-12-04 07:35:07 UTC
Can you please attach the output of 'authconfig --test' here?

Comment 10 Nikolai Kondrashov 2012-12-04 14:18:31 UTC
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is enabled
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is enabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled

Comment 11 Tomas Mraz 2012-12-05 15:16:33 UTC
The fix was incomplete. Fixed.
Thanks for testing.

Comment 13 Nikolai Kondrashov 2012-12-07 11:09:40 UTC
Verified fixed in authconfig-6.1.12-13.el6.x86_64.

Comment 16 errata-xmlrpc 2013-02-21 11:02:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.