Because of the way that glibc does not reload /etc/nsswitch.conf we decided (back in Fedora 18) to always have 'sss' in /etc/nsswitch.conf. At least until a better fix could be found. It is installed by default by glibc on a newly installed /etc/nsswitch.conf, and should always be present. However ipa-client-install --uninstall removes 'sss' from /etc/nsswitch.conf. This causes problems with later uses of sssd.
[root@stef-redhat data]# rpm -qf /etc/nsswitch.conf
glibc-2.17-4.fc19.x86_64
[root@stef-redhat data]# mv /etc/nsswitch.conf /etc/nsswitch.conf.bak
mv: overwrite ‘/etc/nsswitch.conf.bak’? yes
[root@stef-redhat data]# yum reinstall glibc
Loaded plugins: langpacks, refresh-packagekit
Resolving Dependencies
--> Running transaction check
---> Package glibc.x86_64 0:2.17-4.fc19 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch          Version            Repository          Size
================================================================================
Reinstalling:
 glibc          x86_64        2.17-4.fc19        fedora             3.6 M

Transaction Summary
================================================================================
Reinstall  1 Package

Total download size: 3.6 M
Installed size: 13 M
Is this ok [y/N]: y
Downloading packages:
glibc-2.17-4.fc19.x86_64.rpm                             | 3.6 MB     00:04
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : glibc-2.17-4.fc19.x86_64                                     1/1
  Verifying  : glibc-2.17-4.fc19.x86_64                                     1/1

Installed:
  glibc.x86_64 0:2.17-4.fc19

Complete!
[stef@stef-redhat projects]$ grep sss /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files sss
netgroup:   files sss
automount:  files sss
[stef@stef-redhat projects]$ sudo ipa-client-install
[sudo] password for stef:
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): ipa.thewalter.lan
Discovery was successful!
Hostname: stef-redhat.thewalter.lan
Realm: IPA.THEWALTER.LAN
DNS Domain: ipa.thewalter.lan
IPA Server: dc.ipa.thewalter.lan
BaseDN: dc=ipa,dc=thewalter,dc=lan

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin.LAN:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.THEWALTER.LAN
    Issuer:      CN=Certificate Authority,O=IPA.THEWALTER.LAN
    Valid From:  Wed Apr 17 12:45:40 2013 UTC
    Valid Until: Sun Apr 17 12:45:40 2033 UTC

Enrolled in IPA realm IPA.THEWALTER.LAN
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.THEWALTER.LAN
trying https://dc.ipa.thewalter.lan/ipa/xml
Forwarding 'env' to server u'https://dc.ipa.thewalter.lan/ipa/xml'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://dc.ipa.thewalter.lan/ipa/xml'
host_mod: 2.57 client incompatible with 2.47 server at u'https://dc.ipa.thewalter.lan/ipa/xml'
Failed to upload host SSH public keys.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[stef@stef-redhat projects]$ sudo ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]: no
[stef@stef-redhat projects]$ grep sss /etc/nsswitch.conf
[stef@stef-redhat projects]$ echo $?
1
'sss' has been incorrectly removed from /etc/nsswitch.conf even though ipa-client-install claims to have restored it.

Discussion: http://lists.fedoraproject.org/pipermail/devel/2012-October/172688.html

glibc bug which implements the 'sss' by default behavior: https://bugzilla.redhat.com/show_bug.cgi?id=867473
I reproduced this issue too:

# cp /etc/nsswitch.conf /etc/nsswitch.conf.pre-install
# ipa-client-install
...
# diff /etc/nsswitch.conf /etc/nsswitch.conf.pre-install
36c36
< #initgroups: files
---
> initgroups: files
58c58
< netgroup: files sss
---
> netgroup: nisplus sss
62c62
< automount: files sss
---
> automount: files nisplus
# ipa-client-install --uninstall --unattended
# diff /etc/nsswitch.conf /etc/nsswitch.conf.pre-install
33,36c33,36
< passwd: files
< shadow: files
< group: files
< #initgroups: files
---
> passwd: files sss
> shadow: files sss
> group: files sss
> initgroups: files
56c56
< services: files
---
> services: files sss
58c58
< netgroup: files
---
> netgroup: nisplus sss
62c62
< automount: files
---
> automount: files nisplus
However, we do not touch /etc/nsswitch.conf directly; all we do is call authconfig to unconfigure what it configured in the ipa-client-install phase (/usr/sbin/authconfig --enablesssdauth --update --enablesssd):

2013-04-18T11:14:19Z INFO Disabling client Kerberos and LDAP configurations
2013-04-18T11:14:19Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-04-18T11:14:19Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-04-18T11:14:19Z DEBUG Starting external process
2013-04-18T11:14:19Z DEBUG args=/usr/sbin/authconfig --disablesssdauth --update --disablesssd
2013-04-18T11:14:21Z DEBUG Process finished, return code=0
2013-04-18T11:14:21Z DEBUG stdout=
2013-04-18T11:14:21Z DEBUG stderr=

Moving to authconfig component to decide how this should be handled.
realmd calls authconfig with --disablesssdauth but not with --disablesssd for this very reason. http://cgit.freedesktop.org/realmd/realmd/tree/service/realmd-redhat.conf#n30
Yeah, this issue may resolve in ipa-client-install not calling --enablesssdauth and --disablesssdauth at all; I just want to have some resolution from nss. Also adding Jakub Hrozek to CC to have an opinion from the SSSD side.
We should never remove sss from nsswitch. Even if sssd-client is not installed at all, getpwnam would be a noop. If it is installed but sssd is not running then you get a very small performance penalty where the sssd-client marshals the query and attempts to send it to a socket, but this use-case is a really small one.
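One way to verify the invariant stated above (every database that glibc's default nsswitch.conf lists with 'sss' still lists it after a client uninstall), as an added example that is not part of FreeIPA, SSSD or authconfig; the sample configuration is constructed from the post-uninstall diff in the reproduction earlier in this report, and the database list is the one the grep output shows:

```python
# Check that 'sss' survived in /etc/nsswitch.conf (e.g. after
# ipa-client-install --uninstall). Added example; not FreeIPA/SSSD code.
import re
import sys

# Databases that glibc's default nsswitch.conf ships with 'sss'
# (the grep output earlier in the report).
SSS_DATABASES = ("passwd", "shadow", "group", "services",
                 "netgroup", "automount")

# Action specs such as [NOTFOUND=return] are not sources; skip them.
ACTION_RE = re.compile(r"\[[^\]]*\]")

def parse_nsswitch(text):
    """Return {database: [source, ...]} for every active (uncommented) line.
    A commented-out or absent database is simply not in the result, which
    is the state the uninstall left '#initgroups' in."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        entries[db.strip()] = ACTION_RE.sub(" ", rest).split()
    return entries

def databases_missing_sss(text, databases=SSS_DATABASES):
    """Names from `databases` whose active entry does not list 'sss'."""
    entries = parse_nsswitch(text)
    return [db for db in databases if "sss" not in entries.get(db, [])]

# Constructed sample: the post-uninstall state shown in the diff above.
BROKEN_CONF = """\
passwd:     files
shadow:     files
group:      files
#initgroups: files
hosts:      files dns
services:   files
netgroup:   files
automount:  files
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/nsswitch.conf"
    with open(path) as fh:
        missing = databases_missing_sss(fh.read())
    print("databases missing sss:", ", ".join(missing) or "none")
    sys.exit(1 if missing else 0)
```

Run it against a live file to get a non-zero exit status whenever any of the listed databases has lost 'sss', which is the condition this bug produced.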
Ok, we will update our uninstall process. Moving the Bug back to freeipa.

Tomas, do you agree with this update schema?

Client install will call authconfig with:
--enablesssdauth --update --enablesssd

Client uninstall will call authconfig with:
--disablesssdauth --update
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3577
Yes, that would achieve the desired outcome.
Fixed upstream. master: 40966cbe635eb0df80aa8d58c888d325b984ea46
freeipa-3.2.0-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/freeipa-3.2.0-1.fc19
Looks like it's fixed:

[root@f19-3 repo]# ipa-client-install --uninstall -U
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nslcd daemon is not installed, skip configuration
Client uninstall complete.
[root@f19-3 repo]# grep sss /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
services:   files sss
netgroup:   files sss
automount:  files sss
sudoers:    sss
Package freeipa-3.2.0-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.2.0-1.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7911/freeipa-3.2.0-1.fc19
then log in and leave karma (feedback).
freeipa-3.2.0-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.