Bug 965888 - Enterprise Login option doesn't work with FreeIPA
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: gnome-initial-setup
Version: 19
Assigned To: Jasper St. Pierre
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2013-05-21 18:43 EDT by Simo Sorce
Modified: 2013-06-16 02:07 EDT
Fixed In Version: gnome-initial-setup-0.11-1.fc19
Doc Type: Bug Fix
Last Closed: 2013-06-16 02:07:59 EDT
Type: Bug

Description Simo Sorce 2013-05-21 18:43:01 EDT
After an install from the Live Desktop (beta rc2), I am presented with the request to create a user account.

I have 2 'enterprise' systems that I can use at home.

1. FreeIPA install
2. OpenLDAP install

But if I select the enterprise option I am only given an empty 'Domain' selector and then username and password fields.

I normally prefer to configure things to use my FreeIPA 'domain', but some machines go to the openldap install.

I can't see my FreeIPA domain there (probably because I have no SRV records in this install) nor a way to manually provide options to use my openldap server, so I can't use either apparently.

The 'enterprise' login option should provide a way to provide manual configuration if autodetection fails or is simply not possible (like in the pure LDAP Directory case).
Comment 1 Matthias Clasen 2013-05-21 20:44:41 EDT
Moving this to realmd for consideration.
Comment 2 Simo Sorce 2013-05-21 21:33:24 EDT
It does not work with SRV records either in my setup.
Should I change back the subject?
Comment 3 Adam Williamson 2013-05-21 22:55:34 EDT
let's go with something fairly generic for now, if we figure out what exactly about your FreeIPA config it is that realmd/g-i-s doesn't like, we can adjust it again...
Comment 4 Stef Walter 2013-05-22 09:03:36 EDT
Please run this and paste the output here:

$ realm discover --verbose mydomain.com
Comment 5 Simo Sorce 2013-05-22 09:35:28 EDT
realmd has no chance to work as I just noticed neither anaconda nor g-i-s let you set the machine name (nor the domain name of course).
And on the live desktop install there is also no way to set the domain in Network Manager even when setting the DNS server manually.

I think the 'Enterprise login' thing has never been tested by anybody and appears completely broken.

I am resetting this bug back to g-i-s, I suggest you drop the 'enterprise login' button until it actually can be made to work.
Comment 6 Stef Walter 2013-05-22 09:59:14 EDT
Provided by Simo:

realmd discover --verbose trust.ssimo.org
  * Resolving: _ldap._tcp._msdcs.trust.ssimo.org
  * Sending MS-CLDAP ping to: 192.168.122.240
  ! Discovery timed out after 15 seconds
 trust.ssimo.org
  type: kerberos
  realm-name: TRUST.SSIMO.ORG
  domain-name: trust.ssimo.org
  configured: no
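
Added example, not part of the bug report or of realmd: a small Python parser for the verbose discovery output quoted in comment 6, turning its progress (`*`), warning (`!`) and realm lines into triage findings. The names `parse_discover` and `triage` are hypothetical, and reading a missing `server-software` line as "directory type not identified" is an assumption of this example.

```python
# Output quoted in comment 6 of this bug, copied from the page as-is.
SAMPLE = """\
realmd discover --verbose trust.ssimo.org
  * Resolving: _ldap._tcp._msdcs.trust.ssimo.org
  * Sending MS-CLDAP ping to: 192.168.122.240
  ! Discovery timed out after 15 seconds
 trust.ssimo.org
  type: kerberos
  realm-name: TRUST.SSIMO.ORG
  domain-name: trust.ssimo.org
  configured: no
"""

def parse_discover(text):
    """Split verbose output into progress steps, warnings and realm records."""
    steps, warnings, realms = [], [], []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("* "):
            steps.append(s[2:])
        elif s.startswith("! "):
            warnings.append(s[2:])
        elif ": " in s and " " not in s.split(": ", 1)[0] and realms:
            key, value = s.split(": ", 1)
            realms[-1].setdefault(key, []).append(value)  # keys may repeat
        elif s and " " not in s:
            realms.append({"name": [s]})  # a bare name opens a realm record
    return steps, warnings, realms

def triage(text):
    """Return findings suitable for pasting into an enrollment-failure ticket."""
    steps, warnings, realms = parse_discover(text)
    findings = ["SRV lookup attempted: " + s.split(": ", 1)[1]
                for s in steps if s.startswith("Resolving: ")]
    findings += ["warning: " + w for w in warnings]
    for realm in realms:
        name = realm["name"][0]
        # Assumption of this example: a record without a server-software
        # line means the directory type (IPA, AD) was not identified.
        if "server-software" not in realm:
            kind = ",".join(realm.get("type", ["unknown"]))
            findings.append(f"{name}: server type not identified (type={kind})")
        if realm.get("configured") == ["no"]:
            findings.append(f"{name}: not joined")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```
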
Comment 7 Stef Walter 2013-05-22 10:04:21 EDT
(In reply to Simo Sorce from comment #5)
> realmd has no chance to work as I just noticed neither anaconda nor g-i-s
> let you set the machine name (nor the domain name of course).

Anaconda lets you set this in the network spoke, although it doesn't seem to be shown when doing a Live install.

> I think the 'Enterprise login' thing has never been tested by anybody and
> appears completely broken.

Yes, this functionality in g-i-s has likely never been tested. Although it can be made to work by setting the hostname in the installer (or in the Live Desktop environment).

But yes, the g-i-s stuff has likely never been tested due to the complete brokenness of the Fedora 19 install process until very recently coupled with the complete absence of any domains (even FreeIPA domains!) available anywhere for developers to test against.

The g-i-s Enterprise login code was copied from gnome-control-center, where the functionality does work and has been tested.

> I am resetting this bug back to g-i-s, I suggest you drop the 'enterprise
> login' button until it actually can be made to work.

It can be made to work, but does not actually work without the workaround of setting up the host name.

It should be noted that the authconfig Network Authentication firstboot button has exactly this same problem. In addition it does not install the necessary packages and requires that you know these and manually install them in advance in the installer.
Comment 8 Matthias Clasen 2013-05-22 16:19:20 EDT
https://bugzilla.gnome.org/show_bug.cgi?id=700857
Comment 10 Stef Walter 2013-05-26 09:51:40 EDT
So yes, this feature was completely broken in gnome-initial-setup. It crashed, and didn't look like it had ever been used. I remember being asked in passing to look at this stuff, but I never got around to reviewing the code until now.

Sorry bout that.

18 patches attached to above bugs, which makes things usable.
Comment 11 Stef Walter 2013-05-27 12:36:07 EDT
All upstream patches reviewed, pushed. This makes this feature usable. Although I did only test with 'gnome-initial-setup --force-new-user'

One thing that seems missing from a firstboot type thingy is the ability to set up not just one user, but set defaults for all users, and set up domain logins for any domain user. You might think of this as 'workstation mode'.

gnome-initial-setup as a whole does not currently fill the 'workstation' use case (it sets up one user), and so it's no surprise that the Enterprise login feature that's part of gnome-initial-setup does not fill the workstation use case either.

If in the future gnome-initial-setup gained the feature to be used in a workstation mode, then we could easily extend its Enterprise Login page to match.

Leaving this back in the hands of mclasen at this point. But I think things are ready for a new Fedora package to verify that this functionality works.
Comment 12 Adam Williamson 2013-05-27 17:13:10 EDT
aiui, so far, that is outside the scope of g-i-s' design. g-i-s was designed for the two use cases 'creating a single initial admin user for a newly installed system' and 'configuring the basic environment of any newly created user the first time they log into GNOME'. it was not designed to cover anything outside of those cases.
Comment 13 Fedora Update System 2013-05-31 13:10:14 EDT
gnome-initial-setup-0.11-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-9570/gnome-initial-setup-0.11-1.fc19
Comment 14 Fedora Update System 2013-06-16 02:07:59 EDT
gnome-initial-setup-0.11-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
