Bug 978241 - authconfig shouldn't touch /etc/krb5.conf
authconfig shouldn't touch /etc/krb5.conf
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: authconfig (Show other bugs)
7.0
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE - Apps
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-26 03:27 EDT by David Spurek
Modified: 2015-03-02 00:27 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-09 09:30:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Requested files that are changed by authconfig (10.00 KB, application/x-compressed)
2013-07-08 04:09 EDT, David Spurek
no flags Details

  None (edit)
Description David Spurek 2013-06-26 03:27:34 EDT
Description of problem:
Authconfig is needed to change the pam stack and nssswitch.conf file, but it does other steps like changing /etc/krb5.conf which is not necessary.

Changing of /etc/krb5.conf cause inconsistent behavior of realm join (realmd package).
First realm join does not change /etc/krb5.conf (realm join calls '/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart'). Another call of '/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart' change /etc/krb5.conf and this is the problem. 

Version-Release number of selected component (if applicable):
authconfig-6.2.6-3.el7

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
repeated calling of authconfig command shouldn't touch /etc/krb5.conf

Additional info:
Comment 1 Stef Walter 2013-06-26 04:26:10 EDT
Well it's a bit more nuanced than that:

What we need is a way to have authconfig update the pam stack and nsswitch.conf file (since it owns those), without authconfig doing *anything* else.

/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart

In Fedora 18 the above command accomplished that. In Fedora 19 the behavior of authconfig seems to have changed, and the above command has side effects.
Comment 2 Tomas Mraz 2013-07-04 07:55:36 EDT
Unfortunately that was added to correct inconsistencies in config files which was produced by the previous behaviour. We will need a detailed analysis why it changes the krb5.conf in this case - can you please copy somewhere the contents of backup files in /var/lib/authconfig/last after each authconfig call and also the final contents of the files in the normal places?
Comment 3 David Spurek 2013-07-08 04:09:16 EDT
Created attachment 770331 [details]
Requested files that are changed by authconfig
Comment 4 Tomas Mraz 2013-07-08 05:06:16 EDT
So the reason for the krb5.conf update in the second authconfig call is that authconfig pulls default Kerberos realm from sssd.conf and tries to sync krb5.conf with it. I am inclined to call it NOTABUG unless it creates a real problem.
Comment 5 Stef Walter 2013-07-08 06:19:42 EDT
(In reply to Tomas Mraz from comment #4)
> So the reason for the krb5.conf update in the second authconfig call is that
> authconfig pulls default Kerberos realm from sssd.conf and tries to sync
> krb5.conf with it. I am inclined to call it NOTABUG unless it creates a real
> problem.

In general this sort of behavior is going to cause random bugs. The *only* reason we ever call authconfig because it owns the PAM stack and nsswitch.conf on RHEL and Fedora. If calling it in this context has all sorts of other side effects then that's just asking for a mess later on.

Is there a way to call authconfig so it only touches the PAM stack and nsswitch.conf, and doesn't have the side effect of littering in other files?
Comment 6 Tomas Mraz 2013-07-08 06:40:48 EDT
I'd like to see the random bugs to appear first. Fixing bugs before they appear is usually not possible.

The functionality to keep the contents of configuration files in sync was added to fix real bugs, randomly switching it off would not be a good idea.

There is no way now to specify just a subset of config files to update, we would have to add an option for that and of course any subsequent authconfig --update call would do the sync anyway.
Comment 7 Stef Walter 2013-07-08 12:13:12 EDT
(In reply to Tomas Mraz from comment #6)
> I'd like to see the random bugs to appear first. Fixing bugs before they
> appear is usually not possible.

Fair enough. But perhaps long term we should be thinking about splitting out the responsibility of updating pam.d and nsswitch.conf into a separate package? That way it's not mixed in with all the other duties that authconfig wants to do.

Note You need to log in before you can comment on or make changes to this bug.