Red Hat Bugzilla – Bug 978241
authconfig shouldn't touch /etc/krb5.conf
Last modified: 2015-03-02 00:27:50 EST
Description of problem:
Authconfig is needed to change the pam stack and nsswitch.conf file, but it does other steps like changing /etc/krb5.conf, which is not necessary.
Changing /etc/krb5.conf causes inconsistent behavior of realm join (realmd package).
The first realm join does not change /etc/krb5.conf (realm join calls '/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart'). Another call of '/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart' changes /etc/krb5.conf and this is the problem.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
repeated calling of authconfig command shouldn't touch /etc/krb5.conf
Well it's a bit more nuanced than that:
What we need is a way to have authconfig update the pam stack and nsswitch.conf file (since it owns those), without authconfig doing *anything* else.
/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart
In Fedora 18 the above command accomplished that. In Fedora 19 the behavior of authconfig seems to have changed, and the above command has side effects.
Unfortunately that was added to correct inconsistencies in config files which were produced by the previous behaviour. We will need a detailed analysis of why it changes the krb5.conf in this case - can you please copy somewhere the contents of the backup files in /var/lib/authconfig/last after each authconfig call and also the final contents of the files in the normal places?
Created attachment 770331 [details]
Requested files that are changed by authconfig
So the reason for the krb5.conf update in the second authconfig call is that authconfig pulls default Kerberos realm from sssd.conf and tries to sync krb5.conf with it. I am inclined to call it NOTABUG unless it creates a real problem.
(In reply to Tomas Mraz from comment #4)
> So the reason for the krb5.conf update in the second authconfig call is that
> authconfig pulls default Kerberos realm from sssd.conf and tries to sync
> krb5.conf with it. I am inclined to call it NOTABUG unless it creates a real
In general this sort of behavior is going to cause random bugs. The *only* reason we ever call authconfig is because it owns the PAM stack and nsswitch.conf on RHEL and Fedora. If calling it in this context has all sorts of other side effects then that's just asking for a mess later on.
Is there a way to call authconfig so it only touches the PAM stack and nsswitch.conf, and doesn't have the side effect of littering in other files?
I'd like to see the random bugs to appear first. Fixing bugs before they appear is usually not possible.
The functionality to keep the contents of configuration files in sync was added to fix real bugs; randomly switching it off would not be a good idea.
There is no way now to specify just a subset of config files to update; we would have to add an option for that, and of course any subsequent authconfig --update call would do the sync anyway.
(In reply to Tomas Mraz from comment #6)
> I'd like to see the random bugs to appear first. Fixing bugs before they
> appear is usually not possible.
Fair enough. But perhaps long term we should be thinking about splitting out the responsibility of updating pam.d and nsswitch.conf into a separate package? That way it's not mixed in with all the other duties that authconfig wants to do.