Bug 594750 - authconfig CLI fails to set up sssd for ldap but GUI works
Summary: authconfig CLI fails to set up sssd for ldap but GUI works
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-05-21 14:00 UTC by Paul Howarth
Modified: 2010-06-10 15:53 UTC (History)

Fixed In Version: authconfig-6.1.6-1.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-10 15:53:37 UTC



Description Paul Howarth 2010-05-21 14:00:35 UTC
 * Fresh Fedora 13 install from DVD, with language and keyboard settings UK.
 * Create local user "dummy" at firstboot since there is no network at this point
 * Login as "dummy"
 * Enable the network
 * Start a root shell
 * yum update
 * yum --enablerepo=updates-testing update auth\*

At this point I have:
  authconfig-6.1.4-2.fc13.x86_64
  authconfig-gtk-6.1.4-2.fc13.x86_64

Default settings:
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=example,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is enabled
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled


I now try to set up ldap auth in the time-honoured way:
# authconfig \
  --enableldap \
  --enableldapauth \
  --ldapserver=ldap://ldap.virtensys.com/ \
  --ldaploadcacert=http://download.virtensys.com/virtensys-ca.crt \
  --enableldaptls \
  --ldapbasedn=dc=virtensys,dc=com \
  --disablefingerprint \
  --updateall
Starting sssd:                                             [FAILED]


The stock sssd.conf is untouched:
# ls -lrt /etc/sssd
total 12
-rw-------. 1 root root 2829 Apr  2 16:56 sssd.conf
-r--------. 1 root root 1809 Apr  2 16:56 sssd.api.conf
drwx------. 2 root root 4096 May 21 13:25 sssd.api.d


Authconfig does know what the config is *supposed* to be though:
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.virtensys.com/"
 LDAP base DN = "dc=virtensys,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://ldap.virtensys.com/"
 LDAP base DN = "dc=virtensys,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_fprintd is disabled
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled


If I now fire up the GUI, don't make any changes and click "Apply", it springs into life:
# authconfig-gtk
Starting sssd:                                             [  OK  ]
# ls -lrt /etc/sssd
total 12
-r--------. 1 root root 1809 Apr  2 16:56 sssd.api.conf
drwx------. 2 root root 4096 May 21 13:25 sssd.api.d
-rw-------. 1 root root 3191 May 21 14:39 sssd.conf

Comment 1 Tomas Mraz 2010-05-21 14:24:37 UTC
Use --update instead of --updateall as a workaround.
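
The mismatch described in this report (`authconfig --test` shows LDAP enabled while sssd.conf is still the stock file) can be checked for after any authconfig run. The script below is an added example, not part of the bug report or of authconfig. It assumes authconfig stores the values as `ldap_uri` and `ldap_search_base` in a `[domain/...]` section, and both sssd.conf samples are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the state described above, where
# `authconfig --test` reports LDAP enabled but sssd.conf was never rewritten.
# Assumption: authconfig stores the values as ldap_uri / ldap_search_base in a
# [domain/...] section of sssd.conf.

# Print "<server> <base DN>" from saved `authconfig --test` output if nss_ldap is enabled.
authconfig_ldap() {
    awk -F'"' '
        /^nss_ldap is /            { in_nss = 1; on = ($0 ~ /is enabled$/); next }
        /^[^ ]/                    { in_nss = 0 }
        in_nss && /LDAP server =/  { srv = $2 }
        in_nss && /LDAP base DN =/ { base = $2 }
        END { if (on) print srv, base }
    ' "$1"
}

# Print "<ldap_uri> <ldap_search_base>" from active (uncommented) [domain/...] settings.
sssd_ldap() {
    awk '
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); return s }
        /^\[/                                        { in_dom = ($0 ~ /^\[domain\//); next }
        in_dom && /^[ \t]*ldap_uri[ \t]*=/           { uri = val($0) }
        in_dom && /^[ \t]*ldap_search_base[ \t]*=/   { base = val($0) }
        END { if (uri != "") print uri, base }
    ' "$1"
}

# Exit status 0 when sssd.conf carries what authconfig reports, 1 when it does not.
check_sssd_matches() {
    want=$(authconfig_ldap "$1")
    [ -n "$want" ] || return 0          # LDAP not enabled: nothing to verify
    [ "$want" = "$(sssd_ldap "$2")" ]
}

# Constructed sample inputs: an excerpt of the report's --test output, a stock-like
# sssd.conf with only commented examples, and a constructed post-"Apply" sssd.conf.
tmp=$(mktemp -d)
printf '%s\n' 'nss_ldap is enabled' ' LDAP+TLS is enabled' \
    ' LDAP server = "ldap://ldap.virtensys.com/"' \
    ' LDAP base DN = "dc=virtensys,dc=com"' 'nss_nis is disabled' > "$tmp/test.out"
printf '%s\n' '[sssd]' 'services = nss, pam' '; [domain/LDAP]' \
    '; ldap_uri = ldap://ldap.example.com' > "$tmp/sssd.stock"
printf '%s\n' '[sssd]' 'domains = default' '[domain/default]' 'id_provider = ldap' \
    'ldap_uri = ldap://ldap.virtensys.com/' \
    'ldap_search_base = dc=virtensys,dc=com' > "$tmp/sssd.applied"

check_sssd_matches "$tmp/test.out" "$tmp/sssd.stock"   || echo "DRIFT: sssd.conf not updated"
check_sssd_matches "$tmp/test.out" "$tmp/sssd.applied" && echo "OK: sssd.conf matches"
```

On a live system the two arguments would be a file holding saved `authconfig --test` output and `/etc/sssd/sssd.conf`, read as root.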

