
freeipa team mailing list archive

[Bug 2004433] [NEW] freeipa-client: ipa-client-install doesn't modify /etc/nsswitch.conf on 20.04

 

Public bug reported:

Hi!

We have Ubuntu 18.04 servers that we're upgrading to 20.04, and we've
found a minor bug.

When running the ipa-client-install tool on Ubuntu 20.04, it installs
everything and enrolls the host, but at the end it skips updating
/etc/nsswitch.conf to add `sss` to anything in /etc/nsswitch.conf.

I haven't looked at the source, but I suspect that the tool doesn't
recognize the exact configuration in /etc/nsswitch.conf as a 'known'
configuration and silently refuses to modify it.

Manually adding `sss` to the passwd, group, shadow, services, and
netgroup lines makes everything work.

Partial output of ipa-client-install:

```
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  2020-12-09 23:35:59
    Valid Until: 2040-12-09 23:35:59

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'service-account' user with 'getent passwd service-account@xxxxxxxxxxx'!
Unable to reliably detect configuration. Check NSS setup manually.
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ca.example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
```

When it says "Check NSS setup manually.", it's really saying "Configure
NSS setup manually".

Here's the resulting /etc/nsswitch.conf file, after manually appending
'sss':

```
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd sss
group:          compat systemd sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis

sudoers: files sss
```

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2004433
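
A check for the condition this report describes, as an added example that is not part of the original report or of FreeIPA: it lists which of the databases named in the report lack the `sss` source in a given nsswitch.conf. The function names, the trimmed sample (the relevant lines of the posted file) and the "before" file (the same lines with `sss` stripped) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA code): report NSS databases lacking the "sss" source.

# missing_sss FILE DB... : print one line per database that does not list sss
missing_sss() {
    file=$1; shift
    for db in "$@"; do
        awk -v db="$db" '
            { sub(/#.*/, ""); sub(/:/, ": ") }   # strip comments, tolerate "db:source"
            $1 == (db ":") {
                seen = 1
                for (i = 2; i <= NF; i++)        # [NOTFOUND=return]-style actions never match
                    if ($i == "sss") found = 1
            }
            END {
                if (!seen)       print db ": no entry"
                else if (!found) print db ": sss not listed"
            }' "$file"
    done
}

# Databases the report names as needing sss.
DBS="passwd group shadow services netgroup"

# write_sample PATH : relevant lines of the nsswitch.conf posted in the report
write_sample() {
    cat > "$1" <<'EOF'
# /etc/nsswitch.conf
passwd:         compat systemd sss
group:          compat systemd sss
shadow:         compat sss
gshadow:        files
hosts:          files dns
services:       db files sss
netgroup:       nis
sudoers: files sss
EOF
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_sample "$tmp/posted.conf"
# Constructed "before" state: the posted lines with every sss source removed.
sed 's/ sss$//' "$tmp/posted.conf" > "$tmp/before.conf"
echo "before:"; missing_sss "$tmp/before.conf" $DBS
echo "posted:"; missing_sss "$tmp/posted.conf" $DBS
```

On an enrolled host, `missing_sss /etc/nsswitch.conf $DBS` printing nothing means every listed database consults SSSD.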
