freeipa team mailing list archive
Message #01173
[Bug 2004433] Re: freeipa-client: ipa-client-install doesn't modify /etc/nsswitch.conf on 20.04
ok, well in any case it's not freeipa-client that modifies
nsswitch.conf, but libnss-sss in its postinst, and in there it doesn't
add the sss entries if nsswitch.conf doesn't exist
reassigning anyway but I don't think there's much to do
** Package changed: freeipa (Ubuntu) => sssd (Ubuntu)
** Changed in: sssd (Ubuntu)
Status: Incomplete => New
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/2004433
Title:
freeipa-client: ipa-client-install doesn't modify /etc/nsswitch.conf
on 20.04
Status in sssd package in Ubuntu:
New
Bug description:
Hi!
We have Ubuntu 18.04 servers that we're upgrading to 20.04, and we've
found a minor bug.
When running the ipa-client-install tool on Ubuntu 20.04, it installs
everything and enrolls the host, but at the end it skips updating
/etc/nsswitch.conf to add `sss` to anything in /etc/nsswitch.conf.
I haven't looked at the source, but I suspect that the tool doesn't
recognize the exact configuration in /etc/nsswitch.conf as a 'known'
configuration and silently refuses to modify it.
Manually adding `sss` to the passwd, group, shadow, services, and
netgroup lines makes everything work.
Partial output of ipa-client-install:
```
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: 2020-12-09 23:35:59
Valid Until: 2040-12-09 23:35:59
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'service-account' user with 'getent passwd service-account@xxxxxxxxxxx'!
Unable to reliably detect configuration. Check NSS setup manually.
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ca.example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
```
When it says "Check NSS setup manually.", it's really saying
"Configure NSS setup manually".
Here's the resulting /etc/nsswitch.conf file, after manually appending
'sss':
```
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis
sudoers: files sss
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2004433/+subscriptions
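A check for the condition described in the report, as an added example that is not part of the original message or of the FreeIPA or sssd packages: it lists the NSS databases in a given nsswitch.conf that lack the `sss` source. The function names, the default database list and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Databases checked by default are the
# ones the reporter edited by hand, plus sudoers.
SSS_DATABASES="passwd group shadow services netgroup sudoers"

# missing_sss FILE [DB...]: print each database whose line lacks the "sss" source.
# Status: 0 = sss present everywhere, 1 = missing somewhere, 2 = file unreadable
# (covers the case from the reply where nsswitch.conf does not exist).
missing_sss() {
    conf=$1; shift
    [ $# -gt 0 ] || set -- $SSS_DATABASES
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    rc=0
    for db in "$@"; do
        if ! awk -v db="$db" '
            { sub(/#.*/, "")                      # drop comments
              i = index($0, ":"); if (!i) next
              name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
              if (name != db) next
              n = split(substr($0, i + 1), src, /[ \t]+/)
              for (k = 1; k <= n; k++) if (src[k] == "sss") found = 1 }
            END { exit (found ? 0 : 1) }' "$conf"; then
            echo "$db"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the listing from the report with the hand-added sss removed.
write_sample_conf() {
    cat > "$1" <<'EOF'
# /etc/nsswitch.conf
passwd:         compat systemd
group:          compat systemd
shadow:         compat
gshadow:        files
hosts:          files dns
services:       db files
netgroup:       nis
sudoers:        files sss
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
missing_sss "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On an enrolled host, call `missing_sss /etc/nsswitch.conf`; any database it prints is a line that still needs `sss`.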