make that libnss-sss instead

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/2004433

Title: freeipa-client: ipa-client-install doesn't modify /etc/nsswitch.conf on 20.04

Status in freeipa package in Ubuntu: Incomplete

Bug description:

Hi!

We have Ubuntu 18.04 servers that we're upgrading to 20.04, and we've found a minor bug. When running the ipa-client-install tool on Ubuntu 20.04, it installs everything and enrolls the host, but at the end it skips updating /etc/nsswitch.conf to add `sss` to anything in /etc/nsswitch.conf.

I haven't looked at the source, but I suspect that the tool doesn't recognize the exact configuration in /etc/nsswitch.conf as a 'known' configuration and silently refuses to modify it. Manually adding `sss` to the passwd, group, shadow, services, and netgroup lines makes everything work.

Partial output of ipa-client-install:

```
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: 2020-12-09 23:35:59
Valid Until: 2040-12-09 23:35:59
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'service-account' user with 'getent passwd service-acco...@example.com'!
Unable to reliably detect configuration. Check NSS setup manually.
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ca.example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
```

When it says "Check NSS setup manually.", it's really saying "Configure NSS setup manually".

Here's the resulting /etc/nsswitch.conf file, after manually appending 'sss':

```
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis
sudoers: files sss
```
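
A check for the condition described in this report, as an added example that is not part of the original bug report or of FreeIPA: it lists which NSS databases in an nsswitch.conf-style file lack the `sss` source, so an enrolled host whose NSS setup was skipped is detected rather than found through failed lookups. The function names and the sample file (modelled on the file above with the manually appended `sss` entries left out) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report NSS databases that do not list a given source.

# missing_source FILE SOURCE DB...
# Prints each DB whose line in FILE is absent or does not list SOURCE.
missing_source() {
    file=$1; src=$2; shift 2
    for db in "$@"; do
        awk -v db="$db" -v src="$src" '
            {
                sub(/#.*/, "")                  # drop comments
                n = index($0, ":")
                if (n == 0) next                # not a "database: ..." line
                name = substr($0, 1, n - 1)
                gsub(/[ \t]/, "", name)
                if (name != db) next
                cnt = split(substr($0, n + 1), tok, /[ \t]+/)
                # action items such as [NOTFOUND=return] never equal src
                for (i = 1; i <= cnt; i++) if (tok[i] == src) found = 1
            }
            END { exit !found }                 # 0 only if src is listed
        ' "$file" || printf '%s\n' "$db"
    done
}

# write_sample PATH: constructed sample, not taken from a real host.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample: the file from the report without the manual edits
passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files
hosts: files dns
services: db files
netgroup: nis
sudoers: files sss
EOF
}

sample=$(mktemp)
write_sample "$sample"
# Databases named in the report, plus sudoers which the installer did configure.
missing_source "$sample" sss passwd group shadow services netgroup sudoers
rm -f "$sample"
```

On a real host, pass `/etc/nsswitch.conf` as the file; empty output means every listed database includes the source.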