Comments (45)
And I think authselect should do the same thing; just don't delete `altfiles` if it finds it in the existing config.
from authselect.
BTW, Atomic is now Fedora CoreOS.
The SSSD approach is actually going to be problematic for us in the near future as Ignition does some system provisioning in the initramfs where sssd isn't running yet.
In the end, we need to do the sysusers switch.
History repeats itself:
https://pagure.io/authconfig/c/78bb70e103907a47bfdcbc2dc1651d64eeb58147?branch=master
> History repeats itself

Hah!
> And I think authselect should do the same thing; just don't delete `altfiles` if it finds it in the existing config.
That was my initial thought, though from what I understand, authselect just ships baked predefined config templates. Though maybe what we can do is:

- add a new `{if "with-nss-altfiles":altfiles}` to the template, and
- teach authselect itself to automatically turn that feature on if it detects `altfiles` in the existing config.

The advantage of this is that we don't have to modify Anaconda, which I think we can all agree is for the best. :) It's also forward compatible with a future in which we no longer use `altfiles`.
> teach authselect itself to automatically turn that feature on if it detects altfiles in the existing config.

Ah wow, I see now. authselect ships its own copies of the config files and just blows away whatever is there? That...seems not like a good idea.

Anyways a variant of your suggestion is to enable it if `nss-altfiles` is installed (exists as a pkg in the rpm database).
Do you call authconfig/authselect from your kickstart, or does Anaconda call authselect automatically without your will?

Anyway, for purposes of docker/other distros/... it is possible to override profiles shipped by authselect with a vendor profile. That way the vendor can preserve something (the PAM stack) and override what needs to be changed (nsswitch). This fits well for your use case and you will also get full control over it, so once you want to get away from altfiles, you can. See: https://github.com/pbrezina/authselect/blob/master/src/man/authselect-profiles.5.txt.in.in#L21

Create /usr/share/authselect/vendor/sssd and /usr/share/authselect/vendor/winbind (if needed), create symlinks to /usr/share/authselect/default/$profile and provide your own nsswitch template.

Does this work as a solution for you?
> Ah wow, I see now. authselect ships its own copies of the config files and just blows away whatever is there? That...seems not like a good idea.
This is the thing. If you want to use authselect, there will be no more manual edits and attempts to guess the correct configuration and implement every use case that is needed. You have profiles that we ship that are based on Fedora defaults; those can be overridden with vendor profiles if you need to ship different defaults. Administrators can provide custom profiles if they need a different use case.
> Anyway, for purposes of docker/other distros/...
Fedora Atomic Host is not a separate distribution. It's a toplevel Edition, along with Workstation and Server. Fedora Atomic Host is Fedora too.
> does Anaconda call authselect automatically without your will?
AFAICS, yes. If this problem was just "using authselect via kickstart or running it manually breaks FA{H,W}" it'd be a lot less severe.
OK I think it's this bit of code in Anaconda. It's not affecting Atomic Host because we don't include `fprintd` there.

So...I guess we could add a `select altfiles` or something to authselect, and change anaconda to select that automatically too if `/usr/lib64/libnss_altfiles.so.2` exists in the sysroot?

But it really feels like it'd be better to somehow have `fprintd` just drop in a file somewhere to say it's enabled by default (if it's installed), and allow admins to do something `systemctl mask` style that disables it if they don't want it. And then drop the bits in anaconda to auto-enable it; authselect is then only run explicitly.
> And then drop the bits in anaconda to auto-enable it; authselect is then only run explicitly.

That makes sense, but we still want to survive an admin doing `authselect select sssd --with-some-feature` later on, right? I.e. it seems like we still want something like what we suggested earlier regarding e.g. adding a `with-nss-altfiles` feature and enabling it by default if we detect `nss-altfiles`. In that case, even if it gets unconditionally run in Anaconda, we should have a proper config.
I looked into the Atomic Host image and there is no SSSD installed by default, just sssd-client libs. I think it would be best to create a profile specifically for atomic and make Anaconda select it by default, instead of the SSSD profile.

If the admin then wants to use SSSD, he will select the sssd profile and configure SSSD correctly. SSSD now supports an alternative files location with the files provider, so altfiles is not strictly needed anymore.
> I think it would be the best to create a profile specifically for atomic
There isn't (today) just one "atomic". There's Fedora Atomic Host and Fedora Atomic Workstation. The latter is mostly a superset of the former.
Further, we really want to support people doing custom composes with their own package sets. For example, a user may want to make an embedded device using rpm-ostree for transactional updates, but no containers. In fact this use case is part of Fedora IoT.
So let's not special case "atomic" in any way. We may or may not have sssd or fprintd etc. Let's figure out a way to just not overwrite the existence of `altfiles`.
In the future, this problem will solve itself as rpm-ostree will stop relying on altfiles though.
> SSSD now support alternative files location with files provider, so altfiles is not strictly needed anymore.

Oh hmm I didn't see this at first. If that's true it'd be convenient. I'm not seeing in a quick perusal of `man sssd.conf` how to enable it though.
The SSSD PR that implements the "altfiles" in SSSD was not merged yet. I'll see what I can do to speed up the review..
> The SSSD PR that implements the "altfiles" in SSSD was not merged yet. I'll see what I can do to speed up the review..
Ah, I acked it like two months ago. I bumped the thread so you can merge it. Since it may be useful here, please create an update soon.
> There isn't (today) just one "atomic". There's Fedora Atomic Host and Fedora Atomic Workstation. The latter is mostly a superset of the former.
Does nsswitch/PAM differ in those two?
> So let's not special case "atomic" in any way. We may or may not have sssd or fprintd etc. Let's figure out a way to just not overwrite the existence of altfiles.

Let me clarify the authselect mission. Authselect is not authconfig and it will not read the existing configuration and make small changes to it. Authselect will only write a complete configuration defined by profiles. A profile solves one use case. If there is a requirement for another use case, a new profile can be created. We have some upstream profiles; if they need to be overridden or extended for the specific needs of a distro, there is a possibility to do it by placing a new profile in /usr/share/authselect/vendor. And at last, administrators have the option to create their custom profile by placing it in /etc/authselect/custom. Therefore the set of supported profiles is easily extendable. You can have whatever configuration you need without coordinating with tools, as was needed with authconfig.

There are a few possible solutions to this issue:

- The best solution is to create a profile for atomic. It can be supported upstream or you can create it as a vendor profile. Since you mentioned that you have an atomic kickstart, you can use the `authselect` kickstart command to activate it. You gain complete control over how the resulting configuration looks. It can be changed and there will be no special casing. Users will use authselect in the same way to further modify it and create a custom compose.
- Use SSSD for altfiles. This is a good solution, but it will make official and other composes dependent on SSSD.
- Another solution is to support altfiles in the sssd profile and again set it by your kickstart. This is however not a correct solution, since every time you change your required configuration, we will have to special case it, keeping all previous changes there.
- Not calling authselect in Anaconda for atomic.
> Does nsswitch/PAM differ in those two?
The only thing we change from the underlying RPM defaults is to inject altfiles which just is a nss thing. Other than that we don't try to carry any deltas.
> The best solution is to create a profile for atomic....You gain complete control over how the resulting configuration look like.
I don't think we or anyone else really wants the maintenance overhead of that. We basically just want altfiles (for now, until we switch to sysusers).
> Use SSSD for altfiles. This is a good solution, but it will make official and other composes dependent on SSSD.

I think that's probably fine for FA{H,W}, particularly because the people who are making more minimal images are unlikely to include `authselect` in their images.
> Not calling authselect in Anaconda for atomic.

Note the current situation (as linked above) is that Anaconda calls it automatically but only if it detects fprintd. Which is going to be a recipe for a lot of confusion since there will be a lot of scenarios where `authselect` isn't used by default.

If we really want the opinionated defaults here to be defaults, I'd say that anaconda should probably change to unconditionally default to invoking authselect. And the files in the packages (e.g. the `nsswitch.conf`) should gain a comment to the effect: `# NOTE: This file is usually overwritten by authselect` or so.
> If we really want the opinionated defaults here to be defaults, I'd say that anaconda should probably change to unconditionally default to invoking authselect. And the files in the packages (e.g. the nsswitch.conf should gain a comment to the effect: # NOTE: This file is usually overwritten by authselect) or so.
Note that it's being considered that nsswitch.conf should actually be moved to the authselect package. Right now it's maintained by glibc, but that has never been an ideal solution because it also provides the configuration for sudo and autofs. It makes more sense to have this file be owned by the package that maintains it.
I think I agree with both @pbrezina and @cgwalters here; we should probably create Atomic Host and Atomic Workstation default nsswitch configurations for authselect and teach Anaconda to apply them appropriately (by calling authselect unconditionally).
I'm going to CC @M4rtinK and @rvykydal here to bring them into the discussion.
It looks like this is now affecting Fedora 28 Atomic Workstation Beta. Let's agree on a decision? I'm not a fan of maintaining separate profiles for Atomic variants. I'd prefer the auto-detect based on `nss-altfiles` being installed, as discussed higher up. Though if using different profiles is the easiest option for now, that's fine too.
Haven't tested this yet but how about:
diff --git a/fprintd.spec b/fprintd.spec
index 977e9d3..bd6f3dd 100644
--- a/fprintd.spec
+++ b/fprintd.spec
@@ -28,7 +28,6 @@ Requires: %{name} = %{version}-%{release}
# is different, it will be mentioned in the release notes
Provides: pam_fprint = %{version}-%{release}
Obsoletes: pam_fprint < 0.2-3
-Requires(postun): authselect >= 0.3
Group: System Environment/Base
License: GPLv2+
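Review bot: dropping `Requires(postun): authselect >= 0.3` also drops the version floor, so the `disable-feature with-fingerprint` call in the `%postun pam` scriptlet can now run against whatever authselect happens to be installed, and the `test -x /bin/authselect` guard added below only checks that the binary exists, not its version. If `disable-feature` or the `with-fingerprint` feature name needs 0.3 or later, keep a versioned (possibly weak) dependency, for example `Recommends: authselect >= 0.3`, or make the scriptlet tolerate the call failing.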
@@ -66,8 +65,8 @@ rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_fprintd.{a,la,so.*}
%find_lang %{name}
%postun pam
-if [ $1 -eq 0 ]; then
- /bin/authselect disable-feature with-fingerprint || :
+if [ $1 -eq 0 ] && test -x /bin/authselect; then
+ /bin/authselect disable-feature with-fingerprint
fi
%files -f %{name}.lang
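Review bot: removing the trailing `|| :` from the `disable-feature` line makes the `%postun` scriptlet exit non-zero whenever `/bin/authselect disable-feature with-fingerprint` fails (for instance when no profile is currently selected, so there is nothing to disable), and rpm then reports a scriptlet failure on every uninstall of the pam subpackage. The new `test -x` guard only covers the binary being absent, not the call failing; keep the call tolerant so removal stays quiet: `+ /bin/authselect disable-feature with-fingerprint || :`.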
This makes the whole model a lot clearer; authselect is only used explicitly by admins.
So, looking at the ISO contents, it looks like what pulled in authselect this time isn't `fprintd`, but `realmd-0.16.3-11.fc28.x86_64`.

With the impending f28 release, I'd like to propose we make this a rawhide issue only while we discuss things further. I.e. are we OK with reverting the unconditional `authselect` call in Anaconda for F28?
Proposal here: rhinstaller/anaconda#1410
Adding @poncovka, who has been handling the Anaconda migration from authconfig to authselect to CC.
We can work around this for FAW in the meantime by just dropping fprintd-pam from it, we think: https://pagure.io/workstation-ostree-config/pull-request/81
BTW, following up on Colin's point here, it's worth noting the behaviour he describes there is new, it was introduced with the authselect migration. The old code for authconfig (F27 and earlier) was less conditional: anaconda would always call `authconfig` so long as it was actually present in the installed system at all. It didn't have this "if this is an interactive install run `authselect` with these magic defaults, if this isn't an interactive install, only do what the kickstart says" conditionalization.
From the Anaconda point of view, we can extend install classes, so they can define the behaviour of `authselect` for interactive installations. However, I would prefer to find a better way of enabling the fingerprint authentication.
The following script can be used to create vendor profiles, overwriting only nsswitch.conf for both the sssd and winbind profiles. This way, if authselect (with the sssd or winbind profile) is called from Anaconda, realmd, ipa-client-install, manually, ... it will use a nsswitch.conf with altfiles.
```sh
# Vendor profiles in /usr/share/authselect/vendor/<name> take precedence over
# the upstream profiles of the same name in /usr/share/authselect/default.
# Everything except nsswitch.conf is symlinked to the upstream profile, so
# only the nsswitch template differs from what authselect ships.
mkdir -p /usr/share/authselect/vendor/sssd /usr/share/authselect/vendor/winbind

FILES="dconf-db dconf-locks fingerprint-auth password-auth postlogin README system-auth"

# the sssd profile additionally ships smartcard-auth
for FILE in $FILES smartcard-auth ; do
    ln -s /usr/share/authselect/default/sssd/$FILE /usr/share/authselect/vendor/sssd/$FILE
done
for FILE in $FILES ; do
    ln -s /usr/share/authselect/default/winbind/$FILE /usr/share/authselect/vendor/winbind/$FILE
done

# nsswitch template for the sssd profile: altfiles consulted after files
cat <<EOM >/usr/share/authselect/vendor/sssd/nsswitch.conf
passwd: sss files altfiles
group: sss files altfiles
netgroup: sss files
automount: sss files
services: sss files
sudoers: files sss
shadow: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
hosts: files dns myhostname
aliases: files nisplus
bootparams: nisplus [NOTFOUND=return] files
publickey: nisplus
EOM

# nsswitch template for the winbind profile
cat <<EOM >/usr/share/authselect/vendor/winbind/nsswitch.conf
passwd: files altfiles winbind
group: files altfiles winbind
shadow: files
netgroup: files
automount: files
services: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
hosts: files dns myhostname
aliases: files nisplus
bootparams: nisplus [NOTFOUND=return] files
publickey: nisplus
EOM
```
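As an added example (not part of the thread, and not authselect or rpm-ostree code): a Python checker for the situation the vendor-profile script above is meant to prevent. It parses an nsswitch.conf the way that script writes it, reports whether `passwd` and `group` still consult `altfiles`, and then walks a lookup through the sources in the configured order over constructed passwd data, so a user that lives only in the alternate file can be seen to stop resolving once `altfiles` is dropped. The nsswitch texts and passwd records are constructed; the "stock" text stands for a profile without altfiles and is not a copy of any authselect profile, and the `sss` source answers nothing to model sssd not running.

```python
"""Parse nsswitch.conf and simulate passwd lookups in the configured order.

Added example; not code from the thread. The NSS source data below is
constructed: "files" stands in for /etc/passwd and "altfiles" for the extra
passwd file nss-altfiles reads on an rpm-ostree system.
"""
import re

# constructed: nsswitch.conf as the vendor sssd profile above writes it
VENDOR_NSSWITCH = """\
passwd: sss files altfiles
group: sss files altfiles
shadow: files
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
"""

# constructed: a profile that has dropped altfiles (the failure mode discussed)
STOCK_NSSWITCH = """\
passwd: sss files
group: sss files
shadow: files sss
"""

# constructed passwd(5) records per NSS source; sss answers nothing because
# sssd is not running (initramfs / minimal image case)
SOURCES = {
    "files": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "core:x:1000:1000::/var/home/core:/bin/bash\n"
    ),
    "altfiles": "chrony:x:993:993::/var/lib/chrony:/sbin/nologin\n",
    "sss": "",
}


def parse_nsswitch(text):
    """Return {database: [source, ...]}; comments and action specifications
    such as [NOTFOUND=return] are dropped, only the source names are kept."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return dbs


def missing_altfiles(text, databases=("passwd", "group")):
    """Databases in `databases` whose source list no longer contains altfiles."""
    dbs = parse_nsswitch(text)
    return [db for db in databases if "altfiles" not in dbs.get(db, [])]


def lookup_passwd(name, nsswitch_text, sources=SOURCES):
    """First-match lookup of `name` across the passwd sources in the order
    nsswitch.conf lists them; None when no source knows the user."""
    for src in parse_nsswitch(nsswitch_text).get("passwd", []):
        for record in sources.get(src, "").splitlines():
            fields = record.split(":")
            if len(fields) == 7 and fields[0] == name:
                return {"source": src, "uid": int(fields[2]), "gid": int(fields[3]),
                        "home": fields[5], "shell": fields[6]}
    return None


if __name__ == "__main__":
    for label, text in (("vendor", VENDOR_NSSWITCH), ("stock", STOCK_NSSWITCH)):
        print(label, "missing altfiles in:", missing_altfiles(text) or "nothing",
              "| chrony ->", lookup_passwd("chrony", text))
```

Run it against a real `/etc/nsswitch.conf` by passing the file contents to `missing_altfiles`; a non-empty result after an `authselect select` is exactly the regression this thread is about, with the symptom that every account defined only in the alternate passwd file (system users such as the `chrony` example here) becomes unresolvable.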
Where do we stand on this? Waiting for feedback? I.e. who is waiting on whom?
Both anaconda and authselect have given several possible solutions, so we are waiting for the discussion to continue from the atomic side.
@cgwalters @jlebon - i'd like to remove the workaround we put in rawhide. Can we move this issue forward?
+1, I definitely agree with @dustymabe that we should pick a choice and move forward on this, let's not make it one more 'workaround' that lives forever...
Patch to support alternative passwd and groups locations with SSSD will be soon available in Fedora (probably today), so it could be used instead of nss altfiles.
I don't want to "own" a forked authselect config just to add altfiles. IMO the only sane short term thing is for sssd to grow altfiles support as is mentioned above.

The long term solution is definitely coreos/rpm-ostree#49
@pbrezina Do you have a link to the relevant sssd documentation?
https://github.com/SSSD/sssd/blob/master/src/man/sssd-files.5.xml#L67

Example configuration:

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = atomic
user = root

[domain/atomic]
id_provider = files
passwd_files = /etc/passwd, /etc/atomic_passwd
group_files = /etc/group, /etc/atomic_group
```
Thanks! I'll try that out.
I got this working in a rawhide compose with `authselect` and `sssd-common` added! Though there are a couple of rough spots.

One, there was an ordering issue between `dbus.service` and `sssd.service` which caused bootups to hang. I submitted a patch for that here: https://bugs.freedesktop.org/show_bug.cgi?id=106339. The other was https://pagure.io/SSSD/sssd/issue/3727. We'll also need to tweak rpm-ostree. I opened coreos/rpm-ostree#1354 for that.
It'd be nice to have, yeah. We could probably just add a workaround for it in the post-processing script. Though hopefully that'd be a temporary thing.
One thing I'll mention is that the sssd issue mentions that an empty `sssd.conf` works fine, but that wasn't the case for me. I'd get:

```
sssd[1559]: SSSD couldn't load the configuration database [5]: Input/output error.
```

My workaround for now consists of:

```sh
cat > /etc/sssd/sssd.conf << EOF
[sssd]
services = nss
config_file_version = 2
EOF
chmod 0600 /etc/sssd/sssd.conf
```

which I think is as "no-op" as one can get?
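An added example (not the thread's code, and not sssd's own configuration validation) that ties the two sssd.conf fragments in this thread together: a Python pre-flight that reads an sssd.conf with the standard-library configparser, checks the `[sssd]` section, checks that every listed domain has its `[domain/...]` section and that a `files` provider's `passwd_files`/`group_files` entries are absolute paths, and separately checks that the file on disk is no wider than the 0600 mode the workaround above sets. Rejecting a file with no `[sssd]` section mirrors the empty-file failure described above; which conditions sssd itself enforces is not reproduced here, so these checks are an assumption about a sane file, not sssd's rules.

```python
"""Pre-flight checks for an sssd.conf that uses id_provider = files.

Added example; not sssd or authselect code. SSSD_CONF is the example
configuration from this thread and MINIMAL_CONF the workaround; the checks
are structural and are an assumption about a sane file, not sssd's parser.
"""
import configparser
import os
import stat
import tempfile

SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = atomic
user = root

[domain/atomic]
id_provider = files
passwd_files = /etc/passwd, /etc/atomic_passwd
group_files = /etc/group, /etc/atomic_group
"""

# the near-no-op configuration from the workaround above
MINIMAL_CONF = "[sssd]\nservices = nss\nconfig_file_version = 2\n"


def split_list(value):
    """sssd lists are comma separated: 'nss, pam' -> ['nss', 'pam']."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_sssd_conf(text):
    """Return a list of problems (empty when the text looks consistent)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    if "sssd" not in cfg:
        return ["missing [sssd] section"]
    main = cfg["sssd"]
    problems = []
    if main.get("config_file_version") != "2":
        problems.append("config_file_version must be 2")
    if not split_list(main.get("services", "")):
        problems.append("no services listed; nss is needed for user lookups")
    for dom in split_list(main.get("domains", "")):
        section = "domain/" + dom
        if section not in cfg:
            problems.append(f"domain {dom!r} listed but [{section}] is missing")
            continue
        domain = cfg[section]
        if domain.get("id_provider") != "files":
            continue
        for key in ("passwd_files", "group_files"):
            for path in split_list(domain.get(key, "")):
                if not path.startswith("/"):
                    problems.append(f"[{section}] {key}: {path!r} is not absolute")
    return problems


def mode_too_wide(path):
    """True when group or other hold any permission bit on `path`; the
    workaround above chmods the file to 0600 so only root can read it."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def demo_mode_check():
    """Write a temp file, check it at 0644 and again at 0600; return the pair."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        wide = mode_too_wide(path)
        os.chmod(path, 0o600)
        narrow = mode_too_wide(path)
    finally:
        os.unlink(path)
    return wide, narrow


if __name__ == "__main__":
    print("example config:", check_sssd_conf(SSSD_CONF) or "ok")
    print("minimal config:", check_sssd_conf(MINIMAL_CONF) or "ok")
    print("empty file:", check_sssd_conf(""))
    print("0644 vs 0600 flagged:", demo_mode_check())
```

Point `check_sssd_conf` at the contents of `/etc/sssd/sssd.conf` and `mode_too_wide` at its path before enabling `sssd.service`; the ownership check (root) is left out so the example runs unprivileged, and is the other thing to verify on a real system.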
I'm closing this issue since we found a way that suits both sides. Please re-open if you feel otherwise.
Could you document here what that way is, so other people that might run into it can find out easily?
Atomic chose to use SSSD's new local user support feature which can also provide users from alternative passwd files, which is precisely what `altfiles` does. An example of such a configuration can be seen at https://github.com/pbrezina/authselect/issues/48#issuecomment-384973785
Just to note here, one thing that wasn't obvious to me at first is that a major problem is a lot of kickstarts we have cargo cult around `authconfig --enableshadow --passalgo=sha512` which is necessary for RHEL7, but AIUI shouldn't be needed anymore. See e.g. https://pagure.io/teamsilverblue/issue/34

So anyone hitting this via kickstart should simply delete that line.