[Bug 778949] New: LDAP/SSSD configuration with checkbox "Use Kerberos" enabled not saved/recognized/applied correctly
https://bugzilla.novell.com/show_bug.cgi?id=778949#c0

Summary: LDAP/SSSD configuration with checkbox "Use Kerberos" enabled not saved/recognized/applied correctly
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: Other
OS/Version: openSUSE 12.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AutoYaST
AssignedTo: ug@suse.com
ReportedBy: joschibrauchle@gmx.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

Hello,

we are using SSSD along with Kerberos in our institute. Unfortunately, the XML created via AutoYast seems to forget about the "Use Kerberos" checkbox configured under "LDAP client" > "Advanced Settings". Hence, when the XML file is used for auto installation, the "Use Kerberos" setting is not applied and the /etc/sssd/sssd.conf does not set "auth_provider = krb5" but instead "auth_provider = ldap".

Please see this XML file, which was created with the Yast Autoinstall module on OS12.2 with the "Use Kerberos" checkbox **enabled**:
-----------
<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
  <deploy_image>
    <image_installation config:type="boolean">false</image_installation>
  </deploy_image>
  <ldap>
    <base_config_dn>ou=ldapconfig,ou=users,dc=some</base_config_dn>
    <bind_dn></bind_dn>
    <create_ldap config:type="boolean">false</create_ldap>
    <file_server config:type="boolean">false</file_server>
    <krb5_kdcip>kerberos.server.com</krb5_kdcip>
    <krb5_realm>KERBEROS.REALM</krb5_realm>
    <ldap_domain>ou=users,dc=some</ldap_domain>
    <ldap_server>ldap.server.com</ldap_server>
    <ldap_tls config:type="boolean">true</ldap_tls>
    <login_enabled config:type="boolean">true</login_enabled>
    <member_attribute>member</member_attribute>
    <mkhomedir config:type="boolean">false</mkhomedir>
    <nss_base_group></nss_base_group>
    <nss_base_passwd></nss_base_passwd>
    <nss_base_shadow></nss_base_shadow>
    <pam_password>exop</pam_password>
    <sssd config:type="boolean">true</sssd>
    <sssd_ldap_schema>rfc2307</sssd_ldap_schema>
    <start_autofs config:type="boolean">true</start_autofs>
    <start_ldap config:type="boolean">true</start_ldap>
  </ldap>
  <software>
    <image/>
    <instsource></instsource>
    <packages config:type="list">
      <package>sssd</package>
      <package>krb5-client</package>
      <package>autofs</package>
    </packages>
  </software>
</profile>
-----------

When loading this profile again inside the Autoinstall module, the "Use Kerberos" checkbox is in **disabled** state.

So, maybe there is an XML tag for this "Use Kerberos" checkbox missing? Or how does Yast decide if this checkbox is enabled or disabled?

Reproducible: Always

Steps to Reproduce:
1. Enable the "Use Kerberos" checkbox in "LDAP Client" -> "Advanced Settings" of the Autoinstall module
2. Save the XML profile
3. Restart Autoinstall module and load the XML

Actual Results:
The "Use Kerberos" checkbox will now be disabled! An installation using this profile will result in "auth_provider = ldap" instead of "auth_provider = krb5" in /etc/sssd.conf

Expected Results:
The "Use Kerberos" checkbox should stay enabled and "auth_provider = krb5" in /etc/sssd.conf

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=778949

Joschi Brauchle <joschibrauchle@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|ug@suse.com                 |jsuchome@suse.com
           Severity|Normal                      |Major

https://bugzilla.novell.com/show_bug.cgi?id=778949

Joschi Brauchle <joschibrauchle@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Major                       |Normal

https://bugzilla.novell.com/show_bug.cgi?id=778949#c1

--- Comment #1 from Jiří Suchomel <jsuchome@suse.com> 2012-09-06 07:56:28 UTC ---
Created an attachment (id=504658)
 --> (http://bugzilla.novell.com/attachment.cgi?id=504658)
patch for /usr/share/YaST2/modules/Ldap.ycp

Please try to

1. Patch your /usr/share/YaST2/modules/Ldap.ycp
2. Run 'ycpc -c /usr/share/YaST2/modules/Ldap.ycp'
3. Run autoyast config again, to generate xml

https://bugzilla.novell.com/show_bug.cgi?id=778949

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |joschibrauchle@gmx.de

https://bugzilla.novell.com/show_bug.cgi?id=778949#c3

Joschi Brauchle <joschibrauchle@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|joschibrauchle@gmx.de       |

--- Comment #3 from Joschi Brauchle <joschibrauchle@gmx.de> 2012-09-06 09:57:50 UTC ---
Hello,

your patch does solve the problem of the "Use Kerberos" checkbox being disabled after reloading the XML in the Autoinstall module.

Unfortunately, using this new XML during an autoinstallation still does not enable Kerberos for SSSD.

This is the ldap part of my XML profile:
------
<ldap>
  <create_ldap config:type="boolean">false</create_ldap>
  <file_server config:type="boolean">false</file_server>
  <krb5_kdcip>kerberos.server.com</krb5_kdcip>
  <krb5_realm>KERBEROS.REALM</krb5_realm>
  <ldap_domain>ou=users,dc=some</ldap_domain>
  <ldap_server>ldap.server.com</ldap_server>
  <ldap_tls config:type="boolean">false</ldap_tls>
  <login_enabled config:type="boolean">true</login_enabled>
  <member_attribute>member</member_attribute>
  <mkhomedir config:type="boolean">false</mkhomedir>
  <pam_password>exop</pam_password>
  <nss_base_group>ou=groups,dc=some</nss_base_group>
  <nss_base_passwd>ou=users,dc=some</nss_base_passwd>
  <nss_base_shadow>ou=users,dc=some</nss_base_shadow>
  <sssd config:type="boolean">true</sssd>
  <sssd_ldap_schema>rfc2307</sssd_ldap_schema>
  <sssd_with_krb config:type="boolean">true</sssd_with_krb> <!-- New tag -->
  <start_autofs config:type="boolean">true</start_autofs>
  <start_ldap config:type="boolean">true</start_ldap>
  <tls_cacertfile>/etc/ssl/certs/LOCAL-CA.pem</tls_cacertfile>
</ldap>
------

And this is the /etc/sssd/sssd.conf after AutoYast installation with above profile:
------
[sssd]
config_file_version = 2
services = nss,pam
domains = default
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP

[nss]

[pam]

# Section created by YaST
[domain/default]
ldap_uri = ldap://ldap.server.com
ldap_search_base = ou=users,dc=some
ldap_schema = rfc2307
id_provider = ldap
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
ldap_id_use_start_tls = False
enumerate = False
cache_credentials = False
ldap_tls_cacert = /etc/ssl/certs/LOCAL-CA.pem
chpass_provider = ldap
auth_provider = ldap
------

Clearly, the Kerberos settings are missing.

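Added example, not part of the original thread and not YaST code: a post-install check that compares the `sssd_with_krb` tag of an AutoYaST profile with the `auth_provider` that actually ended up in sssd.conf, the mismatch reported in comment #3. The function names and both trimmed samples are constructed for illustration.

```python
import configparser
import xml.etree.ElementTree as ET

NS = {"y": "http://www.suse.com/1.0/yast2ns"}

# Constructed sample: trimmed <ldap> section in the shape quoted in comment #3.
PROFILE = """<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns"
         xmlns:config="http://www.suse.com/1.0/configns">
  <ldap>
    <krb5_realm>KERBEROS.REALM</krb5_realm>
    <sssd config:type="boolean">true</sssd>
    <sssd_with_krb config:type="boolean">true</sssd_with_krb>
  </ldap>
</profile>"""

# Constructed sample: trimmed sssd.conf in the shape quoted in comment #3.
SSSD_CONF = """[sssd]
services = nss,pam
domains = default
[nss]
[pam]
[domain/default]
id_provider = ldap
chpass_provider = ldap
auth_provider = ldap
"""

def profile_wants_kerberos(profile_xml):
    """True/False from <ldap><sssd_with_krb>, or None when the tag is absent."""
    tag = ET.fromstring(profile_xml).find("y:ldap/y:sssd_with_krb", NS)
    if tag is None or tag.text is None:
        return None
    return tag.text.strip().lower() == "true"

def auth_providers(sssd_conf_text):
    """Map each domain listed in [sssd] domains to its effective auth_provider."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_conf_text)
    result = {}
    for name in cp.get("sssd", "domains", fallback="").split(","):
        section = "domain/" + name.strip()
        if name.strip() and cp.has_section(section):
            # SSSD uses id_provider for authentication when auth_provider is unset.
            id_prov = cp.get(section, "id_provider", fallback=None)
            result[name.strip()] = cp.get(section, "auth_provider", fallback=id_prov)
    return result

def kerberos_drift(profile_xml, sssd_conf_text):
    """Domains where the profile requests Kerberos but SSSD authenticates otherwise."""
    if not profile_wants_kerberos(profile_xml):
        return []
    providers = auth_providers(sssd_conf_text)
    return sorted(d for d, p in providers.items() if p != "krb5")

if __name__ == "__main__":
    print(kerberos_drift(PROFILE, SSSD_CONF))
```

A profile saved by the unpatched module has no `sssd_with_krb` tag at all, so `profile_wants_kerberos` returns None for it and the drift check has nothing to compare against.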
https://bugzilla.novell.com/show_bug.cgi?id=778949#c4

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |joschibrauchle@gmx.de

--- Comment #4 from Jiří Suchomel <jsuchome@suse.com> 2012-09-06 10:12:11 UTC ---
(In reply to comment #3)
> Hello,
> your patch does solve the problem of the "Use Kerberos" checkbox being disabled after reloading the XML in the Autoinstall module.
> Unfortunately, using this new XML during an autoinstallation still does not enable Kerberos for SSSD.

Sure, the patch has to be present in the installed package as well. Should I prepare a test yast2-ldap-client package for you? Could you add it (as some kind of extra source) during your autoinstallation?

https://bugzilla.novell.com/show_bug.cgi?id=778949#c5

--- Comment #5 from Joschi Brauchle <joschibrauchle@gmx.de> 2012-09-06 10:46:46 UTC ---
An RPM would be easiest to test for me. I could also try to add the patch with a chroot script, but I'm not sure if that would be too late?

https://bugzilla.novell.com/show_bug.cgi?id=778949#c6

--- Comment #6 from Jiří Suchomel <jsuchome@suse.com> 2012-09-06 11:16:07 UTC ---
Try with yast2-ldap-client-2.22.9 from
https://build.opensuse.org/package/binaries?package=yast2-ldap-client&project=home%3Ajsuchome&repository=openSUSE_12.2

https://bugzilla.novell.com/show_bug.cgi?id=778949#c7

Joschi Brauchle <joschibrauchle@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|joschibrauchle@gmx.de       |
           Severity|Normal                      |Major

--- Comment #7 from Joschi Brauchle <joschibrauchle@gmx.de> 2012-09-06 13:59:56 UTC ---
Ok, after doing a test AutoYast installation I can confirm that the problem is fixed there as well! Thanks!

https://bugzilla.novell.com/show_bug.cgi?id=778949

Joschi Brauchle <joschibrauchle@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Major                       |Normal

https://bugzilla.novell.com/show_bug.cgi?id=778949#c8

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #8 from Jiří Suchomel <jsuchome@suse.com> 2012-09-06 14:17:04 UTC ---
I think we'll need to release an update, hopefully together with the other bug.

https://bugzilla.novell.com/show_bug.cgi?id=778949

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:running:49177:low

https://bugzilla.novell.com/show_bug.cgi?id=778949#c12

--- Comment #12 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-09-11 12:00:13 CEST ---
This is an autogenerated message for OBS integration:
This bug (778949) was mentioned in
https://build.opensuse.org/request/show/133610 Factory / yast2-ldap-client

https://bugzilla.novell.com/show_bug.cgi?id=778949#c13

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |maintenance@opensuse.org

--- Comment #13 from Jiří Suchomel <jsuchome@suse.com> 2012-09-13 10:16:55 UTC ---
yast2-ldap-client and yast2-kerberos-client packages need to be updated for 12.2 too. Can I proceed?

https://bugzilla.novell.com/show_bug.cgi?id=778949#c14

Benjamin Brunner <bbrunner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
       InfoProvider|maintenance@opensuse.org    |

--- Comment #14 from Benjamin Brunner <bbrunner@suse.com> 2012-09-13 16:28:57 CEST ---
Jiří, could you create a maintenance request with the updated packages please? We'll start an update.

https://bugzilla.novell.com/show_bug.cgi?id=778949#c16

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #16 from Jiří Suchomel <jsuchome@suse.com> 2012-09-17 06:14:43 UTC ---
12.2:

osc rq show 134561
Request: #134561

  maintenance_incident: home:jsuchome:12.2/yast2-ldap-client -> openSUSE:Maintenance (release in openSUSE:12.2:Update)

https://bugzilla.novell.com/show_bug.cgi?id=778949#c18

--- Comment #18 from Jiří Suchomel <jsuchome@suse.com> 2012-09-18 07:39:21 UTC ---
created request id 21719

https://bugzilla.novell.com/show_bug.cgi?id=778949#c19

--- Comment #19 from Swamp Workflow Management <swamp@suse.de> 2012-09-26 15:09:00 UTC ---
openSUSE-RU-2012:1250-1: An update that has two recommended fixes can now be installed.

Category: recommended (low)
Bug References: 778949,779261
CVE References:
Sources used:
openSUSE 12.2 (src): yast2-ldap-client-2.22.10-2.4.1

https://bugzilla.novell.com/show_bug.cgi?id=778949#c20

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:49177:low     |maint:running:49177:low
                   |                            |maint:released:sle11-sp2:49
                   |                            |241

--- Comment #20 from Swamp Workflow Management <swamp@suse.de> 2012-10-04 11:03:11 UTC ---
Update released for: yast2-kerberos-client, yast2-ldap-client
Products:
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

https://bugzilla.novell.com/show_bug.cgi?id=778949

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:49177:low     |.
                   |maint:released:sle11-sp2:49 |
                   |241                         |
