EESSI / compatibility-layer

Compatibility layer of the EESSI project
https://eessi.github.io/docs/compatibility_layer
GNU General Public License v2.0

Install libnss packages in compat layer (instead of making host symlinks) #158

Closed bedroge closed 5 months ago

bedroge commented 2 years ago

As reported by Bart, the symlink will not work if the host library is too new for the compatibility layer.

bartoldeman commented 2 years ago

The relevant packages are:

sys-auth/nss-pam-ldapd
sys-auth/sssd

but neither installs completely out of the box on Gentoo Prefix. Centrify DC is a commercial solution, you can't go without symlinks there for libnss_centrifydc.so.2.

For nss-pam-ldapd, it needs --with-ldap-conf-file=${EPREFIX}/etc/nslcd.conf. Without the daemon running that file is unused, it's just to avoid installing out of the prefix. libnss_ldap.so.2 reads from a socket, at /run/nslcd/socket (set without ${EPREFIX} in the ebuild).

For sssd I had to disable the acl USE flag, otherwise it'll pull in Samba, and also use --with-xml-catalog-path="${EPREFIX}"/etc/xml/catalog. Then libnss_sss.so.2 reads from "${EPREFIX}"/var/lib/sss/pipes, so that needs to be symlinked, or otherwise overridden to use plain /var/lib/sss/pipes in the ebuild (via --with-pipe-path).

Fundamentally these two packages both install too much for us, as we only need the libnss component, and not the daemon.

The versions under https://github.com/ComputeCanada/gentoo-overlay/tree/main/sys-auth work but are a little out of date now.

amadio commented 2 years ago

I can help with what pertains to fixes in Gentoo prefix, but since glibc from prefix is used, it may be difficult to integrate well with the host authentication libraries. If ComputeCanada patched it to work, please submit pull requests with the fixes, we would like to get those in Gentoo.

bartoldeman commented 2 years ago

@amadio I'll submit a pull request, but need some guidance to avoid doing something not generally applicable?

In actual fact if you look at: https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-auth/sssd/sssd-2.6.0-r2.ebuild you see that what we really need is the ! multilib_is_native_abi path, i.e. just build the libraries but not the daemon. What we have is the CentOS/Rocky host daemon writing to /var/lib/sss and the Gentoo Prefix client library reading from files in there. I found some other packages that have a daemon USE flag so it may be reasonable to add that.

The next thing is then what USE flag to use for

        --with-pipe-path="${EPREFIX}"/var/lib/sss/pipes
        --with-mcache-path="${EPREFIX}"/var/lib/sss/mc

we really need

        --with-pipe-path=/var/lib/sss/pipes
        --with-mcache-path=/var/lib/sss/mc

but if Gentoo Prefix provides the daemon (anyone doing that?), then obviously those paths do need to be prefixed.

Just wondering if there needs to be a more general USE flag since something similar happens with glibc, which prefixes e.g.

        #define _PATH_UTMP      "/cvmfs/soft.computecanada.ca/gentoo/2020/var/run/utmp"

in $EPREFIX/usr/include/paths.h, but this utmp file is never written to. We symlink it, but that seems sub-optimal, and does anyone use a prefixed systemd-update-utmp.service to write to $EPREFIX/var/run/utmp (where $EPREFIX is not on an r/o cvmfs mount, obviously)?

bartoldeman commented 1 year ago

@bedroge https://github.com/ComputeCanada/gentoo-overlay/tree/main/sys-auth/nss-pam-ldapd and https://github.com/ComputeCanada/gentoo-overlay/tree/main/sys-auth/sssd now have updated ebuilds that work with pristine Gentoo Prefix bootstraps (i.e. no pam, no kerberos installed).

You'll need to install them with a USE flag though:

        USE="-nslcd" emerge nss-pam-ldapd
        USE="-daemon -man" emerge sssd

The nss-pam-ldapd ebuild is fairly clean vs upstream Gentoo, as upstream nss-pam-ldapd lets you simply pass --disable-nslcd to configure, but sssd is a different story, so that ebuild has a ton of hacks to fool configure.

The NSS plugins don't really rely on symlinks, but glibc still does to use them, that is, the $EPREFIX/etc/nsswitch.conf -> /etc/nsswitch.conf symlink is still needed.
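The thread boils down to one consistency check: whatever nsswitch.conf the compat-layer glibc ends up reading (via the $EPREFIX/etc/nsswitch.conf symlink), every service named there must exist as libnss_<service>.so.2 in the compat layer's own lib directory, because that glibc will not load host modules built against a newer glibc. The script below is an added example, not code from this issue or from the EESSI project: it lists the services an nsswitch.conf references and reports which libnss_*.so.2 files are absent from a given lib directory, so a missing sss or ldap module shows up before users hit failed lookups. It runs against a constructed nsswitch.conf and an empty stand-in lib directory; the nsswitch.conf path and lib directory are assumptions passed as arguments, nothing on the host is touched.

```shell
#!/bin/sh
# Added example (not from the issue or the EESSI project): report which NSS
# modules referenced by an nsswitch.conf are missing from a library directory.
# Assumption: service "foo" on a "db: foo" line maps to libnss_foo.so.2, the
# naming scheme glibc uses when it dlopen()s NSS modules.

# nss_services <nsswitch.conf>: print each referenced service once, in order.
nss_services() {
    # Strip comments, action groups such as [NOTFOUND=return], and the
    # "db:" prefix; split the remaining words one per line; de-duplicate.
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' -e 's/^[^:]*://' "$1" \
      | tr ' \t' '\n\n' \
      | grep -v '^$' \
      | awk '!seen[$0]++'
}

# nss_missing <nsswitch.conf> <libdir>: print libnss_<svc>.so.2 names that do
# not exist under <libdir>. glibc ships files/dns/compat itself, so a glibc
# lib dir is expected to already contain those; sss, ldap, centrifydc, ... are
# the ones the compat layer has to provide.
nss_missing() {
    conf=$1; libdir=$2
    nss_services "$conf" | while read -r svc; do
        lib="libnss_${svc}.so.2"
        [ -e "$libdir/$lib" ] || echo "$lib"
    done
}

# nss_demo: run the check on constructed input (a host-style nsswitch.conf
# using sssd and nslcd, and a lib dir that only has glibc's own modules).
nss_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample, not a real host file
passwd:  files sss
group:   files sss [NOTFOUND=return] ldap
shadow:  files
hosts:   files dns
EOF
    mkdir "$tmp/lib"
    touch "$tmp/lib/libnss_files.so.2" "$tmp/lib/libnss_dns.so.2"
    nss_missing "$tmp/nsswitch.conf" "$tmp/lib"
    rm -rf "$tmp"
}

nss_demo
```

Against a real compat layer you would call `nss_missing /etc/nsswitch.conf "$EPREFIX/usr/lib64"` (or whichever lib dir the prefix glibc uses); each name it prints is a module that has to come from a prefix-built package such as the sssd or nss-pam-ldapd ebuilds discussed above, or, for closed-source modules like libnss_centrifydc.so.2, from a symlink that only works while the host glibc is not newer than the compat layer's.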