
Fedora Silverblue issue tracker
https://fedoraproject.org/atomic-desktops/silverblue/

New Package Request: multiple - packages required for AD integration #550

Open karypid opened 2 months ago

karypid commented 2 months ago

Please try to answer the following questions about the package you are requesting:

  1. Is the package installed by default in Fedora Workstation? YES

  2. What, if any, are the additional dependencies on the package?

Checking out tree c3de5ab... done
Enabled rpm-md repositories: fedora-cisco-openh264 updates-testing updates fedora copr:copr.fedorainfracloud.org:phracek:PyCharm rpmfusion-nonfree-nvidia-driver rpmfusion-nonfree-steam google-chrome updates-archive
Importing rpm-md... done
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2023-12-11T14:43:50Z solvables: 4
rpm-md repo 'updates-testing' (cached); generated: 2024-04-11T00:50:51Z solvables: 14029
rpm-md repo 'updates' (cached); generated: 2024-02-13T17:21:08Z solvables: 0
rpm-md repo 'fedora' (cached); generated: 2024-04-10T08:40:17Z solvables: 74881
rpm-md repo 'copr:copr.fedorainfracloud.org:phracek:PyCharm' (cached); generated: 2024-03-18T11:54:41Z solvables: 14
rpm-md repo 'rpmfusion-nonfree-nvidia-driver' (cached); generated: 2024-03-24T11:36:11Z solvables: 16
rpm-md repo 'rpmfusion-nonfree-steam' (cached); generated: 2024-03-24T13:27:05Z solvables: 2
rpm-md repo 'google-chrome' (cached); generated: 2024-04-10T17:57:17Z solvables: 3
rpm-md repo 'updates-archive' (cached); generated: 2023-10-06T17:04:49Z solvables: 0
Resolving dependencies... done
Installing 11 packages:
  adcli-0.9.2-6.fc40.x86_64 (fedora)
  cyrus-sasl-gssapi-2.1.28-19.fc40.x86_64 (fedora)
  libnetapi-2:4.20.0-0.5.rc4.fc40.x86_64 (fedora)
  oddjob-0.34.7-12.fc40.x86_64 (fedora)
  oddjob-mkhomedir-0.34.7-12.fc40.x86_64 (fedora)
  samba-common-tools-2:4.20.0-0.5.rc4.fc40.x86_64 (fedora)
  samba-ldb-ldap-modules-2:4.20.0-0.5.rc4.fc40.x86_64 (fedora)
  samba-libs-2:4.20.0-0.5.rc4.fc40.x86_64 (fedora)
  sssd-ad-2.9.4-4.fc40.x86_64 (fedora)
  sssd-common-pac-2.9.4-4.fc40.x86_64 (fedora)
  sssd-krb5-common-2.9.4-4.fc40.x86_64 (fedora)
Exiting because of '--dry-run' option

  3. What is the size of the package and its dependencies?

rpm -qi adcli-0.9.2-6.fc40.x86_64 cyrus-sasl-gssapi-2.1.28-19.fc40.x86_64 libnetapi-2:4.20.0-0.5.rc4.fc40.x86_64 oddjob-0.34.7-12.fc40.x86_64 oddjob-mkhomedir-0.34.7-12.fc40.x86_64 samba-common-tools-2:4.20.0-0.5.rc4.fc40.x86_64 samba-ldb-ldap-modules-2:4.20.0-0.5.rc4.fc40.x86_64 samba-libs-2:4.20.0-0.5.rc4.fc40.x86_64 sssd-ad-2.9.4-4.fc40.x86_64 sssd-common-pac-2.9.4-4.fc40.x86_64 sssd-krb5-common-2.9.4-4.fc40.x86_64 | grep -E "Name|Size"

Name        : adcli
Size        : 347104
Name        : cyrus-sasl-gssapi
Size        : 45304
Name        : libnetapi
Size        : 494930
Name        : oddjob
Size        : 142513
Name        : oddjob-mkhomedir
Size        : 53830
Name        : samba-common-tools
Size        : 1359806
Name        : samba-ldb-ldap-modules
Size        : 34446
Name        : samba-libs
Size        : 367542
Name        : sssd-ad
Size        : 439390
Name        : sssd-common-pac
Size        : 234424
Name        : sssd-krb5-common
Size        : 216137

  4. What problem are you trying to solve with this package? Or what functionality does the package provide?

In order to join an Active Directory domain and perform "Enterprise Login", Fedora needs these packages. In Fedora Workstation they are present and you can do this without issue. In Silverblue the GUI hangs with no error, and the system log shows that the reason it's not working is these missing packages.

Bug: https://github.com/fedora-silverblue/issue-tracker/issues/320
Discussions thread: https://discussion.fedoraproject.org/t/bug-in-f40-packages-missing-for-ad-integration/112410/3

  5. Can the software provided by the package be run from a container? Explain why or why not.

I am not sure.

  6. Can the tool(s) provided by the package be helpful in debugging container runtime issues?

No (n/a)

  7. Can the tool(s) provided by the package be helpful in debugging networking issues?

Yes, provided you are investigating AD networking problems. The samba-common-tools package has the "net" command which has useful utilities for domain operations. Same for adcli which allows you to check users, computer accounts, etc.

  8. Is it possible to layer the package locally via rpm-ostree install <package>? Explain why or why not.

Yes, this is what I do in order to get things to work. I am able to join the domain and login using AD accounts.

My 5 cents is that Silverblue should pick a consistent option, that is either:

1) Include these to be in-sync with Fedora workstation
2) Modify the GNOME settings panel for Users to include auto-installing "on the fly" if the user chooses to join a domain. This way they are not
3) At least show a proper message if the user tries to add an Enterprise Login account, explaining that the packages are missing and the user must install them manually.

travier commented 2 months ago

Thanks a lot for doing this. I'll look at why those packages are not included in Silverblue even though they are in Workstation. I think we should just add them if it's the case.

travier commented 2 months ago

The sum of all the sizes mentioned above is 3735426 so about 3MB which is negligible for Silverblue so definitely voting in favor of inclusion.

travier commented 2 months ago

From the comps groups:

  <group>
    <id>domain-client</id>
    <_name>Domain Membership</_name>
    <_description>Support for joining a FreeIPA or Active Directory Domain</_description>
    <default>false</default>
    <packagelist>
      <packagereq type="mandatory">adcli</packagereq>
      <packagereq type="mandatory">freeipa-client</packagereq>
      <packagereq type="mandatory">oddjob-mkhomedir</packagereq>
      <packagereq type="mandatory">samba-common-tools</packagereq>
      <packagereq type="mandatory">samba-winbind</packagereq>
      <packagereq type="mandatory">sssd-ad</packagereq>
      <packagereq type="mandatory">sssd-ipa</packagereq>
      <packagereq type="default">libsss_autofs</packagereq>
      <packagereq type="default">libsss_sudo</packagereq>
      <packagereq type="default">sssd-nfs-idmap</packagereq>
    </packagelist>
  </group>

I'm tempted to add all of those.

travier commented 2 months ago

  <environment>
    <id>workstation-product-environment</id>
    <!-- Translators: Don't translate this product name -->
    <_name>Fedora Workstation</_name>
    <_description>Fedora Workstation is a user friendly desktop system for laptops and PCs.</_description>
    <display_order>2</display_order>
    <!-- Keep this list in sync with the list in fedora-workstation-common.ks. -->
    <grouplist>
      <groupid>container-management</groupid>
      <groupid>core</groupid>
      <groupid>desktop-accessibility</groupid>
      <groupid>firefox</groupid>
      <groupid>fonts</groupid>
      <groupid>gnome-desktop</groupid>
      <groupid>guest-desktop-agents</groupid>
      <groupid>hardware-support</groupid>
      <groupid>libreoffice</groupid>
      <groupid>multimedia</groupid>
      <groupid>networkmanager-submodules</groupid>
      <groupid>printing</groupid>
      <groupid>workstation-product</groupid>
    </grouplist>
    <optionlist>
      <groupid>arm-tools</groupid>
      <groupid>domain-client</groupid>
      <groupid default="true">base-x</groupid>
    </optionlist>
  </environment>

It's in the optionlist here. Not sure what this means.

From https://fedoraproject.org/wiki/How_to_use_and_edit_comps.xml_for_package_groups:

All optional groups (defined by the group keyword) for that environment (listed in the environment's optionlist) are shown at the top of the right-hand pane.
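
Added example, not part of the thread and not Fedora's own tooling: a short Python check that reads comps XML, reports whether an environment lists a group in its grouplist or only in its optionlist, and lists which of the group's packages a given image lacks. The comps fragment is trimmed from the two snippets quoted above; the `IMAGE` package set and the function names `group_placement` and `audit` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed comps fragment, trimmed from the two snippets quoted in the thread.
COMPS = """<comps>
  <group>
    <id>domain-client</id>
    <packagelist>
      <packagereq type="mandatory">adcli</packagereq>
      <packagereq type="mandatory">freeipa-client</packagereq>
      <packagereq type="mandatory">oddjob-mkhomedir</packagereq>
      <packagereq type="mandatory">samba-common-tools</packagereq>
      <packagereq type="mandatory">samba-winbind</packagereq>
      <packagereq type="mandatory">sssd-ad</packagereq>
      <packagereq type="mandatory">sssd-ipa</packagereq>
      <packagereq type="default">libsss_sudo</packagereq>
    </packagelist>
  </group>
  <environment>
    <id>workstation-product-environment</id>
    <grouplist><groupid>core</groupid><groupid>gnome-desktop</groupid></grouplist>
    <optionlist>
      <groupid>domain-client</groupid>
      <groupid default="true">base-x</groupid>
    </optionlist>
  </environment>
</comps>"""

def group_placement(root, env_id, group_id):
    """Where the environment lists the group: grouplist, optionlist or absent."""
    for env in root.iter("environment"):
        if env.findtext("id") == env_id:
            for section in ("grouplist", "optionlist"):
                if any(g.text == group_id for g in env.findall(section + "/groupid")):
                    return section
    return "absent"

def audit(comps_xml, env_id, group_id, installed, types=("mandatory",)):
    """Return (placement, sorted packages of the group missing from `installed`)."""
    root = ET.fromstring(comps_xml)
    for grp in root.iter("group"):
        if grp.findtext("id") == group_id:
            wanted = [p.text for p in grp.findall("packagelist/packagereq")
                      if p.get("type") in types]
            return (group_placement(root, env_id, group_id),
                    sorted(set(wanted) - set(installed)))
    raise KeyError(group_id)

# Constructed package set standing in for the package names present on an image.
IMAGE = {"freeipa-client", "samba-winbind", "sssd-ipa"}
print(audit(COMPS, "workstation-product-environment", "domain-client", IMAGE))
```

A group that appears only in the optionlist is offered as an option rather than pulled in with the environment, so on an image-based system its packages have to be baked in or layered before a domain join is attempted.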

travier commented 2 months ago

See: https://gitlab.com/fedora/ostree/sig/-/issues/24
PR: https://pagure.io/workstation-ostree-config/pull-request/504

travier commented 2 months ago

Precision: I did a fresh install of Fedora Workstation 40 and it's not installed by default.

AdamWill commented 2 months ago

On Workstation and other non-atomic installs, if you try to enrol into a realm via realmd - e.g. via the button on gnome-initial-setup for this, or using cockpit, or running realm join at a console - realmd will automatically install the appropriate client packages (it doesn't install this package group, it has its own list of appropriate packages for different types of realm on different distros, and uses packagekit directly to install whatever it decides is appropriate. which I hate because it isn't logged anywhere, but that's by the by!)

karypid commented 2 months ago

Apologies, I simply assumed that Workstation just had the required packages pre-installed.

This is an interesting situation, I wonder how an "atomic" distro should handle this...

Should I close this bug then? Let the discussion resume in https://github.com/fedora-silverblue/issue-tracker/issues/320

AdamWill commented 2 months ago

no, no, I think it's fairly reasonable for Silverblue to just bake the packages in since they can't be installed on-demand, as the PR does. at least for now, until maybe the OCI stuff is further along and we can say it's totally normal to layer the additional packages in, or something.

travier commented 2 months ago

That's the direction I'm leaning as well (including until we move to OCI images).