add better CentOS 8 support

[ghoneycutt]

Hi @dacron Thank you for your contribution! Could you please remove rhel-8 from travis so we are not duplicating tests. Also could you mention how this is helping add better support.

[dacron]

Hi @ghoneycutt certainly. The big thing that adds "better" CentOS support is that the proposed changes in manifests/init.pp ensure that if you are running CentOS major release 8 or greater you enter the block for authselect as opposed to authconfig.

This is as the conditional block on line 194 previously only used facts['os']['name'] == 'RedHat' and versioncmp(majorrelase, 8) >= 8. By changing the first half of the condition we can force CentOS to go down this route.

[ghoneycutt]

This would duplicate the data already in https://github.com/sgnl05/sgnl05-sssd/blob/master/data/os/RedHat/8.yaml

Since the data for RedHat and CentOS should be the same, suggest switching to os.family.

[dacron]

@ghoneycutt I've removes data/CentOS/8.yaml. Turns out that the required data is already there, but the structure in data is slightly confusing in that data/os/os_majrel is actually data/osfamily/os_majrel:

hierarchy:
  - name: "osfamily/major_release/architecture"
    path: "os/%{facts.os.family}/%{facts.os.release.major}/%{facts.os.architecture}.yaml"

  - name: "osfamily/major_release"
    path: "os/%{facts.os.family}/%{facts.os.release.major}.yaml"

  - name: "osfamily"
    path: "osfamily/%{facts.os.family}.yaml"

[realvinx]

What do I need to do to support CentOS8 ?

[ghoneycutt]

Running the acceptance test I get this

An error occurred while loading ./spec/acceptance/00_sssd_spec.rb.
Failure/Error: require 'beaker-rspec'
Beaker::Host::CommandFailure:
  Host 'centos8' exited with 127 running:
   /sbin/service sshd restart
  Last 10 lines of output were:
    bash: /sbin/service: No such file or directory

Did service move to /usr/bin or does a package need to be installed?

[dacron]

Looks like it has been moved to /usr/sbin. I don't have a great enough understanding of rspec tests to fix this unfortunately :( rpm-qilp $PACKAGE below.

[adacre@alex-workstation 08:43:27] spec > rpm -qilp initscripts-10.00.4-1.el8.x86_64.rpm
warning: initscripts-10.00.4-1.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
Name        : initscripts
Version     : 10.00.4
Release     : 1.el8
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 1096618
License     : GPLv2
Signature   : RSA/SHA256, Wed 04 Dec 2019 23:58:04 UTC, Key ID 05b555b38483c65d
Source RPM  : initscripts-10.00.4-1.el8.src.rpm
Build Date  : Fri 08 Nov 2019 18:36:09 UTC
Build Host  : x86-02.mbox.centos.org
Relocations : (not relocatable)
Packager    : CentOS Buildsys <bugs@centos.org>
Vendor      : CentOS
URL         : https://github.com/fedora-sysv/initscripts
Summary     : Basic support for legacy System V init scripts
Description :
This package provides basic support for legacy System V init scripts, and some
other legacy tools & utilities.
/etc/rc.d
/etc/rc.d/init.d
/etc/rc.d/init.d/functions
/etc/rc.d/rc.local
/etc/rc.d/rc0.d
/etc/rc.d/rc1.d
/etc/rc.d/rc2.d
/etc/rc.d/rc3.d
/etc/rc.d/rc4.d
/etc/rc.d/rc5.d
/etc/rc.d/rc6.d
/etc/rc0.d
/etc/rc1.d
/etc/rc2.d
/etc/rc3.d
/etc/rc4.d
/etc/rc5.d
/etc/rc6.d
/etc/sysconfig/console
/etc/sysconfig/modules
/usr/bin/usleep
/usr/lib/.build-id
/usr/lib/.build-id/1e
/usr/lib/.build-id/1e/147107b64e1ca44b3438babe744427674b99c3
/usr/lib/.build-id/3b
/usr/lib/.build-id/3b/b105d824b5147293de44a853b49aed248a98b3
/usr/lib/.build-id/a6
/usr/lib/.build-id/a6/41b5bc24577c3db6b190eeb9dbbe28eb5e53f1
/usr/lib/.build-id/ff
/usr/lib/.build-id/ff/abdcac3325d6b9a6fa7f19f1f69b09f7e7af29
/usr/lib/systemd/system/import-state.service
/usr/lib/systemd/system/loadmodules.service
/usr/lib/udev/rename_device
/usr/lib/udev/rules.d/60-net.rules
/usr/libexec/import-state
/usr/libexec/initscripts
/usr/libexec/initscripts/legacy-actions
/usr/libexec/loadmodules
/usr/sbin/consoletype
/usr/sbin/genhostid
/usr/sbin/service
/usr/share/doc/initscripts
/usr/share/doc/initscripts/sysconfig.txt
/usr/share/licenses/initscripts
/usr/share/licenses/initscripts/COPYING
/usr/share/locale/ar/LC_MESSAGES/initscripts.mo
/usr/share/locale/as/LC_MESSAGES/initscripts.mo
/usr/share/locale/ast/LC_MESSAGES/initscripts.mo
/usr/share/locale/bal/LC_MESSAGES/initscripts.mo
/usr/share/locale/bg/LC_MESSAGES/initscripts.mo
/usr/share/locale/bn/LC_MESSAGES/initscripts.mo
/usr/share/locale/bn_IN/LC_MESSAGES/initscripts.mo
/usr/share/locale/bo/LC_MESSAGES/initscripts.mo
/usr/share/locale/br/LC_MESSAGES/initscripts.mo
/usr/share/locale/bs/LC_MESSAGES/initscripts.mo
/usr/share/locale/ca/LC_MESSAGES/initscripts.mo
/usr/share/locale/cs/LC_MESSAGES/initscripts.mo
/usr/share/locale/cy/LC_MESSAGES/initscripts.mo
/usr/share/locale/da/LC_MESSAGES/initscripts.mo
/usr/share/locale/de/LC_MESSAGES/initscripts.mo
/usr/share/locale/el/LC_MESSAGES/initscripts.mo
/usr/share/locale/en_GB/LC_MESSAGES/initscripts.mo
/usr/share/locale/es/LC_MESSAGES/initscripts.mo
/usr/share/locale/et/LC_MESSAGES/initscripts.mo
/usr/share/locale/eu/LC_MESSAGES/initscripts.mo
/usr/share/locale/fa/LC_MESSAGES/initscripts.mo
/usr/share/locale/fi/LC_MESSAGES/initscripts.mo
/usr/share/locale/fr/LC_MESSAGES/initscripts.mo
/usr/share/locale/ga/LC_MESSAGES/initscripts.mo
/usr/share/locale/gl/LC_MESSAGES/initscripts.mo
/usr/share/locale/gu/LC_MESSAGES/initscripts.mo
/usr/share/locale/he/LC_MESSAGES/initscripts.mo
/usr/share/locale/hi/LC_MESSAGES/initscripts.mo
/usr/share/locale/hr/LC_MESSAGES/initscripts.mo
/usr/share/locale/hu/LC_MESSAGES/initscripts.mo
/usr/share/locale/hy/LC_MESSAGES/initscripts.mo
/usr/share/locale/ia/LC_MESSAGES/initscripts.mo
/usr/share/locale/id/LC_MESSAGES/initscripts.mo
/usr/share/locale/is/LC_MESSAGES/initscripts.mo
/usr/share/locale/it/LC_MESSAGES/initscripts.mo
/usr/share/locale/ja/LC_MESSAGES/initscripts.mo
/usr/share/locale/ka/LC_MESSAGES/initscripts.mo
/usr/share/locale/kk/LC_MESSAGES/initscripts.mo
/usr/share/locale/kn/LC_MESSAGES/initscripts.mo
/usr/share/locale/ko/LC_MESSAGES/initscripts.mo
/usr/share/locale/ks/LC_MESSAGES/initscripts.mo
/usr/share/locale/ku/LC_MESSAGES/initscripts.mo
/usr/share/locale/lo/LC_MESSAGES/initscripts.mo
/usr/share/locale/lt/LC_MESSAGES/initscripts.mo
/usr/share/locale/lv/LC_MESSAGES/initscripts.mo
/usr/share/locale/mai/LC_MESSAGES/initscripts.mo
/usr/share/locale/mk/LC_MESSAGES/initscripts.mo
/usr/share/locale/ml/LC_MESSAGES/initscripts.mo
/usr/share/locale/mr/LC_MESSAGES/initscripts.mo
/usr/share/locale/ms/LC_MESSAGES/initscripts.mo
/usr/share/locale/my/LC_MESSAGES/initscripts.mo
/usr/share/locale/nb/LC_MESSAGES/initscripts.mo
/usr/share/locale/nds/LC_MESSAGES/initscripts.mo
/usr/share/locale/nl/LC_MESSAGES/initscripts.mo
/usr/share/locale/nn/LC_MESSAGES/initscripts.mo
/usr/share/locale/or/LC_MESSAGES/initscripts.mo
/usr/share/locale/pa/LC_MESSAGES/initscripts.mo
/usr/share/locale/pl/LC_MESSAGES/initscripts.mo
/usr/share/locale/pt/LC_MESSAGES/initscripts.mo
/usr/share/locale/pt_BR/LC_MESSAGES/initscripts.mo
/usr/share/locale/ro/LC_MESSAGES/initscripts.mo
/usr/share/locale/ru/LC_MESSAGES/initscripts.mo
/usr/share/locale/si/LC_MESSAGES/initscripts.mo
/usr/share/locale/sk/LC_MESSAGES/initscripts.mo
/usr/share/locale/sl/LC_MESSAGES/initscripts.mo
/usr/share/locale/sq/LC_MESSAGES/initscripts.mo
/usr/share/locale/sr/LC_MESSAGES/initscripts.mo
/usr/share/locale/sr@latin/LC_MESSAGES/initscripts.mo
/usr/share/locale/sv/LC_MESSAGES/initscripts.mo
/usr/share/locale/ta/LC_MESSAGES/initscripts.mo
/usr/share/locale/te/LC_MESSAGES/initscripts.mo
/usr/share/locale/tg/LC_MESSAGES/initscripts.mo
/usr/share/locale/tr/LC_MESSAGES/initscripts.mo
/usr/share/locale/uk/LC_MESSAGES/initscripts.mo
/usr/share/locale/ur/LC_MESSAGES/initscripts.mo
/usr/share/locale/vi/LC_MESSAGES/initscripts.mo
/usr/share/locale/wa/LC_MESSAGES/initscripts.mo
/usr/share/locale/zh_CN/LC_MESSAGES/initscripts.mo
/usr/share/locale/zh_HK/LC_MESSAGES/initscripts.mo
/usr/share/locale/zh_TW/LC_MESSAGES/initscripts.mo
/usr/share/man/man1/consoletype.1.gz
/usr/share/man/man1/genhostid.1.gz
/usr/share/man/man1/usleep.1.gz
/usr/share/man/man8/service.8.gz

[realvinx]

# which service /usr/sbin/service

I don't know anything about these tests too, but I'm wondering why service is used here to start sshd and not systemctl.

[dacron]

added service_provider key to EL8 facts hash.

[realvinx]

here's what I get during puppet run on CentOS8 ... authconfig vs. authselect ?

Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: usage: authconfig [-h] [--enablenis] [--disablenis] [--nisdomain <domain>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--nisserver <server>] [--enableldap] [--disableldap]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enableldapauth] [--disableldapauth]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--ldapserver <server>] [--ldapbasedn <dn>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enableldaptls] [--disableldaptls] [--enableldapstarttls]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disableldapstarttls] [--enablerfc2307bis]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablerfc2307bis] [--enablesmartcard]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablesmartcard] [--smartcardaction <0=Lock|1=Ignore>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enablerequiresmartcard] [--disablerequiresmartcard]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enablefingerprint] [--disablefingerprint] [--enablekrb5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablekrb5] [--krb5kdc <server>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--krb5adminserver <server>] [--krb5realm <realm>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enablekrb5kdcdns] [--disablekrb5kdcdns]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enablekrb5realmdns] [--disablekrb5realmdns]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enablewinbind] [--disablewinbind] [--enablewinbindauth]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablewinbindauth] [--winbindjoin <Administrator>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enablewinbindkrb5] [--disablewinbindkrb5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--smbworkgroup <workgroup>] [--enablesssd] [--disablesssd]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enablesssdauth] [--disablesssdauth] [--enablecachecreds]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablecachecreds] [--enablepamaccess]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablepamaccess] [--enablemkhomedir]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablemkhomedir] [--enablefaillock] [--disablefaillock]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--passminlen <number>] [--passminclass <number>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--passmaxrepeat <number>] [--passmaxclassrepeat <number>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enablereqlower] [--disablereqlower] [--enablerequpper]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablerequpper] [--enablereqdigit] [--disablereqdigit]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enablereqother] [--disablereqother] [--nostart]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--updateall] [--update] [--kickstart] [--test] [--probe]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--savebackup <name>] [--restorebackup <name>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--restorelastbackup] [--enablecache] [--disablecache]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enableecryptfs] [--disableecryptfs] [--enableshadow]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disableshadow] [--useshadow] [--enablemd5] [--disablemd5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--usemd5]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--passalgo <descrypt|bigcrypt|md5|sha256|sha512>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--ldaploadcacert <URL>] [--smartcardmodule <module>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--smbsecurity <user|server|domain|ads>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--smbrealm <realm>] [--smbservers <servers>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--smbidmaprange <lowest-highest>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--smbidmapuid <lowest-highest>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--smbidmapgid <lowest-highest>] [--winbindseparator <\>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--winbindtemplatehomedir </home/%D/%U>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--winbindtemplateshell </bin/false>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--enablewinbindusedefaultdomain]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablewinbindusedefaultdomain] [--enablewinbindoffline]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablewinbindoffline] [--enablepreferdns]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablepreferdns] [--enableforcelegacy]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disableforcelegacy] [--enablelocauthorize]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablelocauthorize] [--enablesysnetauth]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns:                   [--disablesysnetauth] [--faillockargs <options>]
Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: authconfig: error: unrecognized arguments: with-mkhomedir
Error: '/usr/sbin/authconfig with-mkhomedir --update' returned 2 instead of one of [0]
Error: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/authconfig with-mkhomedir --update' returned 2 instead of one of [0] (corrective)
Error: Systemd start for sssd failed!

CentOS7 works.

[ghoneycutt]

Waiting on https://github.com/puppetlabs/beaker/pull/1623 to provide EL8 support.

In the meantime, if you update the Gemfile so the beaker gem looks as below, it should work.

  gem 'beaker', :github => 'florianfa/beaker', :branch => 'el8', :require => false

[realvinx]

I don't know anything about beaker and puppet acceptance testing, but I think the sssd-module does not switch to authselect with CentOS8.

I added some if-clauses quick and dirty to /etc/puppetlabs/code/modules/sssd/manifests/init.pp

• ( $::facts['os']['name'] == 'CentOS' and versioncmp($::facts['os']['release']['major'], '8') >= 0) at the top of this case $::osfamily and a bit below to use a different path to authselect

  case $::osfamily {
  'RedHat': {
    #if ($::facts['os']['name'] == 'Fedora' and versioncmp($::facts['os']['release']['major'], '28') >= 0) or
    #( $::facts['os']['name'] == 'Redhat' and versioncmp($::facts['os']['release']['major'], '8') >= 0) {
    if ($::facts['os']['name'] == 'Fedora' and versioncmp($::facts['os']['release']['major'], '28') >= 0) or
    ( $::facts['os']['name'] == 'Redhat' and versioncmp($::facts['os']['release']['major'], '8') >= 0) or
    ( $::facts['os']['name'] == 'CentOS' and versioncmp($::facts['os']['release']['major'], '8') >= 0) {
      if $ensure == 'present' {
        $authselect_options = join(
          concat(
            [$authselect_profile],
            $mkhomedir ? {
              true  => $enable_mkhomedir_flags,
              false => $disable_mkhomedir_flags,
            }
          ),
          ' ',
        )
      } else {
        $authselect_options = join(concat([$authselect_profile],$ensure_absent_flags), ' ')
      }
  
      #authselect is in /usr/bin/authselect on CentOS8 not /bin/authselect
      if ($::facts['os']['name'] == 'CentOS' and versioncmp($::facts['os']['release']['major'], '8') >=0) {
        $authselect_exec = '/usr/bin/authselect'
      } else {
        $authselect_exec = '/bin/authselect'
      }

With that puppet-run executes without errors and uses authselect... BUT my LDAP-sssd-auth is still unsuccessful ! sshd[6962]: pam_sss(sshd:auth): received for user myusername: 9 (Authentication service cannot retrieve authentication info)

I'm not sure if that's a problem in the sssd-module or if anything else on my host breaks it. Still looking into that, maybe someone else can test this.

[jehane]

Beaker has been updated to add CentOS 8 support. Are your planning to update the module soon ?

[zeekus]

I see the same issue.

Seems the module fails at the last execution line with Centos8.

Notice: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: authconfig: error: unrecognized arguments: with-mkhomedir Error: '/usr/sbin/authconfig with-mkhomedir --update' returned 2 instead of one of [0] Error: /Stage[main]/Sssd/Exec[authconfig-mkhomedir]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/authconfig with-mkhomedir --update' returned 2 instead of one of [0] (corrective)

It seems for Centos8 the command should be just 'authconfig --update'

[root@lpe2d ~]# /usr/sbin/authconfig --update Running authconfig compatibility tool. The purpose of this tool is to enable authentication against chosen services with authselect and minimum configuration. It does not provide all capabilities of authconfig.

IMPORTANT: authconfig is replaced by authselect, please update your scripts. See man authselect-migration(7) to help you with migration to authselect

Executing: /usr/bin/authselect check Executing: /usr/bin/authselect select sssd with-mkhomedir --force Executing: /usr/bin/systemctl enable sssd.service Executing: /usr/bin/systemctl stop sssd.service Executing: /usr/bin/systemctl start sssd.service Executing: /usr/bin/systemctl enable oddjobd.service Executing: /usr/bin/systemctl stop oddjobd.service Executing: /usr/bin/systemctl start oddjobd.service

[zeekus]

I was able to get this module to work with centos8.

The problem seems to be some Yaml files for Centos are missing.

create mode 100644 data/os/Centos/8.yaml

YAML file data/os/Centos/8.yaml

---
sssd::extra_packages:
  - 'authselect'
  - 'oddjob-mkhomedir'

sssd::manage_oddjobd: true

sssd::enable_mkhomedir_flags:
  - 'enablemkhomedir'

sssd::disable_mkhomedir_flags: []

[a-yip2]

Using the latest version mod 'sgnl05-sssd', '3.1.0' and still having the exact same issue.

I think the problem is a lapse of focus in following the logic - the module is still using authconfig as a wrapper in Centos 8, but the os file used the new syntax. The issue is caused by a mix of wrong syntax.

The 8.yaml file in /modules/sssd/data/os/RedHat

---

sssd::extra_packages:

• 'authselect'
• 'oddjob-mkhomedir'

sssd::manage_oddjobd: true

**sssd::enable_mkhomedir_flags:

• 'with-mkhomedir'**

sssd::disable_mkhomedir_flags: []

To fix the issue, I only have to change the enable_mkhomedir_flags to the correct one for authconfig:

---

sssd::extra_packages:

• 'authselect'
• 'oddjob-mkhomedir'

sssd::manage_oddjobd: true

**sssd::enable_mkhomedir_flags:

• '--enablemkhomedir'**

sssd::disable_mkhomedir_flags: []