Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Package Request: multiple - packages required for AD integration #550

Open
karypid opened this issue Apr 11, 2024 · 10 comments
Open

New Package Request: multiple - packages required for AD integration #550

karypid opened this issue Apr 11, 2024 · 10 comments
Labels
enhancement New feature or request kinoite Also affect Fedora Kinoite

Comments

@karypid
Copy link

karypid commented Apr 11, 2024

Please try to answer the following questions about the package you are requesting:

  1. Is the package installed by default in Fedora Workstation? YES

  2. What, if any, are the additional dependencies on the package?

Checking out tree c3de5ab... done
Enabled rpm-md repositories: fedora-cisco-openh264 updates-testing updates fedora copr:copr.fedorainfracloud.org:phracek:PyCharm rpmfusion-nonfree-nvidia-driver rpmfusion-nonfree-steam google-chrome updates-archive
Importing rpm-md... done
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2023-12-11T14:43:50Z solvables: 4
rpm-md repo 'updates-testing' (cached); generated: 2024-04-11T00:50:51Z solvables: 14029
rpm-md repo 'updates' (cached); generated: 2024-02-13T17:21:08Z solvables: 0
rpm-md repo 'fedora' (cached); generated: 2024-04-10T08:40:17Z solvables: 74881
rpm-md repo 'copr:copr.fedorainfracloud.org:phracek:PyCharm' (cached); generated: 2024-03-18T11:54:41Z solvables: 14
rpm-md repo 'rpmfusion-nonfree-nvidia-driver' (cached); generated: 2024-03-24T11:36:11Z solvables: 16
rpm-md repo 'rpmfusion-nonfree-steam' (cached); generated: 2024-03-24T13:27:05Z solvables: 2
rpm-md repo 'google-chrome' (cached); generated: 2024-04-10T17:57:17Z solvables: 3
rpm-md repo 'updates-archive' (cached); generated: 2023-10-06T17:04:49Z solvables: 0
Resolving dependencies... done
Installing 11 packages:
  adcli-0.9.2-6.fc40.x86_64 (fedora)
  cyrus-sasl-gssapi-2.1.28-19.fc40.x86_64 (fedora)
  libnetapi-2:4.20.0-0.5.rc4.fc40.x86_64 (fedora)
  oddjob-0.34.7-12.fc40.x86_64 (fedora)
  oddjob-mkhomedir-0.34.7-12.fc40.x86_64 (fedora)
  samba-common-tools-2:4.20.0-0.5.rc4.fc40.x86_64 (fedora)
  samba-ldb-ldap-modules-2:4.20.0-0.5.rc4.fc40.x86_64 (fedora)
  samba-libs-2:4.20.0-0.5.rc4.fc40.x86_64 (fedora)
  sssd-ad-2.9.4-4.fc40.x86_64 (fedora)
  sssd-common-pac-2.9.4-4.fc40.x86_64 (fedora)
  sssd-krb5-common-2.9.4-4.fc40.x86_64 (fedora)
Exiting because of '--dry-run' option

  1. What is the size of the package and its dependencies?
rpm -qi adcli-0.9.2-6.fc40.x86_64 cyrus-sasl-gssapi-2.1.28-19.fc40.x86_64 libnetapi-2:4.20.0-0.5.rc4.fc40.x86_64 oddjob-0.34.7-12.fc40.x86_64 oddjob-mkhomedir-0.34.7-12.fc40.x86_64 samba-common-tools-2:4.20.0-0.5.rc4.fc40.x86_64 samba-ldb-ldap-modules-2:4.20.0-0.5.rc4.fc40.x86_64 samba-libs-2:4.20.0-0.5.rc4.fc40.x86_64 sssd-ad-2.9.4-4.fc40.x86_64 sssd-common-pac-2.9.4-4.fc40.x86_64 sssd-krb5-common-2.9.4-4.fc40.x86_64 | grep -E "Name|Size"

Name        : adcli
Size        : 347104
Name        : cyrus-sasl-gssapi
Size        : 45304
Name        : libnetapi
Size        : 494930
Name        : oddjob
Size        : 142513
Name        : oddjob-mkhomedir
Size        : 53830
Name        : samba-common-tools
Size        : 1359806
Name        : samba-ldb-ldap-modules
Size        : 34446
Name        : samba-libs
Size        : 367542
Name        : sssd-ad
Size        : 439390
Name        : sssd-common-pac
Size        : 234424
Name        : sssd-krb5-common
Size        : 216137
  1. What problem are you trying to solve with this package? Or what functionality does the package provide?

In order to join an active directory domain and perform "Enterprise Login", Fedora needs these packages. In Fedora Workstation they are present and you can do this without issue. In Silverblue the GUI hangs with no error, and the system log shows that the reason it's not working is these missing packages.

Bug: #320
Discussions thread: https://discussion.fedoraproject.org/t/bug-in-f40-packages-missing-for-ad-integration/112410/3

  1. Can the software provided by the package be run from a container? Explain why or why not.

I am not sure.

  1. Can the tool(s) provided by the package be helpful in debugging container runtime issues?

No (n/a)

  1. Can the tool(s) provided by the package be helpful in debugging networking issues?

Yes, provided you are investigating AD networking problems. The samba-common-tools package has the "net" command which has useful utilities for domain operations. Same for adcli which allows you to check users, computer accounts, etc.

  1. Is it possible to layer the package locally via rpm-ostree install <package>? Explain why or why not.

Yes, this is what I do in order to get things to work. I am able to join the domain and login using AD accounts.

My 5 cents is that Silverblue should pick a consistent option, that is either:

  1. Include these to be in-sync with Fedora workstation
  2. Modify the GNOME settings panel for Users to include auto-installing "on the fly" if the user chooses to join a domain. This way they are not
  3. At least show a proper message if the user tries to add an Enterprise Login account, explaining that the packages are missing and the user must install them manually.
@karypid karypid added the enhancement New feature or request label Apr 11, 2024
@karypid karypid changed the title New Package Request: <package name> New Package Request: multiple - packages required for AD integration Apr 11, 2024
@travier travier added rawhide f40 Related to Fedora 40 f41 Related to Fedora 41 labels Apr 12, 2024
@travier
Copy link
Member

travier commented Apr 12, 2024

Thanks a lot for doing this. I'll look at why those packages are not included in Silverblue even though they are in Workstation. I think we should just add them if it's the case.

@travier
Copy link
Member

travier commented Apr 12, 2024

The sum of all the sizes mentioned above is 3735426 so about 3MB which is negligible for Silverblue so definitely voting in favor of inclusion.

@travier
Copy link
Member

travier commented Apr 12, 2024

From the comps groups:

  <group>
    <id>domain-client</id>
    <_name>Domain Membership</_name>
    <_description>Support for joining a FreeIPA or Active Directory Domain</_description>
    <default>false</default>
    <packagelist>
      <packagereq type="mandatory">adcli</packagereq>
      <packagereq type="mandatory">freeipa-client</packagereq>
      <packagereq type="mandatory">oddjob-mkhomedir</packagereq>
      <packagereq type="mandatory">samba-common-tools</packagereq>
      <packagereq type="mandatory">samba-winbind</packagereq>
      <packagereq type="mandatory">sssd-ad</packagereq>
      <packagereq type="mandatory">sssd-ipa</packagereq>
      <packagereq type="default">libsss_autofs</packagereq>
      <packagereq type="default">libsss_sudo</packagereq>
      <packagereq type="default">sssd-nfs-idmap</packagereq>
    </packagelist>
  </group>

I'm tempted to add all of those.

@travier
Copy link
Member

travier commented Apr 12, 2024

  <environment>
    <id>workstation-product-environment</id>
    <!-- Translators: Don't translate this product name -->
    <_name>Fedora Workstation</_name>
    <_description>Fedora Workstation is a user friendly desktop system for laptops and PCs.</_description>
    <display_order>2</display_order>
    <!-- Keep this list in sync with the list in fedora-workstation-common.ks. -->
    <grouplist>
      <groupid>container-management</groupid>
      <groupid>core</groupid>
      <groupid>desktop-accessibility</groupid>
      <groupid>firefox</groupid>
      <groupid>fonts</groupid>
      <groupid>gnome-desktop</groupid>
      <groupid>guest-desktop-agents</groupid>
      <groupid>hardware-support</groupid>
      <groupid>libreoffice</groupid>
      <groupid>multimedia</groupid>
      <groupid>networkmanager-submodules</groupid>
      <groupid>printing</groupid>
      <groupid>workstation-product</groupid>
    </grouplist>
    <optionlist>
      <groupid>arm-tools</groupid>
      <groupid>domain-client</groupid>
      <groupid default="true">base-x</groupid>
    </optionlist>
  </environment>

It's in the optionlist here. Not sure what this means.

From https://fedoraproject.org/wiki/How_to_use_and_edit_comps.xml_for_package_groups:

All optional groups (defined by the group keyword) for that environment (listed in the environment's optionlist) are shown at the top of the right-hand pane.

@travier
Copy link
Member

travier commented Apr 12, 2024

@travier
Copy link
Member

travier commented Apr 12, 2024

Precision: I did a fresh install of Fedora Workstation 40 and it's not installed by default.

@AdamWill
Copy link

AdamWill commented Apr 12, 2024

On Workstation and other non-atomic installs, if you try to enrol into a realm via realmd - e.g. via the button on gnome-initial-setup for this, or using cockpit, or running realm join at a console - realmd will automatically install the appropriate client packages (it doesn't install this package group, it has its own list of appropriate packages for different types of realm on different distros, and uses packagekit directly to install whatever it decides is appropriate. which I hate because it isn't logged anywhere, but that's by the by!)

@karypid
Copy link
Author

karypid commented Apr 13, 2024

Apologies, I simply assumed that Workstation just had the required packages pre-installed.

This is an interesting situation, I wonder how an "atomic" distro should handle this...

Should I close this bug then? Let the discussion resume in #320

@AdamWill
Copy link

no, no, I think it's fairly reasonable for Silverblue to just bake the packages in since they can't be installed on-demand, as the PR does. at least for now, until maybe the OCI stuff is further along and we can say it's totally normal to layer the additional packages in, or something.

@travier
Copy link
Member

travier commented Apr 15, 2024

That's the direction I'm leaning as well (including until we move to OCI images).

@travier travier added kinoite Also affect Fedora Kinoite and removed rawhide f40 Related to Fedora 40 f41 Related to Fedora 41 labels Apr 29, 2024
castrojo added a commit to ublue-os/bluefin that referenced this issue Sep 14, 2024
We were missing a bunch of packages for this: fedora-silverblue/issue-tracker#550

Gives us feature parity with Workstation. When we switch to bootc we should just pull in `domain-client` instead.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request kinoite Also affect Fedora Kinoite
Projects
None yet
Development

No branches or pull requests

3 participants