Merge pull request 'Fix offline auth and DNS failure handling' (#28 ) from unbrot/fedora-OEMDRV:main into main

Reviewed-on: #28
logon_script: check DNS resolution before proceeding
2026-05-07 12:46:16 +02:00 · 2026-05-07 12:26:07 +02:00 · 2026-05-07 12:26:07 +02:00 · 2026-05-07 12:26:07 +02:00 · 2026-05-07 12:26:07 +02:00
4 changed files with 31 additions and 2 deletions
@@ -30,14 +30,15 @@ timezone Europe/Berlin --utc
@libreoffice
@office
@sound-and-video
+#Okular is kde only, use evince on cinnamon
+#okular
+evince
 libva-utils
 libavcodec-freeworld
 mesa-va-drivers-freeworld
 ffmpeg
@vlc
 python-vlc
-#@development-tools
-#@editors
@firefox
 thunderbird
 openssh-server
@@ -30,6 +30,7 @@ mount -L OEMDRV /mnt/anaconda_pre
@libreoffice
@office
@sound-and-video
+okular
 libva-utils
 libavcodec-freeworld
 mesa-va-drivers-freeworld
@@ -17,6 +17,23 @@ if [ "$EUID" -eq 0 ]; then
    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi

+# Check DNS resolution before proceeding - logon depends on IPA and Nextcloud being reachable
+_dns_target="${SERVERFQDN_IPA}"
+while ! getent hosts "${_dns_target}" >/dev/null 2>&1; do
+    elog_add "Warning: DNS resolution failed for ${_dns_target} - network or DNS not ready."
+    echo ""
+    echo "Warning: DNS resolution failed for ${_dns_target}."
+    echo "Please check your network connection and DNS settings before continuing."
+    echo ""
+    printf "  [R]etry  [C]ontinue anyway  [Q]uit: "
+    read -r _dns_choice
+    case "${_dns_choice}" in
+        [Cc]) elog_add "Continuing despite DNS failure (user choice)."; break ;;
+        [Qq]) elog_add "Script aborted by user due to DNS failure."; exit 1 ;;
+        *) elog_add "Retrying DNS check for ${_dns_target}..." ;;
+    esac
+done
+
 #Check for needed python-modules
 #For WEBDAV
 python -c "import webdav3">/dev/null 2>&1
@@ -10,6 +10,16 @@ if [ "$EUID" -ne 0 ]; then
    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi

+# Ensure krb5_validate = False in sssd.conf to restore offline auth
+# (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt
+#  fails with EACCES before the cached-credential fallback is reached)
+_SSSD_CONF="/etc/sssd/sssd.conf"
+if [ -f "${_SSSD_CONF}" ] && ! grep -q "^krb5_validate" "${_SSSD_CONF}"; then
+    echo "Patching sssd.conf: adding 'krb5_validate = False' to restore offline authentication"
+    sed -i "/^\[domain\/${DOMAIN}\]/a krb5_validate = False" "${_SSSD_CONF}"
+    systemctl restart sssd
+fi
+
 #Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
    echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script."
Author	SHA1	Message	Date
obel1x	113bcc9a5d	Merge pull request 'Fix offline auth and DNS failure handling' (#28 ) from unbrot/fedora-OEMDRV:main into main Reviewed-on: #28	2026-05-07 12:46:16 +02:00
Daniel unbrot Pätzold	253030228f	logon_script: check DNS resolution before proceeding If the IPA server FQDN cannot be resolved at startup (e.g. due to a DNSSEC outage or network not yet ready), the logon script would silently fail later. The new check prompts the user to retry, continue anyway, or quit, so the problem is immediately visible. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-07 12:26:07 +02:00
Daniel unbrot Pätzold	f59ba70bb9	sync_client_software: patch sssd.conf to add krb5_validate = False SSSD >= 2.10.1 no longer raises CAP_DAC_READ_SEARCH to effective in offline mode, so validate_tgt fails with EACCES reading /etc/krb5.keytab before the cached-credential fallback is reached. Adding krb5_validate = False disables the keytab validation step and restores reliable offline authentication for FreeIPA domain users. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-07 12:26:07 +02:00
Daniel unbrot Pätzold	3906d19a4f	kickstart: cinnamon - Okular is kde only, use evince on cinnamon	2026-05-07 12:26:07 +02:00
Daniel unbrot Pätzold	9b4d68ca72	kickstarter: Include ocular in packages	2026-05-07 12:26:07 +02:00