Fix offline auth and DNS failure handling #28

Merged
obel1x merged 4 commits from unbrot/fedora-OEMDRV:main into main 2026-05-07 12:46:16 +02:00
Contributor

Summary

  • sync_client_software: patch sssd.conf to add krb5_validate = False — SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, causing validate_tgt to fail with EACCES before cached credentials are tried, resulting in a ~2 minute login delay when DNS is unavailable at boot
  • logon_script: check DNS resolution of the IPA server at startup; if it fails, prompt the user to retry, continue anyway, or quit — makes network/DNS problems immediately visible instead of failing silently later

Test plan

  • Boot with network available — DNS check passes silently, no change in behaviour
  • Boot with DNS failing — login prompt shows warning with retry/continue/quit options
  • Boot with network slow/DNS temporarily unavailable — SSSD falls back to cached credentials immediately instead of blocking for ~2 minutes
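The two changes the summary describes, written out as an added shell example. This is not the PR's own code and not the project's `sync_client_software` or `logon_script`; it assumes (not from the page) that `sssd.conf` lives at `/etc/sssd/sssd.conf`, that the IPA domain is the first `[domain/...]` section in it, that `getent` is available for name resolution, and it uses `ipa.example.test` as a placeholder server name. The config patch rewrites the file in place rather than replacing it so that the `0600` mode SSSD requires on `sssd.conf` is preserved.

```shell
#!/bin/sh
# Added example (not the project's code): idempotently set krb5_validate = False
# in sssd.conf and gate the logon on DNS resolution of the IPA server.
# Assumed paths and names; override via the environment.
set -u
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
IPA_SERVER="${IPA_SERVER:-ipa.example.test}"   # placeholder, not a real host

# Add "krb5_validate = False" to the first [domain/...] section of an sssd.conf.
# Any existing krb5_validate line (e.g. "= True") is replaced. Assumes a single
# domain section. Returns 0 if the file was changed, 1 if the setting was
# already present, 2 if the file has no [domain/...] section.
set_krb5_validate_false() {
    conf="$1"
    if grep -Eq '^[[:space:]]*krb5_validate[[:space:]]*=[[:space:]]*[Ff]alse' "$conf"; then
        return 1
    fi
    if ! grep -Eq '^\[domain/' "$conf"; then
        return 2
    fi
    tmp="$conf.tmp.$$"
    awk '
        /^[[:space:]]*krb5_validate[[:space:]]*=/ { next }
        /^\[domain\// && !done { print; print "krb5_validate = False"; done = 1; next }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 3; }
    # Copy the content back instead of mv so owner and 0600 mode survive.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Resolve the IPA server FQDN. Returns 0 when at least one address comes back.
ipa_dns_ok() {
    getent hosts "$1" >/dev/null 2>&1
}

# Interactive retry / continue / quit gate around the DNS check.
# Returns 0 to proceed with the logon, 1 if the user chose to quit.
dns_gate() {
    server="$1"
    while ! ipa_dns_ok "$server"; do
        printf 'WARNING: cannot resolve IPA server %s. [r]etry, [c]ontinue, [q]uit? ' "$server"
        read -r answer || answer=q        # EOF on stdin counts as quit
        case "$answer" in
            r|R) continue ;;
            c|C) return 0 ;;
            q|Q) return 1 ;;
            *)   echo "please answer r, c or q" ;;
        esac
    done
    return 0
}

main() {
    dns_gate "$IPA_SERVER" || exit 1
    set_krb5_validate_false "$SSSD_CONF"
    case $? in
        0) echo "patched $SSSD_CONF" ;;
        1) echo "krb5_validate = False already set in $SSSD_CONF" ;;
        *) echo "could not patch $SSSD_CONF" >&2; exit 1 ;;
    esac
}

# Only run the interactive part when explicitly requested, so the functions can
# be sourced or tested on their own.
[ "${RUN_EXAMPLE:-0}" = 1 ] && main
```

Run it as `RUN_EXAMPLE=1 IPA_SERVER=ipa.example.test sh ./example.sh` (as root, since it writes `sssd.conf`); SSSD has to be restarted afterwards for the new setting to take effect.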
unbrot added 4 commits 2026-05-07 12:26:17 +02:00
SSSD >= 2.10.1 no longer raises CAP_DAC_READ_SEARCH to effective in
offline mode, so validate_tgt fails with EACCES reading /etc/krb5.keytab
before the cached-credential fallback is reached. Adding krb5_validate =
False disables the keytab validation step and restores reliable offline
authentication for FreeIPA domain users.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

If the IPA server FQDN cannot be resolved at startup (e.g. due to a
DNSSEC outage or network not yet ready), the logon script would silently
fail later. The new check prompts the user to retry, continue anyway, or
quit, so the problem is immediately visible.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
obel1x merged commit 113bcc9a5d into main 2026-05-07 12:46:16 +02:00
Reference: obel1x/fedora-OEMDRV#28