From 9b4d68ca723f0e7a6cd91bf6c7f574c4d64acc4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?=
Date: Wed, 6 May 2026 17:14:08 +0200
Subject: [PATCH 1/4] kickstarter: Include ocular in packages
---
 ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg | 3 +--
 ks_base_profiles/fedora_44_kde_fullsetup.cfg | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg b/ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg
index ad99318..f1d53c8 100644
--- a/ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg
+++ b/ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg
@@ -30,14 +30,13 @@ timezone Europe/Berlin --utc
 @libreoffice
 @office
 @sound-and-video
+okular
 libva-utils
 libavcodec-freeworld
 mesa-va-drivers-freeworld
 ffmpeg
 @vlc
 python-vlc
-#@development-tools
-#@editors
 @firefox
 thunderbird
 openssh-server
diff --git a/ks_base_profiles/fedora_44_kde_fullsetup.cfg b/ks_base_profiles/fedora_44_kde_fullsetup.cfg
index 1afa0d7..9bf8fe0 100644
--- a/ks_base_profiles/fedora_44_kde_fullsetup.cfg
+++ b/ks_base_profiles/fedora_44_kde_fullsetup.cfg
@@ -30,6 +30,7 @@ mount -L OEMDRV /mnt/anaconda_pre
 @libreoffice
 @office
 @sound-and-video
+okular
 libva-utils
 libavcodec-freeworld
 mesa-va-drivers-freeworld
-- 
2.52.0
From 3906d19a4fed554cfe362d95851d5be253a26555 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?=
Date: Wed, 6 May 2026 17:38:37 +0200
Subject: [PATCH 2/4] kickstart: cinnamon - Okular is kde only, use evince on cinnamon
---
 ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg b/ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg
index f1d53c8..4d32d42 100644
--- a/ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg
+++ b/ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg
@@ -30,7 +30,9 @@ timezone Europe/Berlin --utc
 @libreoffice
 @office
 @sound-and-video
-okular
+#Okular is kde only, use evince on cinnamon
+#okular
+evince
 libva-utils
 libavcodec-freeworld
 mesa-va-drivers-freeworld
-- 
2.52.0
From f59ba70bb98766bb80f8166fe5e99a20f1c058a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?=
Date: Thu, 7 May 2026 09:49:51 +0200
Subject: [PATCH 3/4] sync_client_software: patch sssd.conf to add krb5_validate = False SSSD >= 2.10.1 no longer raises CAP_DAC_READ_SEARCH to effective in offline mode, so validate_tgt fails with EACCES reading /etc/krb5.keytab before the cached-credential fallback is reached. Adding krb5_validate = False disables the keytab validation step and restores reliable offline authentication for FreeIPA domain users.
Co-Authored-By: Claude Sonnet 4.6
---
 system_setup/sync_client_software.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/system_setup/sync_client_software.sh b/system_setup/sync_client_software.sh
index 7a44ed1..098c2df 100755
--- a/system_setup/sync_client_software.sh
+++ b/system_setup/sync_client_software.sh
@@ -10,6 +10,16 @@ if [ "$EUID" -ne 0 ]; then echo "Press any key to continue" && read -n 1 -s -r && exit 1 fi +# Ensure krb5_validate = False in sssd.conf to restore offline auth +# (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt +# fails with EACCES before the cached-credential fallback is reached) +_SSSD_CONF="/etc/sssd/sssd.conf" +if [ -f "${_SSSD_CONF}" ] && ! grep -q "^krb5_validate" "${_SSSD_CONF}"; then + echo "Patching sssd.conf: adding 'krb5_validate = False' to restore offline authentication" + sed -i "/^\[domain\/${DOMAIN}\]/a krb5_validate = False" "${_SSSD_CONF}" + systemctl restart sssd +fi + #Check Token if [ "${DAVTOKEN_USER}." == "." ]; then echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script."
-- 
2.52.0
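Review bot: `${DOMAIN}` is spliced unescaped into the sed program that rewrites /etc/sssd/sssd.conf as root, and the new block sits above the `#Check Token` guard, so it runs before the script has confirmed it was started with the environment handed over by the logon script. DOMAIN is not assigned in the visible lines; if it comes from that caller-supplied environment it should be validated first, e.g. `case "${DOMAIN}" in ''|*[!A-Za-z0-9.-]*) exit 1 ;; esac`, and an empty value currently makes the sed address match nothing while `systemctl restart sssd` still runs on every invocation. Separately, `krb5_validate = False` stops SSSD from verifying the TGT against the host keytab, which is its protection against a spoofed KDC, and the setting applies to online logins as well as offline ones; the comment should state that trade-off, e.g. `# NOTE: disables TGT verification against the host keytab (KDC spoofing protection)`. The DAVTOKEN_USER check at the end of the hunk continues outside it.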
From 253030228f7cb1b9b0f3ca4120bc01152678c499 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?=
Date: Thu, 7 May 2026 10:11:10 +0200
Subject: [PATCH 4/4] logon_script: check DNS resolution before proceeding If the IPA server FQDN cannot be resolved at startup (e.g. due to a DNSSEC outage or network not yet ready), the logon script would silently fail later. The new check prompts the user to retry, continue anyway, or quit, so the problem is immediately visible.
Co-Authored-By: Claude Sonnet 4.6
---
 system_setup/logon_script.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/system_setup/logon_script.sh b/system_setup/logon_script.sh
index 1e2a651..26697ad 100755
--- a/system_setup/logon_script.sh
+++ b/system_setup/logon_script.sh
@@ -17,6 +17,23 @@ if [ "$EUID" -eq 0 ]; then echo "Press any key to continue" && read -n 1 -s -r && exit 1 fi +# Check DNS resolution before proceeding - logon depends on IPA and Nextcloud being reachable +_dns_target="${SERVERFQDN_IPA}" +while ! getent hosts "${_dns_target}" >/dev/null 2>&1; do + elog_add "Warning: DNS resolution failed for ${_dns_target} - network or DNS not ready." + echo "" + echo "Warning: DNS resolution failed for ${_dns_target}." + echo "Please check your network connection and DNS settings before continuing." + echo "" + printf " [R]etry [C]ontinue anyway [Q]uit: " + read -r _dns_choice + case "${_dns_choice}" in + [Cc]) elog_add "Continuing despite DNS failure (user choice)."; break ;; + [Qq]) elog_add "Script aborted by user due to DNS failure."; exit 1 ;; + *) elog_add "Retrying DNS check for ${_dns_target}..." ;; + esac +done + #Check for needed python-modules #For WEBDAV python -c "import webdav3">/dev/null 2>&1
-- 
2.52.0
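Review bot: `read -r _dns_choice` has its exit status ignored, so when stdin is closed or not a terminal the choice stays empty, the `*)` arm logs a retry and the `while` loop spins without pause, calling elog_add on every pass. Treat end-of-input as quit, `read -r _dns_choice || { elog_add "No input available, aborting."; exit 1; }`, and put a short `sleep 2` in the retry arm. An empty `${SERVERFQDN_IPA}` also ends up in this loop and is reported as a DNS failure; a `[ -n "${_dns_target}" ]` test before the loop would keep the two cases apart. The python module check that closes the hunk continues outside it.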