logon_script: check DNS resolution before proceeding

If the IPA server FQDN cannot be resolved at startup (e.g. due to a
DNSSEC outage or network not yet ready), the logon script would silently
fail later. The new check prompts the user to retry, continue anyway, or
quit, so the problem is immediately visible.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ks_base_profiles/fedora_44_cinnamon_fullsetup.cfg

@@ -30,14 +30,15 @@ timezone Europe/Berlin --utc
 @libreoffice
 @office
 @sound-and-video
+#Okular is kde only, use evince on cinnamon
+#okular
+evince
 libva-utils
 libavcodec-freeworld
 mesa-va-drivers-freeworld
 ffmpeg
 @vlc
 python-vlc
-#@development-tools
-#@editors
 @firefox
 thunderbird
 openssh-server

ks_base_profiles/fedora_44_kde_fullsetup.cfg

@@ -30,6 +30,7 @@ mount -L OEMDRV /mnt/anaconda_pre
 @libreoffice
 @office
 @sound-and-video
+okular
 libva-utils
 libavcodec-freeworld
 mesa-va-drivers-freeworld

system_setup/logon_script.sh

@@ -17,6 +17,23 @@ if [ "$EUID" -eq 0 ]; then
     echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 
+# Check DNS resolution before proceeding - logon depends on IPA and Nextcloud being reachable
+_dns_target="${SERVERFQDN_IPA}"
+while ! getent hosts "${_dns_target}" >/dev/null 2>&1; do
+    elog_add "Warning: DNS resolution failed for ${_dns_target} - network or DNS not ready."
+    echo ""
+    echo "Warning: DNS resolution failed for ${_dns_target}."
+    echo "Please check your network connection and DNS settings before continuing."
+    echo ""
+    printf "  [R]etry  [C]ontinue anyway  [Q]uit: "
+    read -r _dns_choice
+    case "${_dns_choice}" in
+        [Cc]) elog_add "Continuing despite DNS failure (user choice)."; break ;;
+        [Qq]) elog_add "Script aborted by user due to DNS failure."; exit 1 ;;
+        *) elog_add "Retrying DNS check for ${_dns_target}..." ;;
+    esac
+done
+
 #Check for needed python-modules
 #For WEBDAV
 python -c "import webdav3">/dev/null 2>&1

system_setup/sync_client_software.sh

@@ -10,6 +10,16 @@ if [ "$EUID" -ne 0 ]; then
     echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
 
+# Ensure krb5_validate = False in sssd.conf to restore offline auth
+# (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt
+#  fails with EACCES before the cached-credential fallback is reached)
+_SSSD_CONF="/etc/sssd/sssd.conf"
+if [ -f "${_SSSD_CONF}" ] && ! grep -q "^krb5_validate" "${_SSSD_CONF}"; then
+    echo "Patching sssd.conf: adding 'krb5_validate = False' to restore offline authentication"
+    sed -i "/^\[domain\/${DOMAIN}\]/a krb5_validate = False" "${_SSSD_CONF}"
+    systemctl restart sssd
+fi
+
 #Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
     echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script."