GoogleCloudPlatform / guest-agent

oslogin /etc/nsswitch.conf changes conflict with RHEL 8 authselect.

natedogith1 opened this issue

Adding cache_oslogin and oslogin to /etc/nsswitch.conf causes issues with authselect on RHEL 8. authselect gives this message when attempting to apply changes:

$ sudo authselect apply-changes
[error] [/etc/authselect/nsswitch.conf] has unexpected content!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Some unexpected changes to the configuration were detected. Use 'select' command instead.

This can be worked around by creating a custom authselect profile and configuring its nsswitch to already have " cache_oslogin oslogin" on the passwd and group lines.
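The workaround described above, sketched as an added example that is not part of the original issue or of the guest-agent project. The profile name `oslogin` and the `sssd` base profile are assumptions, and the sample file contents are constructed.

```shell
#!/bin/sh
# Append the OS Login NSS modules to the passwd and group lines of an
# nsswitch.conf file, such as the template of a custom authselect profile.
# Idempotent: a module already listed on a line is not added a second time.

add_oslogin_modules() {
    # $1 = path of the nsswitch.conf to edit in place
    file=$1
    tmp=$(mktemp) || return 1
    awk '
        /^(passwd|group):/ {
            n = split("cache_oslogin oslogin", mods, " ")
            for (i = 1; i <= n; i++) {
                found = 0
                # exact field match, so "cache_oslogin" never counts as "oslogin"
                for (f = 2; f <= NF; f++) if ($f == mods[i]) found = 1
                if (!found) $0 = $0 " " mods[i]
            }
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner, mode and SELinux label
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Intended use on a RHEL 8 host, as root (profile name and base are assumptions):
#   authselect create-profile oslogin -b sssd
#   add_oslogin_modules /etc/authselect/custom/oslogin/nsswitch.conf
#   authselect select custom/oslogin with-faillock

# Constructed sample, so the function can be tried without touching /etc:
demo=$(mktemp)
printf 'passwd: sss files systemd\ngroup: sss files\nshadow: files sss\n' > "$demo"
add_oslogin_modules "$demo" && cat "$demo"
rm -f "$demo"
```

Because the modules are then part of the profile template, the nsswitch.conf that authselect generates already contains them.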

Thanks for your report. The OS Login configuration generated by the guest agent is intended to be used on Google public images, and OS Login is not supported in any configuration other than the one we provide. So the behavior you're reporting is working as intended - we neither support nor recommend making any changes to your auth or resolution configuration when using OS Login, as we only test it as shipped.

authselect is pre-installed on the RHEL 8 public image, so I would expect it to be supported. This is preventing security features from being enabled like authselect enable-feature with-faillock.

Although authselect is installed, we do not support OS Login with any configuration other than what we have shipped. This applies equally to editing configuration files directly or using a tool.