Bug 1260875

Summary: Cannot log in as root after install of recent Fedora 23 images
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: anaconda
Assignee: David Shea <dshea>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: urgent
Version: 23
CC: anaconda-maint-list, awilliam, fedora, g.kaviyarasu, jonathan, kzak, lnie, mfabian, nicolas.mailhot, pbrobinson, pnemade, robatino, rshendershot, satellitgo, sgallagh, vanmeeuwen+fedora, vpodzime
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard: AcceptedBlocker
Fixed In Version: 23.19.4-1.fc23
Doc Type: Bug Fix
Last Closed: 2015-09-16 18:36:03 UTC
Type: Bug
Bug Blocks: 1170819    
Attachments (description, flags):
anaconda.log (flags: none)
program.log (flags: none)
journal.log (flags: none)
dnf.log (flags: none)
dnf.rpm.log (flags: none)

Description Adam Williamson 2015-09-08 06:43:46 UTC
In the 2015-09-07 nightly Fedora 23 images, and also 23 Beta TC4, after fresh install of the system you cannot log in as root. This is not an SELinux issue, at least not obviously: it still occurs if you boot with 'enforcing=0' or 'selinux=0'.

You can log in as a regular user created during install, but you cannot 'su' to root from that user account.

This is pretty mysterious for now, I'm going to look into it more tomorrow. Really not sure what's going wrong. There's no screamingly obvious smoking gun in the 2015-09-07 changes, but this definitely seems to have started breaking in the 2015-09-07 tests in openQA (2015-09-06 tests passed).

One thing I see is these messages in the logs after trying to su:

pam_unix(su:auth): authentication failure; logname=test uid=1000 euid=0 tty=tty1 ruser=test rhost= user=root
pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "root"

Component is kind of a guess for now.

Comment 1 Adam Williamson 2015-09-08 06:58:15 UTC
Proposing as a Beta blocker. Not being able to access root has an impact on various criteria, let's say "The default system init daemon (e.g. systemd) must be capable of starting, stopping, enabling and disabling correctly-defined services." - can't do that without root. https://fedoraproject.org/wiki/Fedora_23_Alpha_Release_Criteria#System_service_manipulation

Comment 2 Jens Lody 2015-09-08 08:45:01 UTC
I just tested it with the workstation live cd:
using the live medium works fine, but installing on hdd is broken as Adam has described.
I booted into the VM with the live cd and mounted the "real" hdd.
A look into /etc/shadow showed an asterisk ("*") instead of a password-hash for root.
I was able to set the passwd from commandline after chrooting into the installed system.
After a reboot login as root works as expected.

Comment 3 Jens Lody 2015-09-08 08:49:12 UTC
I don't know if this might be related or not: this was with a weak password where I have to click continue twice (in the installer).

Comment 4 Karel Zak 2015-09-08 10:48:25 UTC
It seems like some trivial anaconda/setup problem with /etc/shadow initialization.
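
The following check is an added example, not part of any comment in this report and not anaconda's own code. It classifies the password field of each /etc/shadow entry so that the state seen in Comment 2 (root holding "*" instead of a hash) can be detected after an install where a root password was set. The sample entries, the function names and the state labels are constructed for illustration.

```python
import re
import sys

# Constructed sample: root has "*" as in Comment 2; hashes are placeholders.
SAMPLE_SHADOW = """\
root:*:16686:0:99999:7:::
test:$6$CONSTRUCTEDSALT$constructedhashvalue:16686:0:99999:7:::
locked:!$6$CONSTRUCTEDSALT$constructedhashvalue:16686:0:99999:7:::
fresh:!!:16686:0:99999:7:::
open::16686:0:99999:7:::
"""

LEGACY_DES = re.compile(r"[./0-9A-Za-z]{13}")  # traditional 13-char crypt(3)

def classify_field(field):
    """Return the login state implied by one shadow password field."""
    if field == "":
        return "empty"  # shadow(5): no password set; applications may refuse
    if field.startswith("!"):
        # passwd -l / usermod -L put "!" in front of an existing hash
        rest = field.lstrip("!")
        return "locked-with-hash" if rest.startswith("$") else "locked"
    if field.startswith("$"):
        return "hashed"  # modular crypt format: $id$salt$hash
    if LEGACY_DES.fullmatch(field):
        return "hashed-legacy"
    return "no-valid-hash"  # "*", "x", ...: cannot match any password

def parse_shadow(text):
    """Map each login name to the state of its password field."""
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError("line %d is not a shadow entry" % number)
        entries[parts[0]] = classify_field(parts[1])
    return entries

def check_root(text):
    """Return (ok, state); ok is True only if root has a usable hash."""
    state = parse_shadow(text).get("root", "missing")
    return state in ("hashed", "hashed-legacy"), state

if __name__ == "__main__":
    # With a path argument, read that shadow file (for example the one
    # under a mounted install root); otherwise use the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    ok, state = check_root(data)
    print("root password field: %s" % state)
    sys.exit(0 if ok else 1)
```

A result of `no-valid-hash` or `locked` for root is only a fault when the installer was told to set a root password; on installs that lock root on purpose it is the expected state.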

Comment 5 Stephen Gallagher 2015-09-08 13:21:09 UTC
+1 beta blocker.

I reproduced this on the Server Beta TC4 media just now. I entered a complex password for root in Anaconda (so no double-click to continue).

My guess is that this is fallout from the password-policy changes, but I can't confirm that yet.

Comment 6 David Shea 2015-09-08 14:40:46 UTC
Logs, please

Comment 7 Adam Williamson 2015-09-08 16:09:59 UTC
Created attachment 1071402
anaconda.log

Comment 8 Adam Williamson 2015-09-08 16:10:16 UTC
Created attachment 1071403
program.log

Comment 9 Adam Williamson 2015-09-08 16:10:35 UTC
Created attachment 1071404
journal.log

Comment 10 Adam Williamson 2015-09-08 16:11:13 UTC
Created attachment 1071405
dnf.log

Comment 11 Adam Williamson 2015-09-08 16:11:33 UTC
Created attachment 1071406
dnf.rpm.log

Comment 12 David Shea 2015-09-08 16:55:02 UTC
*** Bug 1260415 has been marked as a duplicate of this bug. ***

Comment 13 Adam Williamson 2015-09-08 16:57:08 UTC
sgallagh and I think we have a diagnosis and a fix now, just testing it.

Comment 14 Adam Williamson 2015-09-08 17:05:12 UTC
https://github.com/rhinstaller/anaconda/pull/351

Comment 15 Adam Williamson 2015-09-08 17:07:12 UTC
https://www.happyassassin.net/updates/1260875.0.img is an updates.img with the proposed fix for this, if anyone else wants to test.

Comment 16 David Shea 2015-09-10 13:47:40 UTC
*** Bug 1261803 has been marked as a duplicate of this bug. ***

Comment 17 Adam Williamson 2015-09-10 19:16:38 UTC
Discussed at 2015-09-10 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2015-09-10/f23-blocker-review.2015-09-10-16.00.log.txt . Accepted as a beta per criterion "It must be possible to log in to the default Cockpit instance" (with a typical install, the only user who's allowed to login to cockpit is root, so we went with that criterion).

Comment 18 Fedora Update System 2015-09-10 20:27:57 UTC
python-blivet-1.12.3-1.fc23 anaconda-23.19.3-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15562

Comment 19 Fedora Update System 2015-09-11 03:49:19 UTC
anaconda-23.19.3-1.fc23, python-blivet-1.12.3-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update anaconda python-blivet'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15562

Comment 20 David Shea 2015-09-11 13:37:07 UTC
*** Bug 1262361 has been marked as a duplicate of this bug. ***

Comment 21 Fedora Update System 2015-09-14 17:22:10 UTC
python-blivet-1.12.4-1.fc23 anaconda-23.19.4-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15846

Comment 22 Fedora Update System 2015-09-15 16:50:56 UTC
anaconda-23.19.4-1.fc23, python-blivet-1.12.4-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update anaconda python-blivet'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15846

Comment 23 Adam Williamson 2015-09-16 01:51:07 UTC
Verified in openQA testing.

Comment 24 Fedora Update System 2015-09-16 18:35:47 UTC
anaconda-23.19.4-1.fc23, python-blivet-1.12.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.