Bug 1734302

Summary:	authselect cannot validate its own files
Product:	Red Hat Enterprise Linux 8	Reporter:	Pavel Březina <pbrezina>
Component:	authselect	Assignee:	Pavel Březina <pbrezina>
Status:	CLOSED ERRATA	QA Contact:	Steeve Goveas <sgoveas>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	8.0	CC:	aborah, dlavu, extras-qa, jhrozek, jss, pbrezina
Target Milestone:	rc	Keywords:	Reopened
Target Release:	8.0	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	authselect-1.1-1.el8	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:	1697267	Environment:
Last Closed:	2019-11-05 22:33:32 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1697267
Bug Blocks:

Description Pavel Březina 2019-07-30 08:14:00 UTC

+++ This bug was initially created as a clone of Bug #1697267 +++

Description of problem:
Sometimes I can see failures when enabling/disabling features.
Even though there were not any manual changes to files.

e.g.
sh$ authselect enable-feature with-mkhomedir'
[error] [/etc/authselect/postlogin] has unexpected content!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Unable to enable feature [17]: File exists

sh$ authselect enable-feature with-mkhomedir'
[error] [/etc/authselect/dconf-locks] has unexpected content!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Unable to enable feature [17]: File exists

Version-Release number of selected component (if applicable):
authselect-1.0.3-1.fc30.x86_64

How reproducible:
I do not have deterministic reproducer.
Just run tests many times.

Additional info:
sh-5.0# authselect check
[error] [/etc/authselect/postlogin] has unexpected content!
Current configuration is not valid. It was probably modified outside authselect.

sh-5.0# diff -i /etc/authselect/postlogin /var/lib/authselect/postlogin
1c1
< # Generated by authselect on Sat Apr  6 17:02:02 2019
---
> # Generated by authselect on Sat Apr  6 17:02:01 2019



sh-5.0# authselect check
[error] [/etc/authselect/postlogin] has unexpected content!
Current configuration is not valid. It was probably modified outside authselect.
sh-5.0# 
sh-5.0# diff /etc/authselect/postlogin /var/lib/authselect/postlogin
1c1
< # Generated by authselect on Sat Apr  6 17:02:02 2019
---
> # Generated by authselect on Sat Apr  6 17:02:01 2019

--- Additional comment from Pavel Březina on 2019-04-10 09:30:48 UTC ---

Thank you. I will try to reproduce it.

--- Additional comment from Pavel Březina on 2019-04-11 10:13:53 UTC ---

Upstream ticket:
https://github.com/pbrezina/authselect/issues/146

--- Additional comment from Pavel Březina on 2019-04-25 08:42:28 UTC ---

Steps to reproduce:

$ sudo gdb -quiet authselect -ex 'set breakpoint pending on' -ex 'b src/lib/files/system.c:428' -ex 'run select sssd --force' -ex 'shell sleep 1' -ex 'detach' -ex 'quit'
$ sudo authselect check
[error] [/dev/shm/authselect-install/etc/authselect/system-auth] has unexpected content!
Current configuration is not valid. It was probably modified outside authselect.

--- Additional comment from Ben Cotton on 2019-05-02 19:39:15 UTC ---

This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

--- Additional comment from Ben Cotton on 2019-05-28 23:57:06 UTC ---

Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

--- Additional comment from Fedora Update System on 2019-06-13 09:55:44 UTC ---

FEDORA-2019-84659dbcb4 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-84659dbcb4

--- Additional comment from Fedora Update System on 2019-06-14 02:12:31 UTC ---

authselect-1.0.4-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-84659dbcb4

--- Additional comment from John on 2019-07-24 06:26:12 UTC ---


YOU SEE WHAT HAPPENS WHEN YOU REFUSE TO FIX A PROBLEM PROPERLY IN FEDORA?

IT ENDS UP IN YOUR "Enterprise" OS, EL8:

    [error] [/etc/authselect/password-auth] has unexpected content!
    [error] Unexpected changes to the configuration were detected.
    [error] Refusing to activate profile unless those changes are removed or overwrite is requested.

I very much doubt /etc/authselect/password-auth has been modified by *ANYTHING* besides authselect, as it doesn't look like something systemd would bother with.

Just ridiculous.

authselect-1.0-13.el8

--- Additional comment from John on 2019-07-24 06:33:58 UTC ---


# cat /etc/authselect/password-auth
# Generated by authselect on Wed Jul 24 16:14:19 2019
...

And look at this:

#stat  /etc/authselect/password-auth
  File: /etc/authselect/password-auth
  Size: 2062            Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 6293724     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2019-07-24 16:16:04.383700066 +1000
Modify: 2019-07-24 16:14:19.001835541 +1000
Change: 2019-07-24 16:14:19.069836099 +1000

File has not been modified since authselect generated it.



authselect cannot validate its own files

FIX IT.

--- Additional comment from Fedora Update System on 2019-07-30 01:45:14 UTC ---

authselect-1.0.4-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 2 Dan Lavu 2019-09-04 12:11:33 UTC

Verified against sssd-2.2.0-16.el8.x86_64

[root@kvm-08-guest27 ~]# realm join sssdad2012r2.com
Password for Administrator: 

[root@kvm-08-guest27 ~]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service

[root@kvm-08-guest27 ~]# sudo gdb -quiet authselect -ex 'set breakpoint pending on' -ex 'b src/lib/files/system.c:428' -ex 'run select sssd --force' -ex 'shell sleep 1' -ex 'detach' -ex 'quit'
Reading symbols from authselect...Reading symbols from .gnu_debugdata for /usr/bin/authselect...(no debugging symbols found)...done.
(no debugging symbols found)...done.
No symbol table is loaded.  Use the "file" command.
Breakpoint 1 (src/lib/files/system.c:428) pending.
Starting program: /usr/bin/authselect select sssd --force
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
warning: Loadable section ".note.gnu.property" outside of ELF segments
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[Detaching after fork from child process 7748]
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

[Inferior 1 (process 7744) exited normally]
The program is not being run.

[root@kvm-08-guest27 ~]# authselect check
Current configuration is valid.

Comment 4 errata-xmlrpc 2019-11-05 22:33:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3647