Bug 1755535

Summary: ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
Product: Red Hat Enterprise Linux 7 Reporter: Sebastien Aime <saime>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.5CC: frenaud, myusuf, pasik, pcech, rcritten, ssidhaye, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.6.6-12.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:58:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1788833    

Description Sebastien Aime 2019-09-25 16:01:16 UTC 
In order to configure a RHEL8 IdM client for smartcard authentication, one has to run ipa-advise on the IdM server to generate a configuration script [1].

If the IdM server runs on RHEL7, then this script is not suitable to configure a RHEL8 IdM client.

--- references ---
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/configuring-idm-for-smart-card-auth_managing-hosts-cli#conf-idm-client-for-smart-card-auth_configuring-idm-for-smart-card-auth
Comment 2 Florence Blanc-Renaud 2019-09-26 13:31:37 UTC 
The differences between RHEL 7 and RHEL 8 clients are related to authconfig vs authselect (RHEL7 clients use authconfig while RHEL8 clients use authselect).
For instance on a RHEL 7 client the generated script runs the following command:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall

While on a RHEL8 client the generated script runs the following command:
authselect enable-feature with-smartcard
+ modifies /etc/sssd/sssd.conf to add "pam_cert_auth = True" in the [pam] section.

The generated script could be enhanced to detect whether authselect is available and call the right code.
Comment 3 Florence Blanc-Renaud 2019-11-05 15:57:58 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/8113
Comment 4 Florence Blanc-Renaud 2019-11-08 11:59:21 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/87c24ebd34d4524b73d878f1298232547cafc5ba
Comment 5 Florence Blanc-Renaud 2019-11-12 07:10:22 UTC 
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/d9d9abbab2388dba92ea07cad33b6cc59c3caa20

ipa-4-7:
https://pagure.io/freeipa/c/134c6bd1243329ec41f7a6648e78af57955bc6a6

ipa-4-6:
https://pagure.io/freeipa/c/7a19c0d730ae3d16a9763f4769a37bf19680622a
Comment 6 Florence Blanc-Renaud 2020-01-28 09:53:50 UTC 
RHEL-7.8 is already near the end of a Development Phase and development is being wrapped up. This bug is being moved to RHEL 7.9.
If you believe this particular bug should be reconsidered for 7.8, please let us know.
Comment 8 Florence Blanc-Renaud 2020-03-19 07:37:16 UTC 
Hi Rizwan,
yes, your steps from #c7 are correct. Without the fix, the bash script would exit on error with return code = 1 and print "Failed to configure Smart Card authentication in SSSD". With the fix the bash script exits with return code = 0 and does not print the error message.
Comment 9 Mohammad Rizwan 2020-03-19 10:01:09 UTC 
old version:
ipa-server-4.6.6-11.el7.x86_64 (rhel7.8)
ipa-client-4.8.4-6.module+el8.2.0+5774+71f22ff9.x86_64 (rhel8.2)

Steps:
1. Install rhel7.8 server and configure to use smartcard
2. Install rhel8.2 client against rhel7.8 server and configure to use smartcard
3. Run the client script generated at server on client.

Actual result:
~~~~~~~
Server:
~~~~~~~
[root@master ~]# ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
[root@master ~]# scp config-server-for-smart-card-auth.sh root.test:/root/

[root@master ~]# ipa-advise config-client-for-smart-card-auth > config-client-for-smart-card-auth.sh
[root@master ~]# scp config-client-for-smart-card-auth.sh root.test:/root/

[root@master ~]# scp /etc/ipa/ca.crt root.test:/root/


~~~~~~~
Client:
~~~~~~~

[root@client ~]# chmod +x  config-client-for-smart-card-auth.sh 
[root@client ~]# ./config-client-for-smart-card-auth.sh ca.crt
[...]
Traceback (most recent call last):
  File "/usr/sbin/authconfig", line 656, in <module>
    main()
  File "/usr/sbin/authconfig", line 645, in main
    authcompat.runAuthselect()
  File "/usr/sbin/authconfig", line 562, in runAuthselect
    features.remove("with-smartcard-lock-on-removal")
ValueError: list.remove(x): x not in list
Failed to configure Smart Card authentication in SSSD
Comment 13 Mohammad Rizwan 2020-04-06 10:56:28 UTC 
Automation passed. Logs are attached.
Comment 15 errata-xmlrpc 2020-09-29 19:58:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: ipa security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3936