Bug 1825829

Summary: ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
Product: Red Hat Enterprise Linux 7 Reporter: Mohammad Rizwan <myusuf>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.9CC: cheimes, ksiddiqu, pcech, rcritten, tscherf
Target Milestone: rcKeywords: TestCaseProvided, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.8-3.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:59:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1822123    
Attachments:
Description Flags
report.html none

Description Mohammad Rizwan 2020-04-20 10:51:11 UTC 
Description of problem:
ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3

As a result, if client machine does not have python3 installed, it gives error like:

/root/config-client-for-smart-card-auth.sh: line 90: python3: command not found

Version-Release number of selected component (if applicable):
ipa-server-4.6.8-2.el7.x86_64

How reproducible:
always.

Steps to Reproduce:
1. Install RHEL7.8 IPA server and configure to user smart card
2. Install RHEL8 client against RHEL7 server and configure to user smart card[1]
3. The bash script should run successfully on RHEL8 client 


[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/configuring-idm-for-smart-card-auth_configuring-and-managing-idm

Actual results:
/root/config-client-for-smart-card-auth.sh: line 90: python3: command not found

Expected results:
No error

Additional info:
https://github.com/freeipa/freeipa/blob/ipa-4-6/ipaserver/advise/plugins/smart_card_auth.py#L353
Comment 2 Mohammad Rizwan 2020-04-20 11:04:42 UTC 
Correction in step1.

1. Install RHEL7.9 IPA server and configure to user smart card
Comment 4 Florence Blanc-Renaud 2020-04-21 12:52:27 UTC 
The script should be able to run without issue on rhel7, rhel8, or any fedora version.
- on rhel7, there is no /usr/bin/authselect, meaning the line with python3 -c ... doesn't get called -> OK
- on fedora without authselect, the line doesn't get called -> OK
- on fedora28+ with authselect, ipa-4-7 is used and this version enforces python3 -> OK
- on rhel8, python3 should not be used and /usr/libexec/platform-python should be used instead
Comment 5 Florence Blanc-Renaud 2020-05-05 08:04:49 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/8311
Comment 6 Christian Heimes 2020-05-05 09:50:35 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/edcfba6010c0b6a81841ca6e1e478835ce76191b
Comment 7 Christian Heimes 2020-05-05 17:13:15 UTC 
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/787ce4555a203bd3f31c1f6cc577855f779fe6cf
ipa-4-6:
https://pagure.io/freeipa/c/3754f686d1ac609b98c35e8c2aa9f0450b08287e
Comment 10 Mohammad Rizwan 2020-05-18 12:43:01 UTC 
Created attachment 1689580 [details]
report.html
Comment 11 Mohammad Rizwan 2020-05-18 12:43:50 UTC 
Automation passed. Hence marking the bug as verified.
Comment 13 errata-xmlrpc 2020-09-29 19:59:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: ipa security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3936