Bug 2066535

Summary:	Error restoring authselect backup
Product:	Red Hat Enterprise Linux 8	Reporter:	Sunny Wu <suwu>
Component:	authselect	Assignee:	Pavel Březina <pbrezina>
Status:	CLOSED ERRATA	QA Contact:	Dan Lavu <dlavu>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	8.5	CC:	dlavu, lmiksik, pbrezina, pmcdaid, sgadekar
Target Milestone:	rc	Keywords:	Triaged
Target Release:	---
Hardware:	All
OS:	All
Whiteboard:
Fixed In Version:	authselect-1.2.5-1.el8	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	2070541 (view as bug list)		Environment:
Last Closed:	2022-11-08 10:51:16 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	2070541

Description Sunny Wu 2022-03-22 02:06:52 UTC

Description of problem:
Error after restoring authselect backup.

Steps to Reproduce:

0. Status check
# authselect check
Current configuration is valid.

# authselect current
Profile ID: sssd
Enabled features: None

1. Backup original policy
# authselect apply-changes -b --backup=sssd.original
Backup stored at /var/lib/authselect/backups/sssd.original
Changes were successfully applied.

2. Create new policy: my-sssd 
# authselect create-profile my-sssd -b sssd
New profile was created at /etc/authselect/custom/my-sssd

3. Select new policy
# authselect select custom/my-sssd
Profile "custom/my-sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

4. Add feature: with-mkhomedir
# authselect enable-feature with-mkhomedir
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
 
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service

5. Apply changes:
# authselect apply-changes
Changes were successfully applied.

6. Verify that changes are good:
# authselect check
Current configuration is valid.

# authselect current
Profile ID: custom/my-sssd
Enabled features:
- with-mkhomedir

7. Now list backups:
# authselect backup-list
sssd.original (created at Mon 21 Mar 2022 21:48:42 EDT)

8. Restore the backup: sssd.original
# authselect backup-restore sssd.original

9. Apply changes:  - This is where the ERROR occurs:
# authselect apply-changes
[error] [/etc/authselect/system-auth] has unexpected content!
[error] [/etc/authselect/password-auth] has unexpected content!
[error] [/etc/authselect/fingerprint-auth] has unexpected content!
[error] [/etc/authselect/smartcard-auth] has unexpected content!
[error] [/etc/authselect/postlogin] has unexpected content!
[error] [/etc/authselect/nsswitch.conf] has unexpected content!
[error] [/etc/authselect/dconf-db] has unexpected content!
[error] [/etc/authselect/dconf-locks] has unexpected content!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Some unexpected changes to the configuration were detected. Use 'select' command instead.

9. Run authselect check --trace
# authselect check --trace
[info] Looking up profile [sssd]
[info] Profile [sssd] is a default profile
[info] Profile [sssd] found at [/usr/share/authselect/default/sssd]
[info] Reading file [/usr/share/authselect/default/sssd/README]
[info] Reading file [/usr/share/authselect/default/sssd/REQUIREMENTS]
[info] Reading file [/usr/share/authselect/default/sssd/system-auth]
[info] Reading file [/usr/share/authselect/default/sssd/password-auth]
[info] Reading file [/usr/share/authselect/default/sssd/smartcard-auth]
[info] Reading file [/usr/share/authselect/default/sssd/fingerprint-auth]
[info] Reading file [/usr/share/authselect/default/sssd/postlogin]
[info] Reading file [/usr/share/authselect/default/sssd/nsswitch.conf]
[info] Reading file [/usr/share/authselect/default/sssd/dconf-db]
[info] Reading file [/usr/share/authselect/default/sssd/dconf-locks]
[info] Validating file [/etc/authselect/system-auth]
[info] Comparing content against [/var/lib/authselect/system-auth]
[error] [/etc/authselect/system-auth] has unexpected content!
[info] Validating file [/etc/authselect/password-auth]
[info] Comparing content against [/var/lib/authselect/password-auth]
[error] [/etc/authselect/password-auth] has unexpected content!
[info] Validating file [/etc/authselect/fingerprint-auth]
[info] Comparing content against [/var/lib/authselect/fingerprint-auth]
[error] [/etc/authselect/fingerprint-auth] has unexpected content!
[info] Validating file [/etc/authselect/smartcard-auth]
[info] Comparing content against [/var/lib/authselect/smartcard-auth]
[error] [/etc/authselect/smartcard-auth] has unexpected content!
[info] Validating file [/etc/authselect/postlogin]
[info] Comparing content against [/var/lib/authselect/postlogin]
[error] [/etc/authselect/postlogin] has unexpected content!
[info] Validating file [/etc/authselect/nsswitch.conf]
[info] Comparing content against [/var/lib/authselect/nsswitch.conf]
[error] [/etc/authselect/nsswitch.conf] has unexpected content!
[info] Validating file [/etc/authselect/dconf-db]
[info] Comparing content against [/var/lib/authselect/dconf-db]
[error] [/etc/authselect/dconf-db] has unexpected content!
[info] Validating file [/etc/authselect/dconf-locks]
[info] Comparing content against [/var/lib/authselect/dconf-locks]
[error] [/etc/authselect/dconf-locks] has unexpected content!
[info] Validating link [/etc/pam.d/system-auth]
[info] Validating link [/etc/pam.d/password-auth]
[info] Validating link [/etc/pam.d/fingerprint-auth]
[info] Validating link [/etc/pam.d/smartcard-auth]
[info] Validating link [/etc/pam.d/postlogin]
[info] Validating link [/etc/nsswitch.conf]
[info] Validating link [/etc/dconf/db/distro.d/20-authselect]
[info] Validating link [/etc/dconf/db/distro.d/locks/20-authselect]
Current configuration is not valid. It was probably modified outside authselect.

---

No file has been modified manually.

Version-Release number of selected component (if applicable):

# rpm -qa | grep authselect
authselect-1.2.2-3.el8.x86_64
authselect-compat-1.2.2-3.el8.x86_64
authselect-libs-1.2.2-3.el8.x86_64

How reproducible:
Always


Actual results:
Error returned after restoring authselect backup


Expected results:
authselect should not return any error after restoring backup

Additional info:

Comment 1 Paul McDaid 2022-03-23 10:37:05 UTC

Running "authselect check -trace"

shows that the files in /etc/authselect/ are not the same as /var/lib/authselect (e.g. system-auth password-auth etc)

The /etc/authselect files are correct. the /var/lib/authselect files are the old profile.

I wrote a bash script to copy all of the /etc/authselect file to /var/lib/authselect and this is a workaround to the issue:

#
# workaroundBugInRHEL8AuthselectBackupRestore
#
#    Currently there is a bug in RHEL8 "authselect backup-restore" where the 
#    auth files are copied correctly to /etc/authselect dir. But are not copied
#    to /var/lib/authselect dir. When "authselect apply-changes" is invoked 
#    after "authselect backup-restore" it fails as all the auth files are 
#    not match between /etc/authselect and /var/lib/authselect.
#    The workaround is to copy all the auth files from /etc/authselect to 
#    /var/lib/authselect 
# 
function workaroundBugInRHEL8AuthselectBackupRestore() {
	echo "workaroundBugInRHEL8AuthselectBackupRestore started"
	for AUTHFILE in system-auth password-auth fingerprint-auth smartcard-auth postlogin nsswitch.conf dconf-db dconf-locks
	do
		diff /etc/authselect/$AUTHFILE /var/lib/authselect/$AUTHFILE > /dev/null 2>&1
		if [ $? -ne 0 ] ; then
			echo "/etc/authselect/$AUTHFILE differs from /var/lib/authselect/$AUTHFILE. Copy /etc/ file to /var dir" 
			\cp -f /etc/authselect/$AUTHFILE /var/lib/authselect/$AUTHFILE
		fi
	done
	echo "Call authselect apply-changes"
	authselect apply-changes
	echo "workaroundBugInRHEL8AuthselectBackupRestore finished"
}

workaroundBugInRHEL8AuthselectBackupRestore

Comment 2 Pavel Březina 2022-03-25 11:22:57 UTC

Thank you for the bug report. Can you please attach contents of the backup? I.e. `tar -cvzf backup.tgz /var/lib/authselect/backups/sssd.original`?

Comment 12 Paul McDaid 2022-04-26 08:33:31 UTC

A test rpm (authselect, authselect-compat and authselect-libs) was provided by RedHat. I have verified that this patch resolves the issue. RedHat have commented that this fix will be delivered in RHEL 8.7.

Comment 21 errata-xmlrpc 2022-11-08 10:51:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (authselect bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7738