Bug 2069899

Summary: anaconda enablement of fingerprint auth overrides existing authselect configuration
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: anaconda Assignee: Vendula Poncova <vponcova>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhide CC: anaconda-maint-list, jonathan, kellin, kparal, robatino, vanmeeuwen+fedora, vponcova, w
Target Milestone: --- Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: AcceptedBlocker
Fixed In Version: anaconda-36.16.4-1.fc36 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-04-05 14:21:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1953785    

Description Adam Williamson 2022-03-30 01:47:48 UTC
If anaconda decides to enable fingerprint authentication during installation, it uses `authselect select`, not `authselect enable`. This overwrites the entire config, overriding existing choices.

A specific problem here is that if `nss-mdns` is in the installed package set, during the package install transaction, its %posttrans runs `authselect enable-feature with-mdns4` to enable mdns lookups. But if anaconda then decides to enable fingerprint authentication, it runs `authselect select sssd with-fingerprint with-silent-lastlog --force`, which turns mdns lookups off again. See discussion in https://bugzilla.redhat.com/show_bug.cgi?id=2056927 .

It looks to me like this is kind of a hangover from a time when we expected anaconda to always run authconfig/authselect and set a default config, but it no longer does that; AFAICT, the 'expected' setting of the default config happens in the %posttrans of authselect-libs:

```sh
# If we are upgrading from pre authselect-1.3.0 or this is a new installation
# select the default configuration.
if [ -f /var/lib/rpm-state/authselect.force ]; then
    /usr/bin/authselect select sssd with-silent-lastlog --force $NOBACKUP &> /dev/null
    /usr/bin/rm -f /var/lib/rpm-state/authselect.force
fi
```

(there's earlier logic which creates `/var/lib/rpm-state/authselect.force` if this is a fresh install). anaconda these days is overall designed to not necessarily run authselect at all (only if the kickstart specifies it)...but if it decides to enable fingerprint authentication, it does this.

So I think it may be OK to change anaconda to do `authselect enable-feature with-fingerprint` instead, which should I think preserve any existing config set by authselect and nss-mdns during the package install transaction...
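
Added example (not part of the bug report and not anaconda's code): a pre-flight check that lists the features an `authselect select` call would discard relative to the existing configuration, and prints the `enable-feature` command that adds a feature without discarding any. It assumes `authselect current --raw` prints the profile name followed by the enabled features; the function names `lost_features` and `plan_enable` and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not anaconda code. Inputs are strings in the form assumed for
# `authselect current --raw`: "<profile> <feature> <feature> ...".

# Print the features in the current config ($1) that would be dropped by
# `authselect select $2` ($2 = profile and features, without --force).
lost_features() {
    lost=""
    first=1
    set -f                      # do not glob-expand words taken from the input
    for word in $1; do
        if [ "$first" = 1 ]; then first=0; continue; fi   # skip profile name
        case " $2 " in
            *" $word "*) ;;                       # kept by the new selection
            *) lost="${lost:+$lost }$word" ;;     # silently removed
        esac
    done
    set +f
    printf '%s\n' "$lost"
}

# Print the command that adds feature $2 to current config $1 without
# discarding anything, or "noop" if the feature is already enabled.
# Returns 1 when there is no existing configuration to preserve.
plan_enable() {
    [ -n "$1" ] || return 1
    case " $1 " in
        *" $2 "*) echo "noop" ;;
        *) echo "authselect enable-feature $2" ;;
    esac
}

# Constructed sample: state left by the nss-mdns %posttrans described above,
# and the selection anaconda ran afterwards.
CURRENT="sssd with-mdns4 with-silent-lastlog"
PROPOSED="sssd with-fingerprint with-silent-lastlog"

echo "select would drop: $(lost_features "$CURRENT" "$PROPOSED")"
echo "non-destructive:   $(plan_enable "$CURRENT" with-fingerprint)"
```

On an installed system the first argument can be taken from `authselect current --raw` instead of the constructed string.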

Comment 1 Adam Williamson 2022-03-30 01:49:01 UTC
Proposing as a Final blocker for the same reason as 2056927: if this isn't fixed, fresh Rawhide installs won't be able to use mdns features, including printer discovery. "Printing must work in release-blocking desktops on at least one printer using each of the following drivers: ... The generic IPP driver".

Comment 2 Vendula Poncova 2022-03-30 13:14:55 UTC
Fixed at: https://github.com/rhinstaller/anaconda/pull/3991

Comment 3 Adam Williamson 2022-03-30 22:08:07 UTC
+3 in https://pagure.io/fedora-qa/blocker-review/issue/697 , marking accepted.

Comment 4 Fedora Update System 2022-03-31 18:34:00 UTC
FEDORA-2022-8538fa94da has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8538fa94da

Comment 5 Fedora Update System 2022-04-01 23:23:09 UTC
FEDORA-2022-8538fa94da has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-8538fa94da`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-8538fa94da

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-04-05 00:16:29 UTC
FEDORA-2022-8538fa94da has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 7 Kamil Páral 2022-04-05 07:04:55 UTC
This needs verification with a new compose.

Comment 8 Kamil Páral 2022-04-05 13:18:46 UTC
Tested with Fedora-Everything-netinst-x86_64-36-20220405.n.0.iso and the issue is fixed. But I'll wait until Workstation Live is available, so that I can test it too, just to make sure.

Comment 9 Kamil Páral 2022-04-05 14:21:59 UTC
Verified fixed even with Fedora-Workstation-Live-x86_64-36-20220405.n.0.iso