Bug 2074653

Summary: Tlog role - Enabling session recording configuration does not work due to RHEL9 SSSD files provider default [rhel-8.6.0.z]
Product: Red Hat Enterprise Linux 8
Reporter: RHEL Program Management Team <pgm-rhel-tools>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: David Jež <djez>
Severity: high
Docs Contact:
Priority: urgent
Version: 8.7
CC: aboscatt, briasmit, djez, jharuda, jstephen, lmiksik, nhosoi, pkettman, rhel-cs-system-management-subsystem-qe, spetrosi, spoore, toneata
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: role:tlog
Fixed In Version: rhel-system-roles-1.16.2-1.el8_6.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2072749
Environment:
Last Closed: 2022-05-10 17:14:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2072749
Bug Blocks:

Comment 12 Scott Poore 2022-04-22 13:47:58 UTC
Verified

Version ::

rhel-system-roles-1.16.2-1.el8_6.2.noarch

Testing against RHEL8:

# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.6 (Ootpa)

# authselect current
Profile ID: sssd
Enabled features: None

# find /etc/sssd
/etc/sssd
/etc/sssd/conf.d
/etc/sssd/pki

# ansible-playbook -i 127.0.0.1, /tmp/test.yml 

PLAY [Install Session Recording] **********************************************************************

TASK [Gathering Facts] ********************************************************************************
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:QMxS8RRI5WxGwhw0/VKQC2iP2O470haBL7U2QiKZGIg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
ok: [127.0.0.1]

TASK [rhel-system-roles.tlog : Set platform/version specific variables] *******************************
ok: [127.0.0.1] => (item=RedHat.yml)
ok: [127.0.0.1] => (item=RedHat.yml)
ok: [127.0.0.1] => (item=RedHat_8.yml)
skipping: [127.0.0.1] => (item=RedHat_8.6.yml) 

TASK [rhel-system-roles.tlog : install session recording packages] ************************************
changed: [127.0.0.1]

TASK [rhel-system-roles.tlog : get the rpm package facts] *********************************************
ok: [127.0.0.1]

TASK [rhel-system-roles.tlog : install cockpit session recording] *************************************
skipping: [127.0.0.1]

TASK [rhel-system-roles.tlog : configure basic sssd] **************************************************
skipping: [127.0.0.1] => (item={'key': 'enable_files_domain', 'value': 'true'}) 
skipping: [127.0.0.1] => (item={'key': 'services', 'value': 'nss'}) 

TASK [rhel-system-roles.tlog : configure sssd session recording config] *******************************
changed: [127.0.0.1]

TASK [rhel-system-roles.tlog : Check with-files-domain feature exists] ********************************
ok: [127.0.0.1]

TASK [rhel-system-roles.tlog : Check if files domain is currently enabled] ****************************
ok: [127.0.0.1]

TASK [rhel-system-roles.tlog : update nsswitch] *******************************************************
skipping: [127.0.0.1]

TASK [rhel-system-roles.tlog : configure tlog rec session] ********************************************
changed: [127.0.0.1]

RUNNING HANDLER [rhel-system-roles.tlog : tlog_handler restart sssd] **********************************
changed: [127.0.0.1]

PLAY RECAP ********************************************************************************************
127.0.0.1                  : ok=9    changed=4    unreachable=0    failed=0    skipped=3    rescued=0    ignored=0   

# authselect current
Profile ID: sssd
Enabled features: None

# grep -i "^passwd:" /etc/nsswitch.conf
passwd:     sss files systemd

# find /etc/sssd
/etc/sssd
/etc/sssd/conf.d
/etc/sssd/conf.d/sssd-session-recording.conf
/etc/sssd/pki

# cat /etc/sssd/conf.d/sssd-session-recording.conf
#
# Ansible managed
#
[session_recording]
scope=all
users=
groups=
exclude_users=
exclude_groups=


# su - localuser8
Locale charset is ANSI_X3.4-1968 (ASCII)
Assuming locale environment is lost and charset is UTF-8

ATTENTION! Your session is being recorded!

# ^^ This is expected in RHEL8


######################################
Testing with RHEL9 target

# cat /etc/redhat-release 
Red Hat Enterprise Linux release 9.0 (Plow)

# find /etc/sssd
/etc/sssd
/etc/sssd/conf.d
/etc/sssd/pki

# authselect current
Profile ID: sssd
Enabled features: None

#### Running ansible-playbook from RHEL8 controller

# ansible-playbook -i ${RHEL9_TARGET}, /tmp/test.yml 

PLAY [Install Session Recording] **********************************************************************

TASK [Gathering Facts] ********************************************************************************
The authenticity of host '$RHEL9_TARGET (IP_ADDR)' can't be established.
ECDSA key fingerprint is SHA256:QoXClALjAywn2lhwZDHKWlBsGpD8ZGnutDu7orVobOM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
ok: [$RHEL9_TARGET]

TASK [rhel-system-roles.tlog : Set platform/version specific variables] *******************************
ok: [$RHEL9_TARGET] => (item=RedHat.yml)
ok: [$RHEL9_TARGET] => (item=RedHat.yml)
skipping: [$RHEL9_TARGET] => (item=RedHat_9.yml) 
skipping: [$RHEL9_TARGET] => (item=RedHat_9.0.yml) 

TASK [rhel-system-roles.tlog : install session recording packages] ************************************
changed: [$RHEL9_TARGET]

TASK [rhel-system-roles.tlog : get the rpm package facts] *********************************************
ok: [$RHEL9_TARGET]

TASK [rhel-system-roles.tlog : install cockpit session recording] *************************************
skipping: [$RHEL9_TARGET]

TASK [rhel-system-roles.tlog : configure basic sssd] **************************************************
changed: [$RHEL9_TARGET] => (item={'key': 'enable_files_domain', 'value': 'true'})
changed: [$RHEL9_TARGET] => (item={'key': 'services', 'value': 'nss'})

TASK [rhel-system-roles.tlog : configure sssd session recording config] *******************************
changed: [$RHEL9_TARGET]

TASK [rhel-system-roles.tlog : Check with-files-domain feature exists] ********************************
ok: [$RHEL9_TARGET]

TASK [rhel-system-roles.tlog : Check if files domain is currently enabled] ****************************
ok: [$RHEL9_TARGET]

TASK [rhel-system-roles.tlog : update nsswitch] *******************************************************
changed: [$RHEL9_TARGET]

TASK [rhel-system-roles.tlog : configure tlog rec session] ********************************************
changed: [$RHEL9_TARGET]

RUNNING HANDLER [rhel-system-roles.tlog : tlog_handler restart sssd] **********************************
changed: [$RHEL9_TARGET]

PLAY RECAP ********************************************************************************************
$RHEL9_TARGET : ok=11   changed=6    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0   


Checking on RHEL9 system:

# authselect current
Profile ID: sssd
Enabled features:
- with-files-domain

# find /etc/sssd
/etc/sssd
/etc/sssd/conf.d
/etc/sssd/conf.d/sssd-session-recording.conf
/etc/sssd/pki
/etc/sssd/sssd.conf

# cat /etc/sssd/sssd.conf

[sssd]
enable_files_domain = true
services = nss

# cat /etc/sssd/conf.d/sssd-session-recording.conf
#
# Ansible managed
#
[session_recording]
scope=all
users=
groups=
exclude_users=
exclude_groups=

# su - localuser9
Locale charset is ANSI_X3.4-1968 (ASCII)
Assuming locale environment is lost and charset is UTF-8

ATTENTION! Your session is being recorded!
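
An added example, not part of the bug report or of rhel-system-roles: a POSIX shell audit of the three settings the RHEL 9 run in Comment 12 changes (recording scope, `enable_files_domain`, and the `passwd:` lookup order), taking file paths as arguments so it can run against copies. It assumes `with-files-domain` puts `sss` before `files` on the `passwd:` line, as in the RHEL 8 output above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names); file paths are passed as arguments.

# ini_get FILE SECTION KEY -> print the value; non-zero if the key is absent
ini_get() {
    [ -r "$1" ] || return 1
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec {
            i = index($0, "="); if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit !found }' "$1"
}

# passwd_sss_first NSSWITCH -> 0 if "sss" precedes "files" on the passwd: line
passwd_sss_first() {
    awk '$1 == "passwd:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "sss")   { ok = 1; exit }
                if ($i == "files") { exit }
            }
         }
         END { exit !ok }' "$1"
}

# audit_tlog SSSD_CONF REC_CONF NSSWITCH -> one FAIL line per finding, 0 if none
audit_tlog() {
    rc=0
    scope=$(ini_get "$2" session_recording scope) || scope=
    case "$scope" in
        all|some) ;;
        *) echo "FAIL: session_recording scope is '${scope:-unset}'"; rc=1 ;;
    esac
    efd=$(ini_get "$1" sssd enable_files_domain | tr 'A-Z' 'a-z')
    [ "$efd" = "true" ] ||
        { echo "FAIL: enable_files_domain is not true in [sssd]"; rc=1; }
    passwd_sss_first "$3" ||
        { echo "FAIL: passwd: does not consult sss before files"; rc=1; }
    return $rc
}

# Usage: script /etc/sssd/sssd.conf /etc/sssd/conf.d/sssd-session-recording.conf /etc/nsswitch.conf
if [ "$#" -eq 3 ]; then audit_tlog "$@"; fi
```

The `enable_files_domain` check reflects the RHEL 9 state only; the RHEL 8 host in the same comment records sessions with no `/etc/sssd/sssd.conf` at all.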

Comment 17 errata-xmlrpc 2022-05-10 17:14:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2138