Bug 2190340
| Summary: | No authselect profile is selected on Minimal Install | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Sunny Wu <suwu> |
| Component: | authselect | Assignee: | Pavel Březina <pbrezina> |
| Status: | NEW --- | QA Contact: | sssd-qe |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.1 | CC: | aboscatt, asamalik, jkonecny, jwboyer, pbrezina, vponcova |
| Target Milestone: | rc | Flags: | pbrezina: needinfo? (jkonecny) pbrezina: needinfo? (vponcova) |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Sunny Wu
2023-04-28 02:09:45 UTC
Hi Sunny,

IIRC if kickstart is provided Anaconda does not call authselect. So I believe that the authselect call should be part of this kickstart. Authselect does not execute itself after installation on RHEL8/9 (it happens on F36+ https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory). Anaconda is responsible for calling it.

I moved this to Anaconda for confirmation, but I don't know if the kickstart itself is part of the anaconda component or some other.

Hi Pavel,

I looked at the code and it seems we are enabling fingerprint with the automatic installation by default:
https://github.com/rhinstaller/anaconda/blob/6f34f4c2d7afaf0b597af6d77d56068895283d34/pyanaconda/modules/security/installation.py#L441

However, we tested this with interactive installation and the issue is there too, but no call of authselect is done by Anaconda (nothing in the logs). So it seems that this issue is specific to the installation of packages. Problematic packaging (scriptlet) or missing dependency on minimal-environment.

This issue seems to not be related to Anaconda, switching component back. Feel free to contact us to debug this issue.

Hi Jiří,

can you please check the rhel9 branch? The behavior has changed in Fedora 36 (authselect rpm scriptlet takes care of it, thus you only call enable-feature for fingerprint), but anaconda is responsible for enabling authselect for rhel8 and rhel9.

https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/installation.py#L421
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/installation.py#L382

If I remember it correctly, this only happens if no kickstart is provided. If kickstart is given, it should contain `%authselect select ...` call. Is this correct?

You are correct that I unfortunately put an incorrect branch link here. However, it seems to be the same: it should not be executed. So in more detail.

Fingerprint is enabled only for interactive installations:
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/startup_utils.py#L582 - here is the check
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/security.py#L187 - stored into the variable of module
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/security.py#L309 - propagated to the installation task
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/installation.py#L406 - and here it will skip the authselect call

So the fingerprint shouldn't be used in this call in any case.

For the user configuration:
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/security.py#L79 - here we look for the kickstart data configuration (these are empty because authselect command is not part of the kickstart)
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/security.py#L313 - here the processed KS data are passed to the installation task
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/installation.py#L440 - here we have a check to not run the authselect command in case it's empty

As you can check, it should not be executed on RHEL-9. Also if it would be executed we should have it in the logs. Another reason why it's probably not in Anaconda is that it's happening based on the package selection - Anaconda does not change logic based on the package selection.

Hope this debugging helped you.

Well, this is unsatisfying. I always lived with an impression that the behavior is:

```
if fingerprint:
  authselect select sssd with-fingerprint with-silent-lastlog --force
else if no fingerprint and no kickstart
  authselect select sssd with-silent-lastlog --force
if kickstart
  authselect $kickstartcommand
```

From authselect perspective, there is nothing we can do, because anaconda installs it.
This is a bug in Anaconda and ideally the logic should be fixed in RHEL-8 and RHEL-9, but I'm not sure we should do it as it would change customers' new installations.

Before we decide, how does the sssd profile get selected for the server variant? Only anaconda or kickstart can do it.

Ping

Hi, the fingerprint configuration actually depends on the installed packages, because we are looking for the pam_fprintd.so library to confirm that this configuration is supported [0].

From syslog of the minimal installation:

```
15:44:24,223 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:anaconda.threading:Thread Done: AnaTaskThread-ConfigureSELinuxTask-1 (139939652093504)
15:44:25,231 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:anaconda.threading:Running Thread: AnaTaskThread-ConfigureFingerprintAuthTask-1 (139939652093504)
15:44:25,234 WARNING org.fedoraproject.Anaconda.Modules.Security:DEBUG:anaconda.modules.security.installation:Fingerprint conifguration is not supported on target system.
15:44:25,235 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:anaconda.threading:Thread Done: AnaTaskThread-ConfigureFingerprintAuthTask-1 (139939652093504)
```

From syslog of the server installation:

```
15:53:59,108 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:anaconda.threading:Running Thread: AnaTaskThread-ConfigureFingerprintAuthTask-1 (140283804624448)
15:53:59,111 WARNING org.fedoraproject.Anaconda.Modules.Security:DEBUG:anaconda.modules.security.installation:Enabling fingerprint authentication.
15:53:59,111 WARNING org.fedoraproject.Anaconda.Modules.Security:DEBUG:anaconda.modules.security.installation:Configuring authentication: /usr/bin/authselect ['select', 'sssd', 'with-fingerprint', 'with-silent-lastlog', '--force']
15:53:59,112 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:Running in chroot '/mnt/sysroot'... /usr/bin/authselect select sssd with-fingerprint with-silent-lastlog --force
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:Backup stored at /var/lib/authselect/backups/2023-07-31-15-53-59.ScNsRd
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:Profile "sssd" was selected.
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:The following nsswitch maps are overwritten by the profile:
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- passwd
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- group
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- netgroup
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- automount
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- services
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- with-fingerprint is selected, make sure fprintd service is configured and enabled
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:DEBUG:program:Return code: 0
15:53:59,265 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:anaconda.threading:Thread Done: AnaTaskThread-ConfigureFingerprintAuthTask-1 (140283804624448)
```

As you can see from the first log, we are not able to find the pam_fprintd.so library on the minimal installation, so we don't run authselect at all. There is no fallback [1] and I don't remember ever having such a fallback.
It looks like the pam_fprintd.so library is provided by the fprintd-pam package, which is part of the Standard group [2], but that is not a mandatory group of the Minimal Install environment [3]. Therefore this package is not installed by default on minimal installations.

[0] https://github.com/rhinstaller/anaconda/blob/f8748fbc16110ce786ce4da8452684358ce67deb/pyanaconda/modules/security/installation.py#L401-L403
[1] https://github.com/rhinstaller/anaconda/blob/f8748fbc16110ce786ce4da8452684358ce67deb/pyanaconda/modules/security/installation.py#L410
[2] https://download.eng.brq.redhat.com/rhel-9/nightly/RHEL-9/latest-RHEL-9/compose/AppStream/x86_64/os/repodata/51e7d7dcd7b00e04e65241cade4f8dc43ed8c80874b2becc1e8110350a5a7501-comps-AppStream.x86_64.xml
[3] https://download.eng.brq.redhat.com/rhel-9/nightly/RHEL-9/latest-RHEL-9/compose/BaseOS/x86_64/os/repodata/93b5f987d53813e6054458afa107388c54b50546d22add098de24289df278266-comps-BaseOS.x86_64.xml

Thank you for the clarification. I always lived in the impression that authselect is always called, Anaconda just enables the fingerprint support if needed. Was this always like this in Fedora as well? Anyway, Fedora is resolved now since using authselect is mandatory and it does no longer depend on Anaconda.

In RHEL, leapp actors automatically convert the system to authselect during upgrade from rhel7 and it is enabled on Server (and Workstation?) automatically, so only the minimal version is affected. I propose to switch it to the relevant component and let them decide if authselect should be included in kickstart or not.

What component is responsible for creating the minimal installation?

Hi Josh/Adam,

Can you point us in the right direction? We are looking for this information for a while.

Kindly

(In reply to Andre Boscatto from comment #10)
> Hi Josh/Adam,
>
> Can you point us in the right direction? We are looking for this information
> for a while.
>
> Kindly

There is no bugzilla component for individual installation types. The "distribution" component is the closest you'll get.

That said, it's called the minimal install for a reason. We are unlikely to change it without some very critical rationale.

(I believe Josh has provided the info needed.)
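
As an added example (not part of the bug report and not Anaconda's code), the following Python script reads Anaconda syslog text in the format quoted in this thread and reports whether the installer actually invoked authselect, with which profile, and whether it exited 0. The sample lines are constructed by shortening the two excerpts above, and the function names are hypothetical.

```python
import ast
import re

# Constructed samples, shortened from the two syslog excerpts quoted in the thread.
P = "WARNING org.fedoraproject.Anaconda.Modules.Security:"
MINIMAL_LOG = f"""\
15:44:25,231 {P}INFO:anaconda.threading:Running Thread: AnaTaskThread-ConfigureFingerprintAuthTask-1 (139939652093504)
15:44:25,234 {P}DEBUG:anaconda.modules.security.installation:Fingerprint conifguration is not supported on target system.
"""
SERVER_LOG = f"""\
15:53:59,111 {P}DEBUG:anaconda.modules.security.installation:Configuring authentication: /usr/bin/authselect ['select', 'sssd', 'with-fingerprint', 'with-silent-lastlog', '--force']
15:53:59,264 {P}INFO:program:Profile "sssd" was selected.
15:53:59,264 {P}DEBUG:program:Return code: 0
"""

CALL = re.compile(r"Configuring authentication: /usr/bin/authselect (\[.*\])\s*$")
RETURN_CODE = re.compile(r":program:Return code: (-?\d+)\s*$")
SKIPPED = "is not supported on target system"  # stable tail; the logged text has a typo

def authselect_outcome(log_text):
    """Summarise what the Security module did about authselect in one install log."""
    out = {"called": False, "args": None, "profile": None, "return_code": None,
           "fingerprint_skipped": False}
    awaiting_rc = False
    for line in log_text.splitlines():
        if "Anaconda.Modules.Security" not in line:
            continue  # output of other modules is not relevant here
        if "Fingerprint" in line and SKIPPED in line:
            out["fingerprint_skipped"] = True
        call = CALL.search(line)
        if call:
            args = ast.literal_eval(call.group(1))  # logged as a Python list repr
            out.update(called=True, args=args)
            if len(args) > 1 and args[0] == "select":
                out["profile"] = args[1]
            awaiting_rc = True
            continue
        rc = RETURN_CODE.search(line)
        if rc and awaiting_rc:  # first return code after the authselect call
            out["return_code"] = int(rc.group(1))
            awaiting_rc = False
    return out

def profile_selected(log_text):
    """True only if 'authselect select <profile>' ran and exited 0."""
    out = authselect_outcome(log_text)
    return bool(out["called"] and out["profile"] and out["return_code"] == 0)

if __name__ == "__main__":
    print({n: profile_selected(t) for n, t in (("minimal", MINIMAL_LOG), ("server", SERVER_LOG))})
```
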