Bug 241657
Summary: | Several options for auth and rootpw gets ignored
---|---
Product: | Red Hat Enterprise Linux 5
Reporter: | Klaus Ethgen <Klaus+rhbz>
Component: | pykickstart
Assignee: | Chris Lumens <clumens>
Status: | CLOSED ERRATA
QA Contact: | Alexander Todorov <atodorov>
Severity: | urgent
Priority: | medium
Version: | 5.0
CC: | atodorov, borgan, clusterman, sghosh, Stuart.Kirk, syeghiay, tmraz
Target Milestone: | rc
Keywords: | Reopened
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2009-09-02 11:53:30 UTC

Description
Klaus Ethgen
2007-05-29 12:37:08 UTC
It's because of the spaces in your ldapserver line. There's a bug in the processing of the authconfig command in kickstart files which is causing authconfig to fail. The result is all the various problems you're seeing above. I'm attaching a couple patches for my own reference to this to fix the problem in the next update release.

Created attachment 155732: pykickstart portion of the patch

Created attachment 155733: anaconda portion of the patch

OK, I changed the line to

    auth --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap --ldapserver="ldaps01.ethz.ch" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls

But there are still nisplus settings in nsswitch.conf. Also the enableldaptls is not working properly as the entry is "uri ldap://..." and not "uri ldaps://...".

Those sound like authconfig bugs to me, as all anaconda's doing is passing your arguments to authconfig and it does the rest. Please file an additional bug with that component on your nis and ldap issues.

pykickstart-1.1.1-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.

pykickstart-1.1.1-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Sorry, but the bug is related to Enterprise Linux 5 and is not solved there! Stupid script.

This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. This request will be reviewed for a future Red Hat Enterprise Linux release. Thanks for your patience.

I have committed a patch for this bug to the pykickstart repo, and it should be fixed in the next build. That will be pykickstart-0.43.4-1.

Using exactly the same line as in comment #4 with pykickstart-0.43.4-1.el5 I get:

- /etc/shadow and /etc/gshadow are created
- MD5 is enabled
- /etc/pam.d/system-auth is configured to use kerberos modules
- ldap is enabled and /etc/ldap.conf has:

    uri ldap://"ldaps01.ethz.ch"/
    ssl start_tls

I'm not sure how to check if --enablecache is working correctly and the uri in ldap.conf doesn't seem correct.

However when adding two or more ldap servers as in:

    --ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch"

there's a message on tty1:

    authconfig: unexpected argument

and the configuration is not what is expected. This doesn't look quite fixed.

> uri ldap://"ldaps01.ethz.ch"/

And exactly that is the problem. It should be "uri ldaps://ldaps01.ethz.ch/". With "s" but without ".

(In reply to comment #15)
> > uri ldap://"ldaps01.ethz.ch"/
> Also note the quotes. I suspect they have to be stripped before going into the configuration file.

Yes they do need to be stripped, but not by pykickstart. We are just passing everything after the auth command's keyword directly to authconfig now, so this is the equivalent of running authconfig --ldapserver="ldaps01:blahblahblah". If authconfig can't handle quotes there, it's either a bug in authconfig or invalid usage. Regardless, there's nothing we should do in pykickstart.

Chris, on a recent RHEL system running:

    authconfig --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap --ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls --update

post installation I see two differences:

1) The quotes for --ldapserver don't make it to ldap.conf
2) I don't get an error when the parameter has spaces (I have 2 servers specified)

Can we get an updates.img with verbose logging to see what's the exact line of authconfig executed?

Klaus, in ldap.conf I get:

    uri ldap://ldaps01.ethz.ch ldaps02.ethz.ch/
    ssl start_tls
    tls_cacertdir /etc/openldap/cacerts

There's no ldapS:// but the uri itself looks incorrect. Can you verify that specifying two servers the way you do is a valid usage and if the expected uri should have the "s"? Also if there need to be separate lines for each server such as:

    uri ldap://ldaps01.ethz.ch/
    uri ldap://ldaps02.ethz.ch/

There could be a bug (or a few bugs) in the authconfig command itself.

This is an incorrect call to authconfig. The correct one is:

    authconfig --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap --ldapserver="ldaps://ldaps01.ethz.ch/,ldaps://ldaps02.ethz.ch/" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --update

The uris must be fully specified and separated by commas. Also if they want ldaps protocol they most probably don't want to enable starttls.

Thanks Tomas.

Testing with the proper command syntax in comment #19 I didn't see anything wrong after installation is completed. I'll move this to verified. If something doesn't work it will be more likely improper usage or authconfig bug.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1387.html
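
The usage rules stated in comment #19 (full URIs, comma-separated, no StartTLS on top of ldaps://) can be checked before a kickstart file is deployed. The lint below is an added example, not code from this bug report, pykickstart or authconfig; `check_auth_line` is a hypothetical helper, and its rules are taken from the comments above rather than from authconfig's source.

```python
import shlex
from urllib.parse import urlparse

# Lines from the comments above (the kickstart "auth" keyword or the
# authconfig command, followed by the same options).
AS_REPORTED = ('authconfig --enablemd5 --enableshadow --enablecache --enablekrb5 '
               '--enableldap --ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch" '
               '--ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls --update')
AS_CORRECTED = ('authconfig --enablemd5 --enableshadow --enablecache --enablekrb5 '
                '--enableldap --ldapserver="ldaps://ldaps01.ethz.ch/,ldaps://ldaps02.ethz.ch/" '
                '--ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --update')
# Constructed for this example: corrected URIs, but StartTLS left switched on.
MIXED = AS_CORRECTED + " --enableldaptls"


def check_auth_line(line):
    """Return a list of problems in an auth/authconfig option line (hypothetical helper)."""
    tokens = shlex.split(line)  # shell-style splitting; surrounding quotes are removed
    servers, starttls = None, False
    for i, tok in enumerate(tokens):
        if tok.startswith("--ldapserver="):
            servers = tok.split("=", 1)[1]
        elif tok == "--ldapserver" and i + 1 < len(tokens):
            servers = tokens[i + 1]
        elif tok == "--enableldaptls":
            starttls = True
    problems = []
    if servers is None:
        return problems
    if any(ch.isspace() for ch in servers):
        problems.append("whitespace in --ldapserver value; separate URIs with commas")
    for entry in servers.replace(",", " ").split():
        scheme = urlparse(entry).scheme
        if scheme not in ("ldap", "ldaps"):
            problems.append(f"{entry!r} is not a full ldap:// or ldaps:// URI")
        elif scheme == "ldaps" and starttls:
            problems.append(f"{entry!r}: ldaps:// combined with --enableldaptls")
    return problems


if __name__ == "__main__":
    for name, line in (("reported", AS_REPORTED), ("corrected", AS_CORRECTED), ("mixed", MIXED)):
        print(name, check_auth_line(line) or "ok")
```

The same check applied to the generated /etc/ldap.conf would catch the `uri ldap://...` plus `ssl start_tls` result that the reporter did not intend when ldaps was wanted.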