Bug 241657

Summary: Several options for auth and rootpw get ignored
Product: Red Hat Enterprise Linux 5
Component: pykickstart
Version: 5.0
Status: CLOSED ERRATA
Severity: urgent
Priority: medium
Target Milestone: rc
Hardware: All
OS: Linux
Keywords: Reopened
Doc Type: Bug Fix
Reporter: Klaus Ethgen <Klaus+rhbz>
Assignee: Chris Lumens <clumens>
QA Contact: Alexander Todorov <atodorov>
CC: atodorov, borgan, clusterman, sghosh, Stuart.Kirk, syeghiay, tmraz
Last Closed: 2009-09-02 11:53:30 UTC

Attachments:
pykickstart portion of the patch (flags: none)
anaconda portion of the patch (flags: none)

Description Klaus Ethgen 2007-05-29 12:37:08 UTC
Description of problem:
I have the following part in my kickstart for EL5:
 auth --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap --ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch ldaps03.ethz.ch" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls
 rootpw --iscrypted $1$xxxxxxxxxxxxxxxx.xxxxxxxxxxxx

When the system is installed I have _no_ /etc/shadow and _no_ /etc/gshadow! Moreover I have an 'x' in the password part of root in /etc/passwd, so it is impossible to log in and fix it. (In RHEL4 the shadow system was also not initiated, but there at least the password was written to /etc/passwd, so it was possible to run pwconv and grpconv in %post.)

And further, the nsswitch.conf has no ldap related settings, as the documentation says it should. But there are some nisplus settings, which are useless for me as we do not use it.

I do not need to tell that /etc/ldap.conf is unconfigured.

At last, the --enablekrb5 does nothing. There is no configuration done for enabling krb5 in pam.

How reproducible:
Just use the two lines above for kickstarting a system

Comment 1 Chris Lumens 2007-05-30 19:08:38 UTC
It's because of the spaces in your ldapserver line.  There's a bug in the
processing of the authconfig command in kickstart files which is causing
authconfig to fail.  The result is all the various problems you're seeing above.
I'm attaching a couple patches for my own reference to this to fix the problem in the next update release.

Comment 2 Chris Lumens 2007-05-30 19:09:41 UTC
Created attachment 155732 [details]
pykickstart portion of the patch

Comment 3 Chris Lumens 2007-05-30 19:11:40 UTC
Created attachment 155733 [details]
anaconda portion of the patch

Comment 4 Klaus Ethgen 2007-05-31 10:15:14 UTC
OK, I changed the line to
auth --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap --ldapserver="ldaps01.ethz.ch" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls

But there are still nisplus settings in nsswitch.conf. Also the enableldaptls does not work properly, as the entry is "uri ldap://..." and not "uri ldaps://...".

Comment 5 Chris Lumens 2007-05-31 13:20:34 UTC
Those sound like authconfig bugs to me, as all anaconda's doing is passing your
arguments to authconfig and it does the rest.  Please file an additional bug
with that component on your nis and ldap issues.

Comment 6 Fedora Update System 2007-06-08 15:54:23 UTC
pykickstart-1.1.1-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2007-06-20 20:04:56 UTC
pykickstart-1.1.1-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Klaus Ethgen 2007-06-21 12:02:20 UTC
Sorry, but the bug is related to Enterprise Linux 5 and is not solved there!

Comment 9 Chris Lumens 2007-06-21 13:50:03 UTC
Stupid script.

Comment 10 RHEL Program Management 2007-12-03 20:43:05 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release.  This request will
be reviewed for a future Red Hat Enterprise Linux release.

Comment 12 Chris Lumens 2009-04-16 21:04:25 UTC
Thanks for your patience.  I have committed a patch for this bug to the pykickstart repo, and it should be fixed in the next build.  That will be pykickstart-0.43.4-1.

Comment 14 Alexander Todorov 2009-05-25 12:10:21 UTC
Using exactly the same line as in comment #4 with pykickstart-0.43.4-1.el5 I get:

/etc/shadow and /etc/gshadow are created
MD5 is enabled
/etc/pam.d/system-auth is configured to use kerberos modules

ldap is enabled and /etc/ldap.conf has:
uri ldap://"ldaps01.ethz.ch"/
ssl start_tls


I'm not sure how to check if --enablecache is working correctly, and the uri in ldap.conf doesn't seem correct. However, when adding two or more ldap servers as in:
--ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch"

there's a message on tty1:
authconfig: unexpected argument

and the configuration is not what is expected. 

This doesn't look quite fixed.
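The checks in comment 14 (shadow files present, root still able to log in, kerberos in system-auth, ldap in nsswitch and a sane uri in ldap.conf) are the kind of thing a %post script or a post-install audit should assert rather than eyeball. The following is an added example, not code from the bug report, anaconda or authconfig: the file contents are passed in as a dict so it runs offline, and the two sample sets are constructed to mirror the broken state in the description and the fixed state in comment 14 (the $1$ hash is a placeholder of the shape the report uses, not a real hash).

```python
"""Post-install audit of the files the kickstart `auth` and `rootpw` lines
are supposed to produce.

Added example; not code from the bug report, anaconda or authconfig. The
checks mirror what the thread looked at: /etc/shadow and /etc/gshadow
present, root not locked out by an 'x' with no shadow entry behind it,
pam_krb5 in system-auth, ldap (and no nisplus) in nsswitch.conf, and a
clean uri line in ldap.conf. File contents are passed in as a dict so the
function runs offline; the two sample sets below are constructed to mirror
the broken state from the description and the fixed state from comment 14,
they are not copied from a real host.
"""
import re

# Constructed sample: what the description reports after install.
BROKEN_FILES = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "/etc/shadow": None,          # file absent
    "/etc/gshadow": None,         # file absent
    "/etc/nsswitch.conf": "passwd:     files nisplus\nshadow:     files nisplus\n",
    "/etc/pam.d/system-auth": "auth        sufficient    pam_unix.so nullok try_first_pass\n",
    "/etc/ldap.conf": "",
}

# Constructed sample: what comment 14 reports with the fixed pykickstart.
# The hash is a placeholder of the $1$ shape the report uses, not a real hash.
FIXED_FILES = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "/etc/shadow": "root:$1$xxxxxxxxxxxxxxxx.xxxxxxxxxxxx:14000:0:99999:7:::\n",
    "/etc/gshadow": "root:::\n",
    "/etc/nsswitch.conf": "passwd:     files ldap\nshadow:     files ldap\n",
    "/etc/pam.d/system-auth": "auth        sufficient    pam_krb5.so use_first_pass\n",
    "/etc/ldap.conf": "uri ldaps://ldaps01.ethz.ch/\n",
}


def _field(content, user, index):
    """Return field `index` of the colon-separated line for `user`, or None."""
    for line in (content or "").splitlines():
        fields = line.split(":")
        if fields[0] == user and len(fields) > index:
            return fields[index]
    return None


def audit_auth_files(files):
    """files maps a path to its content, or to None when the file is missing.
    Returns a list of human-readable findings; an empty list means all clear."""
    findings = []
    if files.get("/etc/gshadow") is None:
        findings.append("/etc/gshadow is missing")

    root_pw = _field(files.get("/etc/passwd"), "root", 1)
    if root_pw is None:
        findings.append("no root entry in /etc/passwd")
    elif root_pw == "x":
        if files.get("/etc/shadow") is None:
            findings.append("root is shadowed ('x') but /etc/shadow is missing: "
                            "nobody can log in as root")
        else:
            hash_ = _field(files["/etc/shadow"], "root", 1)
            if not hash_ or hash_.startswith(("!", "*")):
                findings.append("root entry in /etc/shadow has no usable hash")

    nss = files.get("/etc/nsswitch.conf") or ""
    m = re.search(r"^passwd:\s*(.*)$", nss, re.M)
    sources = m.group(1).split() if m else []
    if "ldap" not in sources:
        findings.append("nsswitch.conf passwd line does not list ldap")
    if "nisplus" in sources:
        findings.append("nsswitch.conf passwd line still lists nisplus")

    if "pam_krb5.so" not in (files.get("/etc/pam.d/system-auth") or ""):
        findings.append("system-auth does not reference pam_krb5.so")

    uris = re.findall(r"^uri\s+(.*)$", files.get("/etc/ldap.conf") or "", re.M)
    if not uris:
        findings.append("ldap.conf has no uri line")
    for uri in uris:
        if '"' in uri:
            findings.append("ldap.conf uri contains quote characters: %s" % uri)

    return findings


def read_live_files():
    """Read the same files from the running system (paths as assumed above)."""
    out = {}
    for path in BROKEN_FILES:
        try:
            with open(path) as fh:
                out[path] = fh.read()
        except OSError:
            out[path] = None
    return out


if __name__ == "__main__":
    for name, files in (("broken", BROKEN_FILES), ("fixed", FIXED_FILES)):
        print(name, audit_auth_files(files) or "OK")
```

On a real host, `audit_auth_files(read_live_files())` run from %post (or from a first-boot check) turns the "root has an 'x' but no /etc/shadow" state into a visible failure before the machine is handed over with an unusable root account.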

Comment 15 Klaus Ethgen 2009-05-25 12:26:47 UTC
> uri ldap://"ldaps01.ethz.ch"/

And exactly that is the problem. It should be "uri ldaps://ldaps01.ethz.ch/". With "s" but without ".

Comment 16 Alexander Todorov 2009-05-25 12:33:13 UTC
(In reply to comment #15)
> > uri ldap://"ldaps01.ethz.ch"/
> 
Also note the quotes. I suspect they have to be stripped before going into the configuration file.

Comment 17 Chris Lumens 2009-05-26 14:31:56 UTC
Yes they do need to be stripped, but not by pykickstart.  We are just passing everything after the auth command's keyword directly to authconfig now, so this is the equivalent of running authconfig --ldapserver="ldaps01:blahblahblah".  If authconfig can't handle quotes there, it's either a bug in authconfig or invalid usage.  Regardless, there's nothing we should do in pykickstart.

Comment 18 Alexander Todorov 2009-05-28 10:06:59 UTC
Chris,
on a recent RHEL system running:
authconfig --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap --ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls --update


post installation I see two differences:

1) The quotes for --ldapserver don't make it to ldap.conf
2) I don't get an error when the parameter has spaces (I have 2 servers specified)

Can we get an updates.img with verbose logging to see what's the exact line of authconfig executed?

Klaus,
in ldap.conf I get:

uri ldap://ldaps01.ethz.ch ldaps02.ethz.ch/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts


There's no ldapS:// but the uri itself looks incorrect. Can you verify that specifying two servers the way you do is a valid usage and whether the expected uri should have the "s"? Also whether there need to be separate lines for each server, such as:
uri ldap://ldaps01.ethz.ch/
uri ldap://ldaps02.ethz.ch/

There could be a bug (or few bugs) in the authconfig command itself.

Comment 19 Tomas Mraz 2009-05-28 14:02:27 UTC
This is an incorrect call to authconfig. The correct one is:
authconfig --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap
--ldapserver="ldaps://ldaps01.ethz.ch/,ldaps://ldaps02.ethz.ch/" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --update

The uris must be fully specified and separated by commas. Also if they want ldaps protocol they most probably don't want to enable starttls.
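Two separate things went wrong in this thread: the whitespace inside the quoted --ldapserver value (comment 1), which makes the bare host names look like stray arguments to authconfig, and the shape of the value itself (comment 19), which has to be comma-separated, fully specified URIs with ldaps:// not combined with --enableldaptls. The following is an added example, not code from the bug report, pykickstart, anaconda or authconfig: it is a pre-flight check for such a line, using shlex-style splitting to show what a quote-aware split preserves that a naive split does not. The checks are this example's own heuristics for the value shape Tomas describes, not authconfig's real option parser; the host names are the ones from the report.

```python
"""Pre-flight check for the --ldapserver value of a kickstart `auth` line.

Added example; it is not code from the bug report, pykickstart, anaconda
or authconfig. It shows the two things the thread turns on:
  * comment 1: a space inside the quoted --ldapserver value breaks a
    naive whitespace split (the bare host names become "unexpected
    arguments"), while shlex-style splitting keeps the value whole;
  * comment 19: authconfig expects fully specified URIs separated by
    commas, and ldaps:// should not be combined with --enableldaptls.
The checks are this example's own heuristics for that value shape, not
authconfig's real option parser. Host names are the ones from the report.
"""
import shlex

# The auth line from the description, joined onto one line (from the page).
ORIGINAL_LINE = ('auth --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap '
                 '--ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch ldaps03.ethz.ch" '
                 '--ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls')

# The same line in the form comment 19 recommends (kickstart form, no --update).
CORRECTED_LINE = ('auth --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap '
                  '--ldapserver="ldaps://ldaps01.ethz.ch/,ldaps://ldaps02.ethz.ch/" '
                  '--ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch"')


def naive_split(line):
    """Whitespace split that ignores quoting (the behaviour comment 1 describes)."""
    return line.split()


def shell_split(line):
    """Quote-aware split: quotes group words and are removed, as a shell would."""
    return shlex.split(line)


def unexpected_arguments(tokens):
    """Tokens after the command word that are not --options; authconfig
    rejects these ("authconfig: unexpected argument" on tty1)."""
    return [t for t in tokens[1:] if not t.startswith("--")]


def parse_auth_line(line):
    """Split an `auth ...` line into (flags, options).

    flags: bare switches such as enableldaptls; options: name -> value
    for --name=value tokens. Raises ValueError on a stray argument."""
    tokens = shell_split(line)
    if not tokens or tokens[0] not in ("auth", "authconfig"):
        raise ValueError("not an auth line")
    stray = unexpected_arguments(tokens)
    if stray:
        raise ValueError("unexpected argument: %s" % stray[0])
    flags, options = [], {}
    for tok in tokens[1:]:
        name, sep, value = tok[2:].partition("=")
        if sep:
            options[name] = value
        else:
            flags.append(name)
    return flags, options


def check_ldapserver(value, flags):
    """Return a list of problems with an --ldapserver value (empty list = OK)."""
    problems = []
    if '"' in value or "'" in value:
        problems.append("quote characters are part of the value and would be copied into ldap.conf")
    if " " in value:
        problems.append("servers separated by spaces; authconfig expects commas")
    for uri in (u.strip() for u in value.split(",")):
        if not uri:
            continue
        scheme = uri.split("://", 1)[0] if "://" in uri else ""
        if scheme not in ("ldap", "ldaps"):
            problems.append("%s: not a fully specified ldap:// or ldaps:// URI" % uri)
        elif scheme == "ldaps" and "enableldaptls" in flags:
            problems.append("%s: ldaps:// combined with --enableldaptls (STARTTLS on a TLS port)" % uri)
    return problems


if __name__ == "__main__":
    for line in (ORIGINAL_LINE, CORRECTED_LINE):
        print("naive split strays:", unexpected_arguments(naive_split(line)))
        flags, options = parse_auth_line(line)
        print("problems:", check_ldapserver(options["ldapserver"], flags))
```

Run against the original line the naive split yields the two stray host names that match the "unexpected argument" message from comment 14, and even the quote-aware split leaves a value that fails both the comma and the scheme check; the corrected line from comment 19 passes cleanly, and passes only as long as --enableldaptls is not added back.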

Comment 20 Alexander Todorov 2009-05-29 10:55:26 UTC
Thanks Tomas.

Testing with the proper command syntax in comment #19 I didn't see anything wrong after installation is completed. I'll move this to verified. If something doesn't work it will be more likely improper usage or authconfig bug.

Comment 22 errata-xmlrpc 2009-09-02 11:53:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1387.html