Red Hat Bugzilla – Full Text Bug Listing
Summary: Several options for auth and rootpw get ignored
Product: Red Hat Enterprise Linux 5
Reporter: Klaus Ethgen <Klaus+rhbz>
Component: pykickstart
Assignee: Chris Lumens <clumens>
Status: CLOSED ERRATA
QA Contact: Alexander Todorov <atodorov>
Version: 5.0
CC: atodorov, borgan, clusterman, sghosh, Stuart.Kirk, syeghiay, tmraz
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2009-09-02 07:53:30 EDT
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Description Klaus Ethgen 2007-05-29 08:37:08 EDT
Description of problem:
I have the following part in my kickstart for EL5:

auth --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap --ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch ldaps03.ethz.ch" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls
rootpw --iscrypted $1$xxxxxxxxxxxxxxxx.xxxxxxxxxxxx

When the system is installed I have _no_ /etc/shadow and _no_ /etc/gshadow! Moreover, I have an 'x' in the password part of root in /etc/passwd, so it is impossible to login and fix it. (In RHEL4 the shadow system was also not initiated, but there at least the password was written to /etc/passwd, so it was possible to run pwconv and grpconv in %post.)

And further, the nsswitch.conf has no ldap related settings as it should have according to the documentation. But there are some nisplus settings which are useless for me as we do not use it. I do not need to tell that /etc/ldap.conf is unconfigured.

At last, the --enablekrb5 does nothing. There is no configuration done for enabling krb5 in pam.

How reproducible:
Just use the two lines above for kickstarting a system
Comment 1 Chris Lumens 2007-05-30 15:08:38 EDT
It's because of the spaces in your ldapserver line. There's a bug in the processing of the authconfig command in kickstart files which is causing authconfig to fail. The result is all the various problems you're seeing above. I'm attaching a couple patches for my own reference to this to fix the problem in the next update release.
Comment 2 Chris Lumens 2007-05-30 15:09:41 EDT
Created attachment 155732 [details] pykickstart portion of the patch
Comment 3 Chris Lumens 2007-05-30 15:11:40 EDT
Created attachment 155733 [details] anaconda portion of the patch
Comment 4 Klaus Ethgen 2007-05-31 06:15:14 EDT
OK, I changed the line to

auth --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap --ldapserver="ldaps01.ethz.ch" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls

But there are still nisplus settings in nsswitch.conf. Also the enableldaptls is not working properly as the entry is "uri ldap://..." and not "uri ldaps://...".
Comment 5 Chris Lumens 2007-05-31 09:20:34 EDT
Those sound like authconfig bugs to me, as all anaconda's doing is passing your arguments to authconfig and it does the rest. Please file an additional bug with that component on your nis and ldap issues.
Comment 6 Fedora Update System 2007-06-08 11:54:23 EDT
pykickstart-1.1.1-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2007-06-20 16:04:56 EDT
pykickstart-1.1.1-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Klaus Ethgen 2007-06-21 08:02:20 EDT
Sorry, but the bug is related to Enterprise Linux 5 and is not solved there!
Comment 9 Chris Lumens 2007-06-21 09:50:03 EDT
Comment 10 RHEL Product and Program Management 2007-12-03 15:43:05 EST
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. This request will be reviewed for a future Red Hat Enterprise Linux release.
Comment 12 Chris Lumens 2009-04-16 17:04:25 EDT
Thanks for your patience. I have committed a patch for this bug to the pykickstart repo, and it should be fixed in the next build. That will be pykickstart-0.43.4-1.
Comment 14 Alexander Todorov 2009-05-25 08:10:21 EDT
Using exactly the same line as in comment #4 with pykickstart-0.43.4-1.el5 I get:

/etc/shadow and /etc/gshadow are created
MD5 is enabled
/etc/pam.d/system-auth is configured to use kerberos modules
ldap is enabled and /etc/ldap.conf has:

uri ldap://"ldaps01.ethz.ch"/
ssl start_tls

I'm not sure how to check if --enablecache is working correctly, and the uri in ldap.conf doesn't seem correct.

However, when adding two or more ldap servers as in:

--ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch"

there's a message on tty1:

authconfig: unexpected argument

and the configuration is not what is expected. This doesn't look quite fixed.
Comment 15 Klaus Ethgen 2009-05-25 08:26:47 EDT
> uri ldap://"ldaps01.ethz.ch"/

And exactly that is the problem. It should be "uri ldaps://ldaps01.ethz.ch/". With "s" but without ".
Comment 16 Alexander Todorov 2009-05-25 08:33:13 EDT
(In reply to comment #15)
> > uri ldap://"ldaps01.ethz.ch"/
>

Also note the quotes. I suspect they have to be stripped before going into the configuration file.
Comment 17 Chris Lumens 2009-05-26 10:31:56 EDT
Yes they do need to be stripped, but not by pykickstart. We are just passing everything after the auth command's keyword directly to authconfig now, so this is the equivalent of running authconfig --ldapserver="ldaps01:blahblahblah". If authconfig can't handle quotes there, it's either a bug in authconfig or invalid usage. Regardless, there's nothing we should do in pykickstart.
Comment 18 Alexander Todorov 2009-05-28 06:06:59 EDT
Chris, on a recent RHEL system running:

authconfig --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap --ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls --update

post installation I see two differences:

1) The quotes for --ldapserver don't make it to ldap.conf
2) I don't get an error when the parameter has spaces (I have 2 servers specified)

Can we get an updates.img with verbose logging to see what's the exact line of authconfig executed?

Klaus, in ldap.conf I get:

uri ldap://ldaps01.ethz.ch ldaps02.ethz.ch/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts

There's no ldapS:// but the uri itself looks incorrect. Can you verify that specifying two servers the way you do is a valid usage and if the expected uri should have the "s". Also if there need to be separate lines for each server such as:

uri ldap://ldaps01.ethz.ch/
uri ldap://ldaps02.ethz.ch/

There could be a bug (or few bugs) in the authconfig command itself.
Comment 19 Tomas Mraz 2009-05-28 10:02:27 EDT
This is an incorrect call to authconfig. The correct one is:

authconfig --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap --ldapserver="ldaps://ldaps01.ethz.ch/,ldaps://ldaps02.ethz.ch/" --ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --update

The uris must be fully specified and separated by commas. Also if they want ldaps protocol they most probably don't want to enable starttls.
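An added example, not code from pykickstart, anaconda, authconfig or this bug thread, that lints a kickstart auth line for the --ldapserver mistakes discussed in comments 1, 14, 17 and 19: it contrasts whitespace-only splitting, which turns a space-separated server list into the bare token authconfig rejects, with shell-style splitting, and then checks that each server is a full ldap:// or ldaps:// URI, comma-separated, and not combined with --enableldaptls. The sample lines, function names and the check logic are this example's own assumptions.

```python
import shlex

# Constructed sample lines modelled on the auth command in this bug thread (not
# the reporter's exact lines): the space-separated form that failed, and the
# comma-separated, fully qualified form given in comment 19.
BROKEN_AUTH = ('auth --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap '
               '--ldapserver="ldaps01.ethz.ch ldaps02.ethz.ch" '
               '--ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch" --enableldaptls')
FIXED_AUTH = ('auth --enablemd5 --enableshadow --enablecache --enablekrb5 --enableldap '
              '--ldapserver="ldaps://ldaps01.ethz.ch/,ldaps://ldaps02.ethz.ch/" '
              '--ldapbasedn="ou=isg,ou=inf,ou=auth,o=ethz,c=ch"')

def naive_bare_tokens(line):
    """Whitespace-only splitting with no quote handling: every token that is not
    a --option is what authconfig would report as an 'unexpected argument'."""
    return [tok for tok in line.split()[1:] if not tok.startswith("--")]

def parse_auth_line(line):
    """Shell-style split (shlex), so quotes group a value and are stripped.
    Returns (set of bare flags, dict of --name=value options)."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] not in ("auth", "authconfig"):
        raise ValueError("not an auth line")
    flags, options = set(), {}
    for tok in tokens[1:]:
        if not tok.startswith("--"):
            raise ValueError("unexpected argument: %s" % tok)
        name, sep, value = tok[2:].partition("=")
        if sep:
            options[name] = value
        else:
            flags.add(name)
    return flags, options

def lint_ldapserver(flags, options):
    """Problems with --ldapserver per comment 19: each server must be a full URI,
    servers are comma-separated, and ldaps:// should not be paired with starttls."""
    problems = []
    value = options.get("ldapserver")
    if value is None:
        return problems
    if " " in value:
        problems.append("servers must be comma-separated, not space-separated")
    for uri in value.split(","):
        uri = uri.strip()
        if not uri.startswith(("ldap://", "ldaps://")):
            problems.append("%r is not a full ldap:// or ldaps:// URI" % uri)
        elif uri.startswith("ldaps://") and "enableldaptls" in flags:
            problems.append("%r uses ldaps:// together with --enableldaptls" % uri)
    return problems

def lint_auth_line(line):
    """Convenience wrapper: parse, then lint. Empty list means no problems."""
    return lint_ldapserver(*parse_auth_line(line))
```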
Comment 20 Alexander Todorov 2009-05-29 06:55:26 EDT
Thanks Tomas. Testing with the proper command syntax in comment #19 I didn't see anything wrong after installation is completed. I'll move this to verified. If something doesn't work it will be more likely improper usage or authconfig bug.
Comment 22 errata-xmlrpc 2009-09-02 07:53:30 EDT
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1387.html