Description of problem: "authconfig --update" might cause system disable logins. Please don't call it at all. Version-Release number of selected component (if applicable): fprintd-0.7.0-1.fc26 fprintd-0.7.0-2.fc26 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: "authconfig --update" is called Expected results: "authconfig --update" is not called Additional info:
I notified fedora-devel: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/G7XGBKTJDZ6MTQVTFP6CFKVO64FCHS4Z/
Hi, I think calling 'authconfig --update' is ok and the issue is that the changes from rhbz#1195817 break your login. There is a know issue when using SSSD with the proxy id provider with the new PAM configuration introduced in Fedora 22 which we currently try to fix. Are you using SSSD with the proxy provider and proxy_lib_name=files? bye, Sumit
No, I am not using proxy_lib_name. The thing is that I am using local user of the same name as my ldap user. So I used to use Kerberos password for authentication, but alternatively, I could use also my local password. The change from bug 1195817 was not applied and my configuration was not updated as long as "authconfig --update" was not called. And it was called recently by %post scriptlet of of fprintd due to update from 0.7.0-1.fc26 to 0.7.0-2.fc26. I had to change to USENIS=yes to re-enable the previous configuration.
Ok, thank you for the details. The setup is similar to the one I described with the proxy provider, the user is manged in /etc/passwd but if pam_unix fails to validate the password it is not forwarded to pam_sss. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1329598#c13 for the plan we have to resolve this: "allow pam_sss to pick passwords from the PAM stack in a more flexible manner (https://fedorahosted.org/sssd/ticket/2984) and then replace 'default=die' in the PAM configuration with 'default=ignore'. Then a password entered via pam_unix will then be forwarded to pam_sss if pam_unix cannot handle it. In this case pam_sss will try password authentication for the user." Do you agree to move the ticket to the authconfig component as rhbz#1329598 so that they ca be handled in parallel? Since the tickets are for different products it should not be closed as duplicate.
(In reply to Sumit Bose from comment #4) > Do you agree to move the ticket to the authconfig component as rhbz#1329598 > so that they ca be handled in parallel? Since the tickets are for different > products it should not be closed as duplicate. This would be ok for the sssd/authconfig part ... But the update from fprintd-0.7.0-1.fc26 => fprintd-0.7.0-2.fc26 disables the fingerprint reader anyway, so there is still something to do for fprintd. The installation should probably enable the fingerprint support in similar manner it disables it or something along the lines ...
I think the issue is fixed in fprintd-0.7.0-2.fc26 by only calling authconfig during a real uninstall: +if [ $1 -eq 0 ]; then + /sbin/authconfig --disablefingerprint --update || : +fi in 0.6.0-5 the unconditional #%postun pam +/sbin/authconfig --disablefingerprint --update was added and as you can see in https://fedoraproject.org/wiki/Packaging:Scriptlets?rd=Packaging:ScriptletSnippets#Scriptlet_Ordering %postun of the old package is called even during upgrades. Since %posttrans is the only scriptlet of the new package which is called after %postun of the old package this is the only place where it might possible to undo the unconditional disabling of fprintd done by 0.6.0-5 and 0.7.0-1. But for this the old state if fprintd was enabled before the update or not must be stored somewhere maybe by %post from the new package. Maybe just a message log message during the upgrade to check if fprintd authentication is in the right state might be easier?
*** This bug has been marked as a duplicate of bug 1398371 ***
(In reply to Bastien Nocera from comment #7) > > *** This bug has been marked as a duplicate of bug 1398371 *** Excuse me, but have you even read the discussion closing the bug without any justification? 1) Anabody who updates fprintd-0.7.0-1.fc26 => fprintd-0.7.0-2.fc26 will have disabled the fingerprint reader. What is your suggestion on this? 2) Call to "authconfig --update" might break some systems, possibly prevent users from login into system at all. Everything just to avoid one warning in logs? Are you okay with this?
(In reply to Vít Ondruch from comment #8) > (In reply to Bastien Nocera from comment #7) > > > > *** This bug has been marked as a duplicate of bug 1398371 *** > > Excuse me, but have you even read the discussion closing the bug without any > justification? It's closed as a duplicate. The justification being that it's the same bug as mentioned in the other bug. Which you didn't read because the errata logs mention the very issue in this bug. I also don't like getting yelled at. > 1) Anabody who updates fprintd-0.7.0-1.fc26 => fprintd-0.7.0-2.fc26 will > have disabled the fingerprint reader. What is your suggestion on this? That you read the errata messages. > 2) Call to "authconfig --update" might break some systems, possibly prevent > users from login into system at all. Everything just to avoid one warning in > logs? Are you okay with this? Yes, if that means that people don't file bugs about those warnings. If you want to help fix whatever problem it is you're reporting, because that's really not clear to me, then do work on documenting the expected behaviour of packages requiring PAM modules, instead of flipping out in bugzilla, and splitting the discussion in 2 places (here and fedora-devel).
(In reply to Bastien Nocera from comment #9) > (In reply to Vít Ondruch from comment #8) > > (In reply to Bastien Nocera from comment #7) > > > > > > *** This bug has been marked as a duplicate of bug 1398371 *** > > > > Excuse me, but have you even read the discussion closing the bug without any > > justification? > > It's closed as a duplicate. The justification being that it's the same bug > as mentioned in the other bug. Which you didn't read because the errata logs > mention the very issue in this bug. I also don't like getting yelled at. I read all the bugs related to this issue and I even linked them to this ticket. And my request from the beginning is "Don't call "authconfig --update"" in your package. The first attempt in was wrong and the second update to make the situation better resulted it my system being broken. No other package is calling the "authconfig --update" and although the authconfig maintainer suggested this in [1], I reached him yesterday and his statement was that calling "authconfig --update" is generally not a good idea. This command is not called even after authconfig updates, which might introduce new defaults etc. > > 1) Anabody who updates fprintd-0.7.0-1.fc26 => fprintd-0.7.0-2.fc26 will > > have disabled the fingerprint reader. What is your suggestion on this? > > That you read the errata messages. Actually, I would love to, but there are no errata for Rawhide, which I am user of and which this was reported against. > > 2) Call to "authconfig --update" might break some systems, possibly prevent > > users from login into system at all. Everything just to avoid one warning in > > logs? Are you okay with this? > > Yes, if that means that people don't file bugs about those warnings. > > If you want to help fix whatever problem it is you're reporting, because > that's really not clear to me, then do work on documenting the expected > behaviour of packages requiring PAM modules, instead of flipping out in > bugzilla, and splitting the discussion in 2 places (here and fedora-devel). Come on! My original email to -devel was just heads up to other people. You closed this ticket without any response just to let me later discover you replied on -devel. Where was I supposed to reply then? [1] https://bugzilla.redhat.com/show_bug.cgi?id=1203671#c2
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.