Hide Forgot
Description of problem: # authselect current Profile ID: sssd Enabled features: None # authselect enable-feature blah # authselect current Profile ID: sssd Enabled features: - blah Version-Release number of selected component (if applicable): authselect-1.0.1-2.fc29.x86_64 I get into trouble because to enable smartcard you enable "with-smartcard" instead of "with-smartcard".
Thank you. Upstream ticket: https://github.com/pbrezina/authselect/issues/107
Can you please try this scratch build? https://koji.fedoraproject.org/koji/taskinfo?taskID=31016568 Calling `authselect select $profile unknown-feature` will result an error and it will suggest the most relevant feature in case it is only a typo. $ authselect select sssd with-smartcards [error] Unknown profile feature [with-smartcards], did you mean [with-smartcard]? [error] Unable to activate profile [sssd] [22]: Invalid argument Unable to activate profile [22]: Invalid argument If feature is removed from profile, calling `authselect apply-changes` will disable this feature and it will report it as a warning. This of course should not be common use case as profile should not drop a feature without a strong reason. After manually removing with-sudo feature fortesting purpose: $ sudo authselect apply-changes --warn [warn] Profile feature [with-sudo] is no longer supported, removing it... Changes were successfully applied.
Thanks, that looks a lot better. To be a little nit-picky - the errors seem a bit too verbose: [error] Unknown profile feature [sudo], did you mean [with-sudo]? [error] Unable to activate profile [sssd] [22]: Invalid argument Unable to enable feature [22]: Invalid argument Could it just be a single line like: [error] Unknown profile feature [sudo] for profile [sssd], did you mead [with-sudo]? But either way, this will help a lot.
authselect-1.0.2-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-eef7934b44
authselect-1.0.2-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32941d1d45
Thank you for testing. I kept the error reporting as is for now. I might improve it in the future across the whole code base.
authselect-1.0.2-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-32941d1d45
authselect-1.0.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-eef7934b44
authselect-1.0.2-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
This seems to be breaking IPA uninstallation, which fails PKI CI. Could you take a look? Thanks. Forcing removal of master.pki.test ------------------------------------ Deleted IPA server "master.pki.test" ------------------------------------ Shutting down all IPA services Unconfiguring KRA Unconfiguring CA Unconfiguring named Unconfiguring ipa-dnskeysyncd Unconfiguring web server Unconfiguring krb5kdc Unconfiguring kadmin Unconfiguring directory server Unconfiguring ipa-custodia Unconfiguring ipa-otpd Removing Kerberos service principals from /etc/krb5.keytab Disabling client Kerberos and LDAP configurations WARNING: Unable to revert to the pre-installation state ('authconfig' tool has been deprecated in favor of 'authselect'). The default sssd profile will be used instead. The authconfig arguments would have been: authconfig --disableldap --disablekrb5 --disablesssdauth --disablemkhomedir Failed to remove krb5/LDAP configuration: CalledProcessError(Command ['/usr/bin/authselect', 'select', 'sssd', '', '--force'] returned non-zero exit status 1: '[error] Unknown profile feature []\n[error] Unable to activate profile [sssd] [22]: Invalid argument\nUnable to activate profile [22]: Invalid argument\n') The ipa-client-install command failed. See /var/log/ipaclient-uninstall.log for more information The ipa-server-install command failed. See /var/log/ipaserver-uninstall.log for more information Removing IPA client configuration Uninstall of client side components failed!
authselect-1.0.2-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Endi: I caught that too (unfortunately after the update went stable, as the Fedora critpath definition is not being properly updated so authselect is not considered to be critpath, so openQA didn't test the authselect update :<). It's really a bug in FreeIPA, I'd say: I've sent a patch - https://github.com/freeipa/freeipa/pull/2610 . It was passing an entirely empty features arg to authselect, which is kinda a dumb thing to do. You can actually see this in the error message if you look carefully: "Command ['/usr/bin/authselect', 'select', 'sssd', '', '--force'] returned non-zero exit status 1" note the '' in that list. authselect *could* be smart enough to ignore the arg if it's just an empty string, I guess, but fixing FreeIPA to just not send an empty arg like that seems reasonable.
Darn... its always the simple things that are least expected. Next time, I will ping someone from ipa to tests new release. In my opinion, calling command with empty parameter that is not supposed to be empty is a bug. But yes, authselect does not have any need to fail in such situation. I opened upstream ticket: https://github.com/pbrezina/authselect/issues/122
Ideally, openQA tests would have run on the update while it was in updates-testing and caught the problem before it went stable. Unfortunately, because Bodhi doesn't think authselect is in the critpath and openQA is set to only run tests on critpath updates (we don't have enough resources to test all updates), that didn't happen :( I've added authselect to the openQA scheduler's special packages-to-test whitelist now, so going forward, authselect updates will be tested. Look out for failures on the 'Automated Tests' tab of future updates; if you see any, and have any trouble understanding whether it's a real bug and what the problem is, just ping me. Thanks!
dogtag-pki-10.6.8-1.fc29 freeipa-4.7.2-1.fc29 jss-4.5.1-1.fc29 nuxwdog-1.0.5-3.fc29 pki-core-10.6.8-3.fc29 tomcatjss-7.3.6-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3241dd6a7f
dogtag-pki-10.6.8-1.fc28 freeipa-4.7.2-1.fc28 jss-4.5.1-1.fc28 nuxwdog-1.0.5-3.fc28 pki-core-10.6.8-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-115068f60e
dogtag-pki-10.6.8-3.fc28, freeipa-4.7.2-1.fc28, jss-4.5.1-1.fc28, nuxwdog-1.0.5-3.fc28, pki-core-10.6.8-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-115068f60e
dogtag-pki-10.6.8-3.fc29, freeipa-4.7.2-1.fc29, jss-4.5.1-1.fc29, nuxwdog-1.0.5-3.fc29, pki-core-10.6.8-3.fc29, tomcatjss-7.3.6-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3241dd6a7f
dogtag-pki-10.6.8-3.fc29, freeipa-4.7.2-1.fc29, jss-4.5.1-1.fc29, nuxwdog-1.0.5-3.fc29, pki-core-10.6.8-3.fc29, tomcatjss-7.3.6-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
dogtag-pki-10.6.8-3.fc28, freeipa-4.7.2-1.fc28, jss-4.5.1-1.fc28, nuxwdog-1.0.5-3.fc28, pki-core-10.6.8-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.