Bug 1755535 - ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
Blocks: 1788833
Reported: 2019-09-25 16:01 UTC by Sebastien Aime
Modified: 2024-06-13 22:15 UTC (History)

Fixed In Version: ipa-4.6.6-12.el7
Last Closed: 2020-09-29 19:58:29 UTC

Links:
Red Hat Product Errata RHSA-2020:3936 (last updated 2020-09-29 19:59:03 UTC)

Description Sebastien Aime 2019-09-25 16:01:16 UTC
In order to configure a RHEL8 IdM client for smartcard authentication, one has to run ipa-advise on the IdM server to generate a configuration script [1].

If the IdM server runs on RHEL7, then this script is not suitable to configure a RHEL8 IdM client.

--- references ---
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/configuring-idm-for-smart-card-auth_managing-hosts-cli#conf-idm-client-for-smart-card-auth_configuring-idm-for-smart-card-auth

Comment 2 Florence Blanc-Renaud 2019-09-26 13:31:37 UTC
The differences between RHEL 7 and RHEL 8 clients are related to authconfig vs authselect (RHEL7 clients use authconfig while RHEL8 clients use authselect).
For instance on a RHEL 7 client the generated script runs the following command:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall

While on a RHEL8 client the generated script runs the following command:
authselect enable-feature with-smartcard
+ modifies /etc/sssd/sssd.conf to add "pam_cert_auth = True" in the [pam] section.

The generated script could be enhanced to detect whether authselect is available and call the right code.
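
The detection suggested in comment 2, sketched as an added example; it is not the script ipa-advise generates and not the upstream fix. The function names, the optional search-path argument and the awk-based edit of sssd.conf are assumptions of this example; the two commands and the `pam_cert_auth = True` setting are the ones quoted in the comment.

```shell
#!/bin/bash
# Added example: not the script that ipa-advise generates.

# Print the command that enables smart card auth on this client.
# authselect is tested first: on the RHEL 8 client in comment 9,
# /usr/sbin/authconfig is present but the call fails inside runAuthselect.
# $1 (assumption, for testing): directories to search instead of $PATH.
smartcard_auth_cmd() {
    if ( PATH="${1:-$PATH}"; command -v authselect ) >/dev/null 2>&1; then
        echo "authselect enable-feature with-smartcard"
    else
        echo "authconfig --enablesssd --enablesssdauth --enablesmartcard" \
             "--smartcardmodule=sssd --smartcardaction=1 --updateall"
    fi
}

# Set "pam_cert_auth = True" in the [pam] section of the sssd.conf given as $1,
# creating the section if it is missing. Safe to run repeatedly.
enable_pam_cert_auth() {
    local conf="$1" tmp rc
    tmp="$(mktemp)" || return 1
    awk '
        /^\[/ { in_pam = ($0 ~ /^\[pam\][ \t]*$/) }        # track current section
        in_pam && /^[ \t]*pam_cert_auth[ \t]*=/ { next }    # drop any old value
        { print }
        in_pam && /^\[pam\]/ { print "pam_cert_auth = True"; seen = 1 }
        END { if (!seen) print "\n[pam]\npam_cert_auth = True" }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file mode and owner
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Apply the change for real (needs root on an enrolled client).
configure_smartcard_client() {
    local cmd
    cmd="$(smartcard_auth_cmd)"
    $cmd || { echo "Failed to configure Smart Card authentication in SSSD" >&2; return 1; }
    case "$cmd" in
        authselect*) enable_pam_cert_auth /etc/sssd/sssd.conf ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then
    configure_smartcard_client
fi
```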

Comment 3 Florence Blanc-Renaud 2019-11-05 15:57:58 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8113

Comment 4 Florence Blanc-Renaud 2019-11-08 11:59:21 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/87c24ebd34d4524b73d878f1298232547cafc5ba

Comment 6 Florence Blanc-Renaud 2020-01-28 09:53:50 UTC
RHEL-7.8 is already near the end of a Development Phase and development is being wrapped up. This bug is being moved to RHEL 7.9.
If you believe this particular bug should be reconsidered for 7.8, please let us know.

Comment 8 Florence Blanc-Renaud 2020-03-19 07:37:16 UTC
Hi Rizwan,
yes, your steps from #c7 are correct. Without the fix, the bash script would exit on error with return code = 1 and print "Failed to configure Smart Card authentication in SSSD". With the fix the bash script exits with return code = 0 and does not print the error message.

Comment 9 Mohammad Rizwan 2020-03-19 10:01:09 UTC
old version:
ipa-server-4.6.6-11.el7.x86_64 (rhel7.8)
ipa-client-4.8.4-6.module+el8.2.0+5774+71f22ff9.x86_64 (rhel8.2)

Steps:
1. Install rhel7.8 server and configure to use smartcard
2. Install rhel8.2 client against rhel7.8 server and configure to use smartcard
3. Run the client script generated at server on client.

Actual result:
~~~~~~~
Server:
~~~~~~~
[root@master ~]# ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
[root@master ~]# scp config-server-for-smart-card-auth.sh root.test:/root/

[root@master ~]# ipa-advise config-client-for-smart-card-auth > config-client-for-smart-card-auth.sh
[root@master ~]# scp config-client-for-smart-card-auth.sh root.test:/root/

[root@master ~]# scp /etc/ipa/ca.crt root.test:/root/


~~~~~~~
Client:
~~~~~~~

[root@client ~]# chmod +x  config-client-for-smart-card-auth.sh 
[root@client ~]# ./config-client-for-smart-card-auth.sh ca.crt
[...]
Traceback (most recent call last):
  File "/usr/sbin/authconfig", line 656, in <module>
    main()
  File "/usr/sbin/authconfig", line 645, in main
    authcompat.runAuthselect()
  File "/usr/sbin/authconfig", line 562, in runAuthselect
    features.remove("with-smartcard-lock-on-removal")
ValueError: list.remove(x): x not in list
Failed to configure Smart Card authentication in SSSD

Comment 13 Mohammad Rizwan 2020-04-06 10:56:28 UTC
Automation passed. Logs are attached.

Comment 15 errata-xmlrpc 2020-09-29 19:58:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: ipa security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3936

