Bug 1755535 - ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
Summary: ipa-advise on a RHEL7 IdM server is not able to generate a configuration scri...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
Depends On:
Blocks: 1788833
Reported: 2019-09-25 16:01 UTC by Sebastien Aime
Modified: 2020-09-20 13:38 UTC (History)

Fixed In Version: ipa-4.6.6-12.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:


Description Sebastien Aime 2019-09-25 16:01:16 UTC
In order to configure a RHEL8 IdM client for smartcard authentication, one has to run ipa-advise on the IdM server to generate a configuration script [1].

If the IdM server runs on RHEL7, then this script is not suitable to configure a RHEL8 IdM client.

--- references ---
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/configuring-idm-for-smart-card-auth_managing-hosts-cli#conf-idm-client-for-smart-card-auth_configuring-idm-for-smart-card-auth

Comment 2 Florence Blanc-Renaud 2019-09-26 13:31:37 UTC
The differences between RHEL 7 and RHEL 8 clients are related to authconfig vs authselect (RHEL7 clients use authconfig while RHEL8 clients use authselect).
For instance on a RHEL 7 client the generated script runs the following command:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall

While on a RHEL8 client the generated script runs the following command:
authselect enable-feature with-smartcard
+ modifies /etc/sssd/sssd.conf to add "pam_cert_auth = True" in the [pam] section.

The generated script could be enhanced to detect whether authselect is available and call the right code.
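Added example (not the script ipa-advise emits, and not from the IdM project): the run-time branch Comment 2 suggests, written as two POSIX sh functions. smartcard_enable_cmd chooses the authselect or authconfig command line from above depending on whether authselect is on PATH (that presence test is the assumption used here to tell an authselect-style client apart), and set_pam_cert_auth makes sure the [pam] section of sssd.conf carries pam_cert_auth = True, creating the section if it is missing and leaving the file unchanged when the key is already set. Both function names and the awk edit are illustrative, not IdM code.

```shell
#!/bin/sh
# Example helpers (not the ipa-advise output): select the smart-card enable
# command for this host and set pam_cert_auth in sssd.conf's [pam] section.

# Print the command line that enables smart-card auth on this client.
# Assumption: authselect being on PATH identifies an authselect-style client;
# otherwise fall back to the authconfig invocation used on RHEL 7.
smartcard_enable_cmd() {
    if command -v authselect >/dev/null 2>&1; then
        echo "authselect enable-feature with-smartcard"
    else
        echo "authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall"
    fi
}

# Set "pam_cert_auth = True" in the [pam] section of the given sssd.conf
# (default /etc/sssd/sssd.conf). Idempotent: an existing key is rewritten,
# not duplicated; a missing [pam] section is appended. The file is rewritten
# in place so its owner and mode are kept.
set_pam_cert_auth() {
    conf="${1:-/etc/sssd/sssd.conf}"
    tmp="$(mktemp)"
    awk '
        BEGIN { in_pam = 0; done = 0 }
        /^\[pam\]/ { print; in_pam = 1; next }
        /^\[/ {
            # leaving [pam] without having seen the key: add it here
            if (in_pam && !done) { print "pam_cert_auth = True"; done = 1 }
            in_pam = 0; print; next
        }
        in_pam && /^[[:space:]]*pam_cert_auth[[:space:]]*=/ {
            # rewrite the first occurrence, drop any later duplicate
            if (!done) { print "pam_cert_auth = True"; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!in_pam) print "[pam]"
                print "pam_cert_auth = True"
            }
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Usage on a client (run as root), e.g.:
#   $(smartcard_enable_cmd) || { echo "Failed to configure Smart Card authentication in SSSD"; exit 1; }
#   set_pam_cert_auth /etc/sssd/sssd.conf
```

The sssd.conf edit is deliberately a pure-text transformation so it can be checked on a scratch copy of the file before it is run against /etc/sssd/sssd.conf; the command selection is kept separate so the branch can be read and tested without actually invoking authselect or authconfig.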

Comment 3 Florence Blanc-Renaud 2019-11-05 15:57:58 UTC
Upstream ticket:

Comment 4 Florence Blanc-Renaud 2019-11-08 11:59:21 UTC
Fixed upstream

Comment 6 Florence Blanc-Renaud 2020-01-28 09:53:50 UTC
RHEL-7.8 is already near the end of a Development Phase and development is being wrapped up. This bug is being moved to RHEL 7.9.
If you believe this particular bug should be reconsidered for 7.8, please let us know.

Comment 8 Florence Blanc-Renaud 2020-03-19 07:37:16 UTC
Hi Rizwan,
yes, your steps from #c7 are correct. Without the fix, the bash script would exit on error with return code = 1 and print "Failed to configure Smart Card authentication in SSSD". With the fix the bash script exits with return code = 0 and does not print the error message.

Comment 9 Mohammad Rizwan 2020-03-19 10:01:09 UTC
old version:
ipa-server-4.6.6-11.el7.x86_64 (rhel7.8)
ipa-client-4.8.4-6.module+el8.2.0+5774+71f22ff9.x86_64 (rhel8.2)

1. Install rhel7.8 server and configure to use smartcard
2. Install rhel8.2 client against rhel7.8 server and configure to use smartcard
3. Run the client script generated at server on client.

Actual result:
[root@master ~]# ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
[root@master ~]# scp config-server-for-smart-card-auth.sh root@client.testrelm.test:/root/

[root@master ~]# ipa-advise config-client-for-smart-card-auth > config-client-for-smart-card-auth.sh
[root@master ~]# scp config-client-for-smart-card-auth.sh root@client.testrelm.test:/root/

[root@master ~]# scp /etc/ipa/ca.crt root@client.testrelm.test:/root/


[root@client ~]# chmod +x  config-client-for-smart-card-auth.sh 
[root@client ~]# ./config-client-for-smart-card-auth.sh ca.crt
Traceback (most recent call last):
  File "/usr/sbin/authconfig", line 656, in <module>
  File "/usr/sbin/authconfig", line 645, in main
  File "/usr/sbin/authconfig", line 562, in runAuthselect
ValueError: list.remove(x): x not in list
Failed to configure Smart Card authentication in SSSD

Comment 13 Mohammad Rizwan 2020-04-06 10:56:28 UTC
Automation passed. Logs are attached.
