Description of problem:
No authselect profile is selected on "Minimal Install" causing authselect to fail on first run. In contrast, if "Server" is installed, "sssd" is selected by default.

====================
"Minimal Install"

```
# ls -al /etc/authselect/
total 16
drwxr-xr-x.  3 root root   46 Apr 28 11:24 .
drwxr-xr-x. 78 root root 8192 Apr 28 11:37 ..
drwxr-xr-x.  2 root root    6 Dec  6 21:13 custom
-rw-r--r--.  1 root root 2124 Apr 28 11:24 user-nsswitch.conf
```

```
# authselect select minimal
[error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/password-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/fingerprint-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/smartcard-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/postlogin] exists but it needs to be overwritten!
[error] File [/etc/nsswitch.conf] exists but it needs to be overwritten!
[error] File that needs to be overwritten was found
[error] Refusing to activate profile unless this file is removed or overwrite is requested.
Some unexpected changes to the configuration were detected.
Use --force parameter if you want to overwrite these changes.
```

```
# cat anaconda-ks.cfg
# Generated by Anaconda 34.25.2.9
# Generated by pykickstart v3.32
#version=RHEL9
# Use graphical install
graphical

%addon com_redhat_kdump --enable --reserve-mb='auto'

%end

# Keyboard layouts
keyboard --xlayouts='au'
# System language
lang en_AU.UTF-8

%packages
@^minimal-environment

%end

# Run the Setup Agent on first boot
firstboot --enable

# Generated using Blivet version 3.6.0
ignoredisk --only-use=vda
autopart
# Partition clearing information
clearpart --none --initlabel

# System timezone
timezone Australia/Brisbane --utc

# Root password
rootpw --iscrypted --allow-ssh <...>
```

====================
"Server"

```
# ls -al /etc/authselect/
total 56
drwxr-xr-x.   3 root root 4096 Apr 28 11:51 .
drwxr-xr-x. 105 root root 8192 Apr 28 11:54 ..
-rw-r--r--.   1 root root   42 Apr 28 11:51 authselect.conf
drwxr-xr-x.   2 root root    6 Dec  6 21:13 custom
-rw-r--r--.   1 root root  230 Apr 28 11:51 dconf-db
-rw-r--r--.   1 root root  260 Apr 28 11:51 dconf-locks
-rw-r--r--.   1 root root 1201 Apr 28 11:51 fingerprint-auth
-rw-r--r--.   1 root root 2980 Apr 28 11:51 nsswitch.conf
-rw-r--r--.   1 root root 1887 Apr 28 11:51 password-auth
-rw-r--r--.   1 root root  393 Apr 28 11:51 postlogin
-rw-r--r--.   1 root root  140 Apr 28 11:51 smartcard-auth
-rw-r--r--.   1 root root 1959 Apr 28 11:51 system-auth
-rw-r--r--.   1 root root 2124 Apr 28 11:49 user-nsswitch.conf
```

```
# authselect current
Profile ID: sssd
Enabled features:
- with-fingerprint
- with-silent-lastlog
```

```
# cat /root/anaconda-ks.cfg
# Generated by Anaconda 34.25.2.9
# Generated by pykickstart v3.32
#version=RHEL9
# Use graphical install
graphical

%addon com_redhat_kdump --enable --reserve-mb='auto'

%end

# Keyboard layouts
keyboard --xlayouts='au'
# System language
lang en_AU.UTF-8

%packages
@^server-product-environment

%end

# Run the Setup Agent on first boot
firstboot --enable

# Generated using Blivet version 3.6.0
ignoredisk --only-use=vda
autopart
# Partition clearing information
clearpart --none --initlabel

# System timezone
timezone Australia/Brisbane --utc

# Root password
rootpw --iscrypted --allow-ssh <...>
```

Version-Release number of selected component (if applicable):
RHEL 9.1

How reproducible:
100%

Actual results:
When running "authselect select <profile>" for the first time after RHEL 9 is installed, authselect complains about unexpected changes.

Expected results:
authselect should not complain about unexpected content with "Minimal Install".

Additional info:
Hi Sunny, IIRC if kickstart is provided Anaconda does not call authselect. So I believe that authselect call should be part of this kickstart. Authselect does not execute itself after installation on RHEL8/9 (it happens on F36+ https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory). Anaconda is responsible for calling it.
I moved this to Anaconda for confirmation, but I don't know if the kickstart itself is part of anaconda component or some other.
Hi Pavel,

I looked at the code and it seems we are enabling fingerprint with the automatic installation by default:
https://github.com/rhinstaller/anaconda/blob/6f34f4c2d7afaf0b597af6d77d56068895283d34/pyanaconda/modules/security/installation.py#L441

However, we tested this with interactive installation and the issue is there too but no call of authselect is done by Anaconda (nothing in the logs). So it seems that this issue is specific to the installation of packages. Problematic packaging (scriptlet) or missing dependency on minimal-environment.

This issue seems to not be related to Anaconda, switching component back. Feel free to contact us to debug this issue.
Hi Jiří,

can you please check rhel9 branch? The behavior has changed in Fedora 36 (authselect rpm scriptlet takes care of it, thus you only call enable-feature for fingerprint), but anaconda is responsible for enabling authselect for rhel8 and rhel9.

https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/installation.py#L421
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/installation.py#L382

If I remember it correctly, this only happens if no kickstart is provided. If kickstart is given, it should contain `%authselect select ...` call. Is this correct?
You are correct that I unfortunately put an incorrect branch link here. However, it seems to be the same: it should not be executed. So, in more detail.

Fingerprint is enabled only for interactive installations:
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/startup_utils.py#L582 - here is the check
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/security.py#L187 - stored into the variable of the module
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/security.py#L309 - propagated to the installation task
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/installation.py#L406 - and here it will skip the authselect call

So the fingerprint shouldn't be used in this call in any case.

For the user configuration:
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/security.py#L79 - here we look for the kickstart data configuration (these are empty because the authselect command is not part of the kickstart)
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/security.py#L313 - here the processed KS data are passed to the installation task
https://github.com/rhinstaller/anaconda/blob/rhel-9/pyanaconda/modules/security/installation.py#L440 - here we have a check to not run the authselect command in case it's empty

As you can check, it should not be executed on RHEL-9. Also, if it were executed we should have it in the logs.

Another reason why it's probably not in Anaconda is that it's happening based on the package selection - Anaconda does not change logic based on the package selection.

Hope this debugging helped you.
Well, this is unsatisfying. I always lived under the impression that the behavior is:

```
if fingerprint:
    authselect select sssd with-fingerprint with-silent-lastlog --force
else if no fingerprint and no kickstart
    authselect select sssd with-silent-lastlog --force
if kickstart
    authselect $kickstartcommand
```

From authselect perspective, there is nothing we can do, because anaconda installs it. This is a bug in Anaconda and ideally the logic should be fixed in RHEL-8 and RHEL-9, but I'm not sure we should do it as it would change customers' new installations.

Before we decide, how does the sssd profile get selected for the server variant? Only anaconda or kickstart can do it.
Ping
Hi,

the fingerprint configuration actually depends on the installed packages, because we are looking for the pam_fprintd.so library to confirm that this configuration is supported [0].

From syslog of the minimal installation:

```
15:44:24,223 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:anaconda.threading:Thread Done: AnaTaskThread-ConfigureSELinuxTask-1 (139939652093504)
15:44:25,231 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:anaconda.threading:Running Thread: AnaTaskThread-ConfigureFingerprintAuthTask-1 (139939652093504)
15:44:25,234 WARNING org.fedoraproject.Anaconda.Modules.Security:DEBUG:anaconda.modules.security.installation:Fingerprint conifguration is not supported on target system.
15:44:25,235 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:anaconda.threading:Thread Done: AnaTaskThread-ConfigureFingerprintAuthTask-1 (139939652093504)
```

From syslog of the server installation:

```
15:53:59,108 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:anaconda.threading:Running Thread: AnaTaskThread-ConfigureFingerprintAuthTask-1 (140283804624448)
15:53:59,111 WARNING org.fedoraproject.Anaconda.Modules.Security:DEBUG:anaconda.modules.security.installation:Enabling fingerprint authentication.
15:53:59,111 WARNING org.fedoraproject.Anaconda.Modules.Security:DEBUG:anaconda.modules.security.installation:Configuring authentication: /usr/bin/authselect ['select', 'sssd', 'with-fingerprint', 'with-silent-lastlog', '--force']
15:53:59,112 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:Running in chroot '/mnt/sysroot'... /usr/bin/authselect select sssd with-fingerprint with-silent-lastlog --force
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:Backup stored at /var/lib/authselect/backups/2023-07-31-15-53-59.ScNsRd
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:Profile "sssd" was selected.
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:The following nsswitch maps are overwritten by the profile:
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- passwd
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- group
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- netgroup
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- automount
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- services
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:- with-fingerprint is selected, make sure fprintd service is configured and enabled
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:program:
15:53:59,264 WARNING org.fedoraproject.Anaconda.Modules.Security:DEBUG:program:Return code: 0
15:53:59,265 WARNING org.fedoraproject.Anaconda.Modules.Security:INFO:anaconda.threading:Thread Done: AnaTaskThread-ConfigureFingerprintAuthTask-1 (140283804624448)
```

As you can see from the first log, we are not able to find the pam_fprintd.so library on the minimal installation, so we don't run authselect at all. There is no fallback [1] and I don't remember ever having such a fallback.

It looks like the pam_fprintd.so library is provided by the fprintd-pam package, which is part of the Standard group [2], but that is not a mandatory group of the Minimal Install environment [3]. Therefore this package is not installed by default on minimal installations.

[0] https://github.com/rhinstaller/anaconda/blob/f8748fbc16110ce786ce4da8452684358ce67deb/pyanaconda/modules/security/installation.py#L401-L403
[1] https://github.com/rhinstaller/anaconda/blob/f8748fbc16110ce786ce4da8452684358ce67deb/pyanaconda/modules/security/installation.py#L410
[2] https://download.eng.brq.redhat.com/rhel-9/nightly/RHEL-9/latest-RHEL-9/compose/AppStream/x86_64/os/repodata/51e7d7dcd7b00e04e65241cade4f8dc43ed8c80874b2becc1e8110350a5a7501-comps-AppStream.x86_64.xml
[3] https://download.eng.brq.redhat.com/rhel-9/nightly/RHEL-9/latest-RHEL-9/compose/BaseOS/x86_64/os/repodata/93b5f987d53813e6054458afa107388c54b50546d22add098de24289df278266-comps-BaseOS.x86_64.xml
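
A check for the state this report describes, added here as an example (it is not code from authselect, Anaconda or any participant in this thread): it reports whether a root tree has an active authselect profile and, if not, which of the files from the error output already exist. The function names and sample trees are constructed, and the `authselect.conf` layout (profile ID on the first line, one feature per following line) is an assumption.

```shell
#!/bin/sh
# Files named in the `authselect select minimal` error output in the report.
MANAGED_FILES="etc/pam.d/system-auth etc/pam.d/password-auth
    etc/pam.d/fingerprint-auth etc/pam.d/smartcard-auth etc/pam.d/postlogin
    etc/nsswitch.conf"

# authselect_state ROOT -> "unmanaged", or "managed:<profile>[:<feature>...]".
# Assumption: authselect.conf holds the profile ID on line 1 and one enabled
# feature per following line.
authselect_state() {
    conf="$1/etc/authselect/authselect.conf"
    if [ -s "$conf" ]; then
        printf 'managed:%s\n' "$(grep -v '^[[:space:]]*$' "$conf" | paste -sd: -)"
    else
        echo unmanaged
    fi
}

# authselect_conflicts ROOT -> one path per line: files that already exist
# while no profile is active, i.e. what a first `authselect select` reports
# as needing to be overwritten.
authselect_conflicts() {
    [ "$(authselect_state "$1")" = unmanaged ] || return 0
    for f in $MANAGED_FILES; do
        if [ -e "$1/$f" ]; then echo "/$f"; fi
    done
}

# Constructed sample trees mirroring the two /etc/authselect listings.
make_sample_root() {    # make_sample_root minimal|server -> prints temp dir
    root=$(mktemp -d)
    mkdir -p "$root/etc/authselect/custom" "$root/etc/pam.d"
    for f in $MANAGED_FILES; do : > "$root/$f"; done
    if [ "$1" = server ]; then
        printf 'sssd\nwith-fingerprint\nwith-silent-lastlog\n' \
            > "$root/etc/authselect/authselect.conf"
    fi
    echo "$root"
}

for kind in minimal server; do
    r=$(make_sample_root "$kind")
    echo "$kind: $(authselect_state "$r")"
    authselect_conflicts "$r" | sed 's/^/  reported as needing overwrite: /'
    rm -rf "$r"
done
```

On a live host, pass an empty string as ROOT to inspect `/etc` directly.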
Thank you for the clarification. I always lived under the impression that authselect is always called, Anaconda just enables the fingerprint support if needed. Was this always like this in Fedora as well?

Anyway, Fedora is resolved now since using authselect is mandatory and it no longer depends on Anaconda. In RHEL, leapp actors automatically convert the system to authselect during upgrade from rhel7 and it is enabled on Server (and Workstation?) automatically so only the minimal version is affected.

I propose to switch it to the relevant component and let them decide if authselect should be included in kickstart or not. What component is responsible for creating the minimal installation?
Hi Josh/Adam,

Can you point us in the right direction? We have been looking for this information for a while.

Kindly
(In reply to Andre Boscatto from comment #10)
> Hi Josh/Adam,
>
> Can you point us in the right direction? We have been looking for this information
> for a while.
>
> Kindly

There is no bugzilla component for individual installation types. The "distribution" component is the closest you'll get.

That said, it's called the minimal install for a reason. We are unlikely to change it without some very critical rationale.
(I believe Josh has provided the info needed.)