On Thu, 31 Dec 2020, Dominik Vogt via FreeIPA-users wrote:
A machine has just been installed with a minimal RHEL8.1 distro.
Note that in /etc/login.defs there is the line
Installing the server from a shell works fine:
$ ipa-server-install <options>
However, installing the server through Ansible (2.9.6) from
another host does *not* work.
Snippet from the Ansible script:
- name: Install ipa-server
/usr/bin/umask 022 && /usr/bin/ipa-server-install <options>
The installer complains about the umask being 0077 and that it
should be 0022. Removing the UMASK line from login.defs fixes the
immediate problem. There is really no Ansible configuration
1) Is there a good way to fix this without opening up system umask?
2) If I comment out the UMASK line from login.defs for the
installation and reactivate it afterwards, will that cause
(I think this is about access rights to the certificates of the
Update to RHEL 8.3. You can 'fix' ssh session behavior by changing how
it is handled post-login by pam_umask in the PAM stack for sshd. But that's
only half the story.
Bug on UMASK difference for sshd-initiated sessions was raised as
. Its fix, in turn,
has caused a more severe bug in FreeIPA environments due to
a misunderstanding of how oddjob's mkhomedir PAM module works:
. I had to make
that bug a blocker for RHEL 8.3.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
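
The following is an added example, not part of the thread above and not FreeIPA or Ansible code. It shows how the umask is scoped per process, which matters for a task line that calls an external `umask` before the installer, and how to run one command under 022 while leaving the `login.defs` default alone. The function names and the sample `login.defs` content in the comments are assumptions made for illustration, and it does not cover the pam_umask behaviour discussed in the reply.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from the thread.

# Print the last uncommented UMASK value in a login.defs-style file.
# Prints nothing when no UMASK line is present.
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { if (v != "") print v }' "$1"
}

# The umask is a per-process attribute. A child process that sets its own
# umask (which is all an external umask executable can do) exits without
# changing the shell that started it.
umask_after_child() (
    umask 077            # restrictive default, as in the thread
    sh -c 'umask 022'    # change happens in the child only
    umask                # still 0077 here
)

# The shell builtin changes the calling shell itself, so anything started
# afterwards inherits the new value. The ( ) body keeps the change local.
umask_after_builtin() (
    umask 077
    umask 022
    umask
)

# Run one command with umask 022 without touching the system-wide default.
run_with_umask_022() (
    umask 022
    "$@"
)

echo "after child process: $(umask_after_child)"
echo "after shell builtin: $(umask_after_builtin)"
echo "inside wrapper:      $(run_with_umask_022 sh -c umask)"
```
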