I've recently tried to run an upgrade of my IPA server (4.10.2) because of some CVE fix for 4.10.3. At the end of upgrade the IPA server tries to run: CalledProcessError(Command ['/usr/bin/authselect', 'select', 'sssd', 'with-sudo', '--force'], why does it do this?
The upgrade in my case fails because I've made the following files immutable: /etc/authselect/{password-auth,system-auth}.
On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> I've recently tried to run an upgrade of my IPA server (4.10.2) because of some CVE fix for 4.10.3. At the end of upgrade the IPA server tries to run: CalledProcessError(Command ['/usr/bin/authselect', 'select', 'sssd', 'with-sudo', '--force'], why does it do this?
It should tell you which upgrade step that is, prior to running the command.
I think this is about the migration to authselect. The upgrade code considers whether a migration from authconfig is needed and, if we didn't record that the migration already happened, we perform it. The default configuration is 'authselect select sssd with-sudo --force'.
You can avoid re-running this upgrade part by adding a section
[authcfg]
migrated_to_authselect = True
to /var/lib/ipa/sysupgrade/sysupgrade.state
and rerunning the upgrade.
> The upgrade in my case fails because I've made the following files immutable: /etc/authselect/{password-auth,system-auth}.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> It should tell you which upgrade step that is, prior to running the command.
> I think this is about the migration to authselect. The upgrade code considers whether a migration from authconfig is needed and, if we didn't record that the migration already happened, we perform it. The default configuration is 'authselect select sssd with-sudo --force'.
> You can avoid re-running this upgrade part by adding a section
> [authcfg]
> migrated_to_authselect = True
> to /var/lib/ipa/sysupgrade/sysupgrade.state
> and rerunning the upgrade.
I don't fully understand why it doesn't check which OS version it is running and, based on that, update the migrated_to_authselect value. Currently on 9.3, and we run authselect as mentioned with a custom profile.
I also seemed to have misunderstood the Upgrade steps from https://www.freeipa.org/page/Upgrade, as I thought # ipa-server-upgrade would upgrade my IPA version to the latest.
Anyways, cheers Alexander.
Finn Fysj via FreeIPA-users wrote:
>> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
>> It should tell you which upgrade step that is, prior to running the command.
>> I think this is about the migration to authselect. The upgrade code considers whether a migration from authconfig is needed and, if we didn't record that the migration already happened, we perform it. The default configuration is 'authselect select sssd with-sudo --force'.
>> You can avoid re-running this upgrade part by adding a section
>> [authcfg]
>> migrated_to_authselect = True
>> to /var/lib/ipa/sysupgrade/sysupgrade.state
>> and rerunning the upgrade.
> I don't fully understand why it doesn't check which OS version it is running and, based on that, update the migrated_to_authselect value. Currently on 9.3, and we run authselect as mentioned with a custom profile.
If you have a custom profile then what would checking for 9.3 help? And note, we don't recommend or support custom profiles. IPA is very opinionated about the configuration it expects.
> I also seemed to have misunderstood the Upgrade steps from https://www.freeipa.org/page/Upgrade, as I thought # ipa-server-upgrade would upgrade my IPA version to the latest.
I can see how you were confused but it's covered in "FreeIPA 3.3.0 or newer" where you run yum update [free]ipa-server. We recommend updating all packages and not just IPA. ipa-server-upgrade runs as part of the package install process.
rob
Finn Fysj via FreeIPA-users wrote:
> If you have a custom profile then what would checking for 9.3 help? And note, we don't recommend or support custom profiles. IPA is very opinionated about the configuration it expects.
> I can see how you were confused but it's covered in "FreeIPA 3.3.0 or newer" where you run yum update [free]ipa-server. We recommend updating all packages and not just IPA. ipa-server-upgrade runs as part of the package install process.
> rob
1. Checking for 9.3 would know that the system is using authselect.
2. IPA could only check if the custom profile fulfills the requirements, which are sssd and the sudo feature enabled.
I understand that IPA is very opinionated about config specs, but some need to follow security benchmarks.
On Thu, 11 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> Finn Fysj via FreeIPA-users wrote:
>> If you have a custom profile then what would checking for 9.3 help? And note, we don't recommend or support custom profiles. IPA is very opinionated about the configuration it expects.
>> I can see how you were confused but it's covered in "FreeIPA 3.3.0 or newer" where you run yum update [free]ipa-server. We recommend updating all packages and not just IPA. ipa-server-upgrade runs as part of the package install process.
>> rob
> - Checking for 9.3 would know that the system is using authselect.
> - IPA could only check if the custom profile fulfills the requirements, which are sssd and the sudo feature enabled.
> I understand that IPA is very opinionated about config specs, but some need to follow security benchmarks.
You can always help upstream by submitting a PR that implements what you propose.
Since authselect supports introspection, of some kind, that could theoretically be used to look at whether the base of the profile is compatible with what we expect.
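The two things Alexander describes in this thread, recording migrated_to_authselect = True in the [authcfg] section of sysupgrade.state (his first reply) and using authselect's own introspection to see whether the selected configuration is what IPA expects (above), plus the lsattr check for the immutable files that broke the upgrade in the first message, written up as a shell pre-flight. This is an added example, not FreeIPA or authselect project code. It assumes the output layout of "authselect current" and the INI layout of the state file described in the comments; the function names are the example's own, and a custom/ profile is only accepted with a warning because its base cannot be verified from the profile ID alone.

```shell
#!/bin/sh
# Added example, not FreeIPA or authselect project code.
# Assumptions (not stated in the thread): "authselect current" prints
# "Profile ID: <id>", then "Enabled features:" followed by "- <feature>"
# lines (or "Enabled features: None"), and exits non-zero with a message
# when no profile is selected; sysupgrade.state is a plain INI file in
# which the upgrader looks for [authcfg] / migrated_to_authselect.

# Read "authselect current" output on stdin; print "<profile> <feature>..."
# on one line. Exit 1 if no profile ID is found.
parse_authselect_current() {
    awk '
        /^Profile ID:/       { profile = $3 }
        /^Enabled features:/ { infeat = 1; next }
        infeat && /^- /      { feats = feats " " $2 }
        END {
            if (profile == "") exit 1
            printf "%s%s\n", profile, feats
        }'
}

# Succeed (exit 0) only if the selected configuration is what the IPA
# upgrader would set itself: the sssd profile with the with-sudo feature.
# A custom/ profile cannot be introspected for its base here, so it is
# accepted with a warning only after an operator has verified it.
authselect_matches_ipa() {
    cur=$(parse_authselect_current) || return 1
    set -- $cur
    profile=$1
    shift
    case $profile in
        sssd) ;;
        custom/*) echo "warning: custom profile '$profile': verify it was created from sssd" >&2 ;;
        *) return 1 ;;
    esac
    for feat in "$@"; do
        [ "$feat" = with-sudo ] && return 0
    done
    return 1
}

# Read "lsattr" output on stdin (attribute string, then path) and print
# the paths carrying the immutable ('i') attribute; these are exactly the
# files that make "authselect select ... --force" fail during the upgrade.
immutable_from_lsattr() {
    awk '$1 ~ /i/ { print $2 }'
}

# Idempotently record migrated_to_authselect = True in the [authcfg]
# section of the state file, creating the section if missing and
# replacing any existing value. The file is rewritten in place so that
# ownership and mode are preserved.
mark_authselect_migrated() {
    f=$1
    [ -e "$f" ] || : > "$f" || return 1
    tmp=$(mktemp) || return 1
    awk '
        /^\[authcfg\]/ { insec = 1; print; next }
        /^\[/ {
            if (insec && !done) { print "migrated_to_authselect = True"; done = 1 }
            insec = 0
        }
        insec && /^[ \t]*migrated_to_authselect[ \t]*=/ {
            if (!done) { print "migrated_to_authselect = True"; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!insec) print "[authcfg]"
                print "migrated_to_authselect = True"
            }
        }' "$f" > "$tmp" && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Suggested pre-flight on the server (commented out: needs root and the
# real tools):
#   lsattr /etc/authselect/password-auth /etc/authselect/system-auth | immutable_from_lsattr
#   authselect current | authselect_matches_ipa \
#       && mark_authselect_migrated /var/lib/ipa/sysupgrade/sysupgrade.state
```

Run the pre-flight before yum update: anything printed by the lsattr step must be unlocked with chattr -i first, or the authselect step of the upgrade will fail exactly as in the first message; the state flag is only worth setting when the current selection really is sssd with with-sudo, otherwise you are just hiding the step that would have corrected it.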
> I can see how you were confused but it's covered in "FreeIPA 3.3.0 or newer" where you run yum update [free]ipa-server. We recommend updating all packages and not just IPA. ipa-server-upgrade runs as part of the package install process.
Since it's recommended to run "yum update [free]ipa-server", why does the "FreeIPA 4.2.0 or newer" section even exist as an option?
(I'm sorry to be such a 'pita'.)
On Thu, 11 Jan 2024, Finn Fysj via FreeIPA-users wrote:
>> I can see how you were confused but it's covered in "FreeIPA 3.3.0 or newer" where you run yum update [free]ipa-server. We recommend updating all packages and not just IPA. ipa-server-upgrade runs as part of the package install process.
> Since it's recommended to run "yum update [free]ipa-server", why does the "FreeIPA 4.2.0 or newer" section even exist as an option?
> (I'm sorry to be such a 'pita'.)
The pages at freeipa.org were written in early project days, more or less. Design pages weren't updated since implementation was done or documentation was added to RHEL IdM documentation.
For the past few years design pages get added to the IPA source code directly and can be seen at https://freeipa.readthedocs.io. This does not apply to old pages in the Mediawiki we used to use for the freeipa.org website.
You can submit an update through https://github.com/freeipa/freeipa.github.io as we migrated to github site from mediawiki some time last year.
Primary documentation for the project is maintained as RHEL IdM documentation, split between multiple RHEL releases:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9
You need to choose 'Identity management' category in the 'Category' checkboxes. This way the books will be filtered to show only RHEL IdM documentation.
The documentation there is a living creature, some parts of 'old' RHEL 7 documentation aren't ported to RHEL 8 and RHEL 9 because a concept to how documentation would be presented is different. Most of RHEL 7 docs related to IPA management still apply, of course.
For example, update documentation for RHEL 9 version is https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
We have this mentioned partially on https://www.freeipa.org/page/Documentation.html
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> It should tell you which upgrade step that is, prior to running the command.
> I think this is about the migration to authselect. The upgrade code considers whether a migration from authconfig is needed and, if we didn't record that the migration already happened, we perform it. The default configuration is 'authselect select sssd with-sudo --force'.
> You can avoid re-running this upgrade part by adding a section
> [authcfg]
> migrated_to_authselect = True
> to /var/lib/ipa/sysupgrade/sysupgrade.state
> and rerunning the upgrade.
Is it possible to prevent authselect configuration while installing FreeIPA server?
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> It should tell you which upgrade step that is, prior to running the command.
> I think this is about the migration to authselect. The upgrade code considers whether a migration from authconfig is needed and, if we didn't record that the migration already happened, we perform it. The default configuration is 'authselect select sssd with-sudo --force'.
> You can avoid re-running this upgrade part by adding a section
> [authcfg]
> migrated_to_authselect = True
> to /var/lib/ipa/sysupgrade/sysupgrade.state
> and rerunning the upgrade.
Is it possible to have `migrated_to_authselect = True` for backup restore also? I have come to realize that FreeIPA will modify the authselect configuration during:
1. Install
2. Upgrade
3. Restore
Finn Fysj via FreeIPA-users wrote:
>> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
>> It should tell you which upgrade step that is, prior to running the command.
>> I think this is about the migration to authselect. The upgrade code considers whether a migration from authconfig is needed and, if we didn't record that the migration already happened, we perform it. The default configuration is 'authselect select sssd with-sudo --force'.
>> You can avoid re-running this upgrade part by adding a section
>> [authcfg]
>> migrated_to_authselect = True
>> to /var/lib/ipa/sysupgrade/sysupgrade.state
>> and rerunning the upgrade.
> Is it possible to have `migrated_to_authselect = True` for backup restore also? I have come to realize that FreeIPA will modify the authselect configuration during:
> - Install
> - Upgrade
> - Restore
Need more details. What is being overwritten and why do you think it's related to this update state?
rob