Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2069899 - anaconda enablement of fingerprint auth overrides existing authselect configuration
Summary: anaconda enablement of fingerprint auth overrides existing authselect configu...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Vendula Poncova
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F36FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2022-03-30 01:47 UTC by Adam Williamson
Modified: 2022-05-03 14:44 UTC (History)
8 users (show)

Fixed In Version: anaconda-36.16.4-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-05 14:21:59 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Adam Williamson 2022-03-30 01:47:48 UTC
If anaconda decides to enable fingerprint authentication during installation, it uses `authselect select`, not `authselect enable`. This overwrites the entire config, overriding existing choices.

A specific problem here is that if `nss-mdns` is in the installed package set, during the package install transaction, its %posttrans runs `authselect enable-feature with-mdns4` to enable mdns lookups. But if anaconda then decides to enable fingerprint authentication, it runs `authselect select sssd with-fingerprint with-silent-lastlog --force`, which turns mdns lookups off again. See discussion in https://bugzilla.redhat.com/show_bug.cgi?id=2056927 .

It looks to me like this is kind of a hangover from a time when we expected anaconda to always run authconfig/authselect and set a default config, but it no longer does that; AFAICT, the 'expected' setting of the default config happens in the %posttrans of authselect-libs:

# If we are upgrading from pre authselect-1.3.0 or this is a new installation
# select the default configuration.
if [ -f /var/lib/rpm-state/authselect.force ]; then
    /usr/bin/authselect select sssd with-silent-lastlog --force $NOBACKUP &> /dev/null
    /usr/bin/rm -f /var/lib/rpm-state/authselect.force
fi

(there's earlier logic which creates `/var/lib/rpm-state/authselect.force` if this is a frehs install). anaconda these days is overall designed to not necessarily run authselect at all (only if the kickstart specifies it)...but if it decides to enable fingerprint authentication, it does this.

So I think it may be OK to change anaconda to do `authselect enable-feature with-fingerprint` instead, which should I think preserve any existing config set by authselect and nss-mdns during the package install transaction...

Comment 1 Adam Williamson 2022-03-30 01:49:01 UTC
Proposing as a Final blocker for the same reason as 2056927: if this isn't fixed, fresh Rawhide installs won't be able to use mdns features, including printer discovery. "Printing must work in release-blocking desktops on at least one printer using each of the following drivers: ... The generic IPP driver".

Comment 2 Vendula Poncova 2022-03-30 13:14:55 UTC
Fixed at: https://github.com/rhinstaller/anaconda/pull/3991

Comment 3 Adam Williamson 2022-03-30 22:08:07 UTC
+3 in https://pagure.io/fedora-qa/blocker-review/issue/697 , marking accepted.

Comment 4 Fedora Update System 2022-03-31 18:34:00 UTC
FEDORA-2022-8538fa94da has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8538fa94da

Comment 5 Fedora Update System 2022-04-01 23:23:09 UTC
FEDORA-2022-8538fa94da has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-8538fa94da`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-8538fa94da

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2022-04-05 00:16:29 UTC
FEDORA-2022-8538fa94da has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 7 Kamil Páral 2022-04-05 07:04:55 UTC
This needs verification with a new compose.

Comment 8 Kamil Páral 2022-04-05 13:18:46 UTC
Tested with Fedora-Everything-netinst-x86_64-36-20220405.n.0.iso and the issue is fixed. But I'll wait until Workstation Live is available, so that I can test it too, just to make sure.

Comment 9 Kamil Páral 2022-04-05 14:21:59 UTC
Verified fixed even with Fedora-Workstation-Live-x86_64-36-20220405.n.0.iso


Note You need to log in before you can comment on or make changes to this bug.