[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-02-06 Thread Rob Crittenden via FreeIPA-users
Finn Fysj via FreeIPA-users wrote:
>> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
>>
>> It should tell you what upgrade step is that prior to running the
>> command.
>>
>> I think this is about migration to authselect. Upgrade code considers
>> whether migration from authconfig is needed and if we didn't record that
>> migration already happened, we perform it. The default configuration is
>> 'authselect select sssd with-sudo --force'.
>>
>> You can avoid re-running this upgrade part by adding a section
>>
>> [authcfg]
>> migrated_to_authselect = True
>>
>> to /var/lib/ipa/sysupgrade/sysupgrade.state
>>
>> and rerunning the upgrade.
> Is it possible to have `migrated_to_authselect = True` for backup restore also?
> I've come to realize that FreeIPA will modify authselect configuration during:
> 1. Install
> 2. Upgrade
> 3. Restore

Need more details. What is being overwritten and why do you think it's
related to this update state?

rob
--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-02-06 Thread Finn Fysj via FreeIPA-users
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> 
> It should tell you what upgrade step is that prior to running the
> command.
> 
> I think this is about migration to authselect. Upgrade code considers
> whether migration from authconfig is needed and if we didn't record that
> migration already happened, we perform it. The default configuration is
> 'authselect select sssd with-sudo --force'.
> 
> You can avoid re-running this upgrade part by adding a section
> 
> [authcfg]
> migrated_to_authselect = True
> 
> to /var/lib/ipa/sysupgrade/sysupgrade.state
> 
> and rerunning the upgrade.
Is it possible to have `migrated_to_authselect = True` for backup restore also?
I've come to realize that FreeIPA will modify authselect configuration during:
1. Install
2. Upgrade
3. Restore


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-11 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 11 Jan 2024, Finn Fysj via FreeIPA-users wrote:
>> I can see how you were confused but it's covered in "FreeIPA 3.3.0 or
>> newer" where you run yum update [free]ipa-server. We recommend updating
>> all packages and not just IPA. ipa-server-upgrade runs as part of the
>> package install process.
>
> Since it's recommended to run "yum update [free]ipa-server", why does the
> "FreeIPA 4.2.0 or newer" section even exist as an option?
>
> (I'm sorry to be such a 'pita'.)


The pages at freeipa.org were written in early project days, more or
less. Design pages weren't updated since implementation was done or
documentation was added to RHEL IdM documentation.

For the past few years design pages have been added to IPA source code directly
and can be seen at https://freeipa.readthedocs.io. This does not apply
to old pages in Mediawiki we used to use for freeipa.org website.

You can submit an update through
https://github.com/freeipa/freeipa.github.io as we migrated to github
site from mediawiki some time last year.


Primary documentation for the project is maintained as RHEL IdM
documentation, split between multiple RHEL releases:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9

You need to choose 'Identity management' category in the 'Category'
checkboxes. This way the books will be filtered to show only RHEL IdM
documentation.

The documentation there is a living creature; some parts of the 'old' RHEL 7
documentation aren't ported to RHEL 8 and RHEL 9 because the concept of
how documentation would be presented is different. Most of RHEL 7 docs
related to IPA management still apply, of course.

For example, update documentation for RHEL 9 version is
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_identity_management/update-downgrade-ipa_installing-identity-management

We have this mentioned partially on 
https://www.freeipa.org/page/Documentation.html


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-11 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 11 Jan 2024, Finn Fysj via FreeIPA-users wrote:
>> Finn Fysj via FreeIPA-users wrote:
>>
>> If you have a custom profile then what would checking for 9.3 help? And
>> note, we don't recommend or support custom profiles. IPA is very
>> opinionated about the configuration it expects.
>>
>> I can see how you were confused but it's covered in "FreeIPA 3.3.0 or
>> newer" where you run yum update [free]ipa-server. We recommend updating
>> all packages and not just IPA. ipa-server-upgrade runs as part of the
>> package install process.
>>
>> rob
>
> 1. Checking for 9.3 would know that the system is using authselect.
> 2. IPA could only check if the custom profile fulfills the requirements, which
> is sssd and sudo feature enabled.
>
> I understand that IPA is very opinionated about config specs, but some need to
> follow security benchmarks.

You can always help upstream by submitting a PR that implements what you
propose.

Since authselect supports introspection, of some kind, that could
theoretically be used to look at whether base of the profile is
compatible with what we expect.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
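
A sketch of the kind of compatibility check discussed in this message, added here as an example; it is not FreeIPA or authselect code. It assumes the input is the output of `authselect current --raw`, that custom profiles live under `/etc/authselect/custom`, and that "compatible" means only what the thread names (SSSD in the PAM stack and the `with-sudo` feature). The function names and the `hardened` profile are hypothetical.

```python
import os
import tempfile

# Assumption: "compatible" = SSSD in the PAM stack plus with-sudo (per the thread).
REQUIRED_FEATURES = {"with-sudo"}
PAM_TEMPLATES = ("system-auth", "password-auth")

def parse_current_raw(raw):
    """Split `authselect current --raw` output into (profile, features)."""
    tokens = raw.split()
    return (tokens[0] if tokens else ""), set(tokens[1:])

def profile_dir(profile, custom_root="/etc/authselect/custom",
                default_root="/usr/share/authselect/default"):
    """Map a profile ID to its template directory, rejecting odd names."""
    root, name = default_root, profile
    if profile.startswith("custom/"):
        root, name = custom_root, profile[len("custom/"):]
    if not name or "/" in name or name in (".", ".."):
        raise ValueError(f"unexpected profile ID: {profile!r}")
    return os.path.join(root, name)

def references_pam_sss(path):  # commented-out lines do not count
    with open(path) as fh:
        return any("pam_sss.so" in line.split("#", 1)[0] for line in fh)

def check_profile(raw, **roots):
    """Return a list of problems; an empty list means the checks passed."""
    profile, features = parse_current_raw(raw)
    missing = sorted(REQUIRED_FEATURES - features)
    problems = [f"feature {f} is not enabled" for f in missing]
    base = profile_dir(profile, **roots)
    for name in PAM_TEMPLATES:
        path = os.path.join(base, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: template not found in {base}")
        elif not references_pam_sss(path):
            problems.append(f"{name}: pam_sss.so is not referenced")
    return problems

def demo():
    # Constructed custom profile in a scratch directory: one passing, one failing run.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "hardened"))
        for name in PAM_TEMPLATES:
            with open(os.path.join(root, "hardened", name), "w") as fh:
                fh.write("auth sufficient pam_sss.so forward_pass\n")
        ok = check_profile("custom/hardened with-sudo with-faillock", custom_root=root)
        return ok, check_profile("custom/hardened with-faillock", custom_root=root)
```

Running this before an upgrade and alerting on a non-empty result shows whether a benchmark-hardened profile still carries the pieces named in the thread; it does not make the profile supported.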


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-11 Thread Finn Fysj via FreeIPA-users
> I can see how you were confused but it's covered in "FreeIPA 3.3.0 or
> newer" where you run yum update [free]ipa-server. We recommend updating
> all packages and not just IPA. ipa-server-upgrade runs as part of the
> package install process.

Since it's recommended to run "yum update [free]ipa-server", why does the
"FreeIPA 4.2.0 or newer" section even exist as an option?

(I'm sorry to be such a 'pita'.)


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-11 Thread Finn Fysj via FreeIPA-users
> Finn Fysj via FreeIPA-users wrote:
> 
> If you have a custom profile then what would checking for 9.3 help? And
> note, we don't recommend or support custom profiles. IPA is very
> opinionated about the configuration it expects.
> 
> 
> I can see how you were confused but it's covered in "FreeIPA 3.3.0 or
> newer" where you run yum update [free]ipa-server. We recommend updating
> all packages and not just IPA. ipa-server-upgrade runs as part of the
> package install process.
> 
> rob

1. Checking for 9.3 would know that the system is using authselect.
2. IPA could only check if the custom profile fulfills the requirements, which
is sssd and sudo feature enabled.

I understand that IPA is very opinionated about config specs, but some need to 
follow security benchmarks.


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-10 Thread Rob Crittenden via FreeIPA-users
Finn Fysj via FreeIPA-users wrote:
>> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
>>
>> It should tell you what upgrade step is that prior to running the
>> command.
>>
>> I think this is about migration to authselect. Upgrade code considers
>> whether migration from authconfig is needed and if we didn't record that
>> migration already happened, we perform it. The default configuration is
>> 'authselect select sssd with-sudo --force'.
>>
>> You can avoid re-running this upgrade part by adding a section
>>
>> [authcfg]
>> migrated_to_authselect = True
>>
>> to /var/lib/ipa/sysupgrade/sysupgrade.state
>>
>> and rerunning the upgrade.
> I don't fully understand why it doesn't check which OS version it is running 
> and based on that update the migrated_to_authselect  value. 
> Currently on 9.3, and we run authselect as mentioned with custom profile. 

If you have a custom profile then what would checking for 9.3 help? And
note, we don't recommend or support custom profiles. IPA is very
opinionated about the configuration it expects.

> I also seemed to have misunderstood the Upgrade steps from 
> https://www.freeipa.org/page/Upgrade, as I thought # ipa-server-upgrade would 
> upgrade my IPA version to the latest. 

I can see how you were confused but it's covered in "FreeIPA 3.3.0 or
newer" where you run yum update [free]ipa-server. We recommend updating
all packages and not just IPA. ipa-server-upgrade runs as part of the
package install process.

rob


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-10 Thread Finn Fysj via FreeIPA-users
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> 
> It should tell you what upgrade step is that prior to running the
> command.
> 
> I think this is about migration to authselect. Upgrade code considers
> whether migration from authconfig is needed and if we didn't record that
> migration already happened, we perform it. The default configuration is
> 'authselect select sssd with-sudo --force'.
> 
> You can avoid re-running this upgrade part by adding a section
> 
> [authcfg]
> migrated_to_authselect = True
> 
> to /var/lib/ipa/sysupgrade/sysupgrade.state
> 
> and rerunning the upgrade.
Is it possible to prevent authselect configuration while installing FreeIPA 
server?


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-10 Thread Finn Fysj via FreeIPA-users
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> 
> It should tell you what upgrade step is that prior to running the
> command.
> 
> I think this is about migration to authselect. Upgrade code considers
> whether migration from authconfig is needed and if we didn't record that
> migration already happened, we perform it. The default configuration is
> 'authselect select sssd with-sudo --force'.
> 
> You can avoid re-running this upgrade part by adding a section
> 
> [authcfg]
> migrated_to_authselect = True
> 
> to /var/lib/ipa/sysupgrade/sysupgrade.state
> 
> and rerunning the upgrade.
I don't fully understand why it doesn't check which OS version it is running 
and based on that update the migrated_to_authselect  value. 
Currently on 9.3, and we run authselect as mentioned with custom profile. 

I also seemed to have misunderstood the Upgrade steps from 
https://www.freeipa.org/page/Upgrade, as I thought # ipa-server-upgrade would 
upgrade my IPA version to the latest. 


Anyways, cheers Alexander.


[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config

2024-01-10 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> I've recently tried to run an upgrade of my IPA server (4.10.2) because
> of some CVE fix for 4.10.3.  At the end of upgrade the IPA server tries
> to run: CalledProcessError(Command ['/usr/bin/authselect', 'select',
> 'sssd', 'with-sudo', '--force'], why does it do this?


It should tell you what upgrade step is that prior to running the
command.

I think this is about migration to authselect. Upgrade code considers
whether migration from authconfig is needed and if we didn't record that
migration already happened, we perform it. The default configuration is
'authselect select sssd with-sudo --force'.

You can avoid re-running this upgrade part by adding a section

[authcfg]
migrated_to_authselect = True

to /var/lib/ipa/sysupgrade/sysupgrade.state

and rerunning the upgrade.



> The upgrade in my case fails because I've made the following files immutable:
> /etc/authselect/{password-auth,system-auth}.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
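
The state-file change described in this message, as an added example that is not part of the original post or of FreeIPA: an idempotent helper that records the marker while keeping the other sections, a backup copy, and an atomic write. It assumes the state file is plain INI as the quoted snippet suggests; `mark_migrated`, `demo` and the sample section are hypothetical.

```python
import configparser
import os
import shutil
import tempfile

SECTION, KEY = "authcfg", "migrated_to_authselect"  # names quoted in the thread

def mark_migrated(state_path):
    """Record the marker in an INI-style state file; return True if it changed."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str          # keep key case exactly as stored
    cp.read(state_path)           # a missing file simply yields an empty parser
    if cp.has_option(SECTION, KEY) and cp.get(SECTION, KEY) == "True":
        return False              # already recorded: leave the file untouched
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    cp.set(SECTION, KEY, "True")
    directory = os.path.dirname(os.path.abspath(state_path))
    fd, tmp = tempfile.mkstemp(dir=directory)   # created with mode 0600
    with os.fdopen(fd, "w") as fh:
        cp.write(fh)
    if os.path.exists(state_path):
        shutil.copy2(state_path, state_path + ".bak")   # rollback copy
        shutil.copymode(state_path, tmp)                # keep the original mode
    os.replace(tmp, state_path)   # atomic swap: no half-written state file
    return True

def demo():
    """Run twice against a constructed state file in a scratch directory."""
    # Constructed sample content, not taken from a real server.
    sample = "[example_section]\nSomeKey = 1\n"
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "sysupgrade.state")
        with open(path, "w") as fh:
            fh.write(sample)
        first, second = mark_migrated(path), mark_migrated(path)
        with open(path) as fh:
            return first, second, fh.read()

if __name__ == "__main__":
    print(demo())
```

Rewriting through `configparser` drops any comments in the file, which is why the helper leaves a `.bak` copy next to it.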