ipaclient_setup_nss fails on Ubuntu/Debian
imp1sh opened this issue
I roll out FreeIPA as a client and during that I also use freeipa.ansible_freeipa.ipaclient_setup_nss.
Sadly, the process gets stuck, as the changes seem to result in the OS being in interactive mode and requesting input.
See my processes when it's stuck:
root 47387 41700 0 13:27 pts/0 00:00:00 /bin/sh -c /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1693999621.2573123-3214333-199842260532899/AnsiballZ_ipaclient_setup_nss.py && sleep 0
root 47388 47387 0 13:27 pts/0 00:00:01 /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1693999621.2573123-3214333-199842260532899/AnsiballZ_ipaclient_setup_nss.py
root 48151 47388 0 13:27 pts/0 00:00:00 /usr/bin/perl -w /usr/share/debconf/frontend /sbin/pam-auth-update --package --enable mkhomedir
root 48157 48151 0 13:27 pts/0 00:00:00 /usr/bin/perl -w /sbin/pam-auth-update --package --enable mkhomedir
root 48159 48151 0 13:27 pts/0 00:00:00 whiptail --backtitle Package configuration --title PAM configuration --output-fd 11 --defaultno --yesno -- One or more of the files /etc/pam.d/common-{auth,account,password,session} have been locally modified. Please indicate whether these local changes should be overridden using the system-provided configuration. If you decline this option, you will need to manage your system's authentication configuration by hand. Override local changes to /etc/pam.d/common-*? 14 77
I'm on 1.11.1
The problematic OSes are Ubuntu 20.04 and Debian 12.
On CentOS 7 the problem does not occur.
Just in case anyone else suffers from this problem: as a workaround, just kill the whiptail process on the target system.
What do you mean by "I also use freeipa.ansible_freeipa.ipaclient_setup_nss."?
The roles' internal modules are not meant to be used independently of the roles.
Well that was certainly a bad way to describe it.
To be clear:
I use the role ipaclient from the collection. One task of this role is called "Install - Create IPA NSS database" and that makes use of freeipa.ansible_freeipa.ipaclient_setup_nss.
That makes things more clear. :-)
I don't remember testing under Debian 12, but Ubuntu 20.04 used to work.
The failure occurs when we do a call to a FreeIPA function, so the same issue should also occur, on this node, if the installation was performed through the CLI.
Note that the question is about a file that is locally modified, so I'm not sure if some installed tool is monitoring the file or not.
As far as I can see (without rebuilding my Debian/Ubuntu environments), this is a change either in the distro packaging or package tools, or in the node configuration. Either way, it does not seem we can do much on the ansible-freeipa side.
Thank you. I will dig around some more and give feedback.
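The process listing in the report shows whiptail running as a descendant of the AnsiballZ module wrapper, which is why nobody can answer the prompt. As an added example (not from this issue or the ansible-freeipa project), the shell function below walks the parent chain in `ps` output and reports dialog processes that sit under an Ansible module; the function names and the sample listing are constructed for illustration, the listing modelled on the one above with a placeholder temp path.

```shell
#!/bin/sh
# Added example: report debconf dialog processes (whiptail/dialog) that
# descend from an Ansible module run, i.e. a prompt with no one to answer it.
# Input on stdin: "pid ppid args" lines, as printed by
#   ps -eo pid=,ppid=,args=
# Output: "<dialog pid> <ansible module name>", one per line.
find_blocked_prompts() {
    awk '
    {
        pid = $1; ppid[pid] = $2
        cmd[pid] = $0
        sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", cmd[pid])
    }
    END {
        for (p in cmd) {
            if (cmd[p] !~ /^([^ ]*\/)?(whiptail|dialog)( |$)/) continue
            # Walk up the parent chain looking for an AnsiballZ wrapper.
            a = ppid[p]; hops = 0
            while ((a in cmd) && hops++ < 64) {
                if (match(cmd[a], /AnsiballZ_[A-Za-z0-9_]+\.py/)) {
                    # Strip the "AnsiballZ_" prefix and ".py" suffix.
                    print p, substr(cmd[a], RSTART + 10, RLENGTH - 13)
                    break
                }
                a = ppid[a]
            }
        }
    }' | sort -n
}

# Constructed sample (temp directory name is a placeholder). The last two
# lines are an unrelated interactive session that must not be reported.
sample_ps() {
    cat <<'EOF'
47387 41700 /bin/sh -c /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-EXAMPLE/AnsiballZ_ipaclient_setup_nss.py && sleep 0
47388 47387 /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-EXAMPLE/AnsiballZ_ipaclient_setup_nss.py
48151 47388 /usr/bin/perl -w /usr/share/debconf/frontend /sbin/pam-auth-update --package --enable mkhomedir
48157 48151 /usr/bin/perl -w /sbin/pam-auth-update --package --enable mkhomedir
48159 48151 whiptail --backtitle Package configuration --title PAM configuration --yesno -- Override local changes to /etc/pam.d/common-*? 14 77
49990 1 -bash
50001 49990 whiptail --title Unrelated session --yesno -- Continue? 8 40
EOF
}

sample_ps | find_blocked_prompts
```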