freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA

ipaclient_setup_nss fails on Ubuntu/Debian

imp1sh opened this issue

I roll out FreeIPA as a client and during that I also use freeipa.ansible_freeipa.ipaclient_setup_nss.

Sadly the process gets stuck, as the changes seem to result in the OS being in interactive mode and requesting input:

See my processes when it's stuck:

root       47387   41700  0 13:27 pts/0    00:00:00       /bin/sh -c /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1693999621.2573123-3214333-199842260532899/AnsiballZ_ipaclient_setup_nss.py && sleep 0
root       47388   47387  0 13:27 pts/0    00:00:01         /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1693999621.2573123-3214333-199842260532899/AnsiballZ_ipaclient_setup_nss.py
root       48151   47388  0 13:27 pts/0    00:00:00           /usr/bin/perl -w /usr/share/debconf/frontend /sbin/pam-auth-update --package --enable mkhomedir
root       48157   48151  0 13:27 pts/0    00:00:00             /usr/bin/perl -w /sbin/pam-auth-update --package --enable mkhomedir
root       48159   48151  0 13:27 pts/0    00:00:00             whiptail --backtitle Package configuration --title PAM configuration --output-fd 11 --defaultno --yesno -- One or more of the files  /etc/pam.d/common-{auth,account,password,session} have been locally  modified.  Please indicate whether these local changes should be  overridden using the system-provided configuration.  If you decline this option, you will need to manage your system's authentication  configuration by hand.  Override local changes to /etc/pam.d/common-*? 14 77

I'm on 1.11.1
The problematic OSes are Ubuntu 20.04 and Debian 12
On CentOS 7 the problem does not occur.

Just in case anyone else suffers from this problem: as a workaround, just kill the whiptail process on the target system.

What do you mean by "I also use freeipa.ansible_freeipa.ipaclient_setup_nss."?

The role's internal modules are not meant to be used independently of the roles.

Well that was certainly a bad way to describe it.
To be clear:
I use the role ipaclient from the collection. One task of this role is called Install - Create IPA NSS database and that makes use of freeipa.ansible_freeipa.ipaclient_setup_nss.

That makes things more clear. :-)

I don't remember testing under Debian 12, but Ubuntu 20.04 used to work.

The failure occurs when we do a call to a FreeIPA function, so the same issue should also occur, on this node, if the installation was performed through the CLI.

Note that the question is about a file that is locally modified, so I'm not sure if some installed tool is monitoring the file or not.

As far as I can see (without rebuilding my Debian/Ubuntu environments), this is a change either in the distro packaging or package tools, or in the node configuration. Either way it does not seem we can do much on the ansible-freeipa side.

Thank you. I will dig around some more and give feedback.
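
A way to spot this hang on a target, as an added example that is not part of the thread or of ansible-freeipa: it parses `ps -ef` output and reports any whiptail dialog running beneath an AnsiballZ module process. The sample listing is constructed (shortened from the one in the report), and the function names are hypothetical.

```python
import re

# Constructed sample: `ps -ef` lines shortened from the listing in the report above.
SAMPLE_PS = """\
UID          PID    PPID  C STIME TTY          TIME CMD
root       47387   41700  0 13:27 pts/0    00:00:00 /bin/sh -c /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1/AnsiballZ_ipaclient_setup_nss.py && sleep 0
root       47388   47387  0 13:27 pts/0    00:00:01 /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1/AnsiballZ_ipaclient_setup_nss.py
root       48151   47388  0 13:27 pts/0    00:00:00 /usr/bin/perl -w /usr/share/debconf/frontend /sbin/pam-auth-update --package --enable mkhomedir
root       48157   48151  0 13:27 pts/0    00:00:00 /usr/bin/perl -w /sbin/pam-auth-update --package --enable mkhomedir
root       48159   48151  0 13:27 pts/0    00:00:00 whiptail --backtitle Package configuration --title PAM configuration --yesno -- Override local changes to /etc/pam.d/common-*? 14 77
root       50001       1  0 13:30 ?        00:00:00 whiptail --msgbox unrelated 8 40
"""

MODULE_RE = re.compile(r"AnsiballZ_(\w+)\.py")

def parse_ps(text):
    """Map pid -> (ppid, command line) from `ps -ef` output."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) == 8 and fields[1].isdigit() and fields[2].isdigit():
            procs[int(fields[1])] = (int(fields[2]), fields[7])
    return procs

def stuck_prompts(text):
    """Return (whiptail_pid, ansible_module) for each whiptail dialog that has
    an AnsiballZ module process among its ancestors."""
    procs = parse_ps(text)
    hits = []
    for pid, (ppid, cmd) in procs.items():
        if cmd.split()[0].rsplit("/", 1)[-1] != "whiptail":
            continue
        seen = set()
        while ppid in procs and ppid not in seen:  # walk up, guard against loops
            seen.add(ppid)
            parent_ppid, parent_cmd = procs[ppid]
            m = MODULE_RE.search(parent_cmd)
            if m:
                hits.append((pid, m.group(1)))
                break
            ppid = parent_ppid
    return hits

if __name__ == "__main__":
    for pid, module in stuck_prompts(SAMPLE_PS):
        print(f"whiptail pid {pid} is waiting for input under module {module}")
```

On a live host, pass the captured output of `ps -ef` to `stuck_prompts` instead of the sample.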