Bug 1200964

Summary: autoyast auth-client for AD does not install required packages
Product: [openSUSE] openSUSE Distribution
Reporter: Jens Mozdzen <jens.mozdzen>
Component: Samba
Assignee: Samuel Cabrero <scabrero>
Status: RESOLVED FIXED
QA Contact: The 'Opening Windows to a Wider World' guys <samba-maintainers>
Severity: Normal
Priority: P5 - None
CC: meissner, samba-maintainers, scabrero
Version: Leap 15.4
Target Milestone: ---
Hardware: Other
OS: openSUSE Leap 15.4
Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Jens Mozdzen 2022-06-27 12:04:03 UTC
Auto-Installation OpenSUSE Leap 15.4 via SUSE Manager 4.2

The AutoYaST profile contains a section <auth-client>, with a JSON created via "yast autoyast" on a Leap 15.4 system.

During autoyast stage2, we receive an error that joining the domain failed. 

Short version: The installed environment misses the packages sssd, sssd-ad, sssd-common and samba-libs. Adding these in the <packages> list lets the installation complete, with automatically joining AD.

It is unclear why the missing modules are not automatically installed by the auth-client YaST module during autoyast installation, while a later manual invocation of the YaST auth-client module will do just that. 

Verbose version:

- after completing the "failing" autoyast, calling "yast auth-client" shows proper values, but only local authentication. Switching to the configuration dialog, the "permit domain login" checkbox isn't checked and no domain is configured. When manually adding the domain, a lot of packages are installed and domain logins work. Checking the logs, at least sssd, sssd-ad and sssd-common are installed by that yast invocation.

- adding these three packages to the autoyast profile, again an error is displayed for the AD join (but without any reported error output of the called command). When switching to a local console on the installing system and trying the corresponding "net ads join", a lengthy error/backtrace is displayed, referencing a missing tdbsam module.

- that missing samba module (/usr/lib64/samba/pdb/tdbsam.so) is part of samba-libs; after also adding that RPM to the packages list and re-installing the client, no more errors occurred and the client system automatically joined the AD domain.
Comment 1 Jens Mozdzen 2022-07-09 23:17:59 UTC
Other related problems we're facing in this context (please let me know if we should open new tickets for these):

a - The account password used to join the domain is stored in the AutoYaST XML file. I understand what it's for, but when using AutoYaST in combination with Cobbler (-> SUSE Manager), basically anyone can retrieve clear-text autoyast profiles from the installation server without the need for any authentication. So storing clear-text (or decryptable) passwords in the XML is a no-go.

Currently, "net ads join" offers the "-k" parameter to use a Kerberos ticket instead of "admin credentials". The option is reported as "deprecated" by the "net" command, but would allow for the following data flow:

  - a Kerberos ticket (with limited lifetime) is created on e.g. the deployment server and put into auth-client's JSON

  - auth-client makes local use of that ticket on the installed machine and calls "net ads join -k" instead of passing admin account credentials

b - auth-client does not expose the "net ads join" parameter for setting the machine name differently from the current host name ("dnshostname=<FQDN>"). It would be appreciated by our customer if this could be set independently of the machine's host name...

c - calling "yast2 ayast_setup ..." from the client's command line works, but using the same command via Salt ("cmd.run") does not join the client, but rather fails with "Must be connected to a terminal."

We're working on automatically installing/joining thousands of new clients (openSUSE Leap 15.4 during testing / later probably SLED 15 SP4) via SUSE Manager and AutoYaST, and security considerations will not allow for the "service account" (used to join new clients) to be included in clear text in the AutoYaST file.

So we tried switching to using Salt to join the clients during the initial high state, but would prefer to avoid re-creating the specific auth-client workflow in a new Salt state.

Using Kerberos tickets in the XML instead of credentials would allow autoyast-installing the clients, and using yast2 ayast_setup (with non-persistent account data, solved via Salt mechanisms) could at least be called without exposing the creds to the world. The latter requires using tricks to simulate a terminal, because "yast2 ayast_setup" is apparently still working "user-oriented", in that it displays the progress output full-screen and even in color. This should be avoidable, to enable automated use of the modules.
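Item (a) above concerns join credentials sitting in clear text inside a profile that an installation server hands out without authentication. As an added example (not from the bug reporter or the YaST project), the following Python check scans an AutoYaST profile before it is published and reports credential-looking keys with non-empty values, both as XML elements and inside JSON embedded in the <auth-client> section. The sample profile and the JSON key names inside it ("join", "user", "password") are constructed assumptions for this example, not the real yast2-auth-client schema.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample profile. The JSON keys under <sssd> are assumed for
# this example; a real yast2-auth-client section may name them differently.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<profile xmlns="http://www.suse.com/1.0/yast2ns"
         xmlns:config="http://www.suse.com/1.0/configns">
  <auth-client>
    <sssd>{"domains": {"example.com": {"id_provider": "ad",
      "ad_domain": "example.com"}},
      "join": {"user": "svc-join", "password": "Hunter2!"}}</sssd>
  </auth-client>
  <software><packages config:type="list"><package>sssd</package>
    <package>sssd-ad</package><package>sssd-common</package>
    <package>samba-libs</package></packages></software>
</profile>
"""

SECRET_KEY = re.compile(r"(pass(word|wd)?|secret|credential)", re.IGNORECASE)
NS = "{http://www.suse.com/1.0/yast2ns}"

def walk_json(obj, path, found):
    """Recursively collect JSON paths whose key looks like a secret and
    whose value is a non-empty string (an empty value is not a leak)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if SECRET_KEY.search(key) and isinstance(value, str) and value:
                found.append("/".join(path + [key]))
            walk_json(value, path + [key], found)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            walk_json(value, path + [str(index)], found)

def find_plaintext_secrets(profile_xml):
    """Return the list of credential-looking locations in an AutoYaST profile."""
    root = ET.fromstring(profile_xml)
    found = []
    for element in root.iter():
        tag = element.tag.replace(NS, "")
        text = (element.text or "").strip()
        if not text:
            continue
        if text.startswith("{"):
            try:
                walk_json(json.loads(text), [tag], found)
                continue  # element text was JSON; its keys were inspected
            except json.JSONDecodeError:
                pass      # not JSON after all; fall back to the tag check
        if SECRET_KEY.search(tag):
            found.append(tag)
    return found
```

A non-empty result should block publishing the profile to the deployment server; the reporter's Kerberos-ticket approach would leave the password field empty and pass this check.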
Comment 4 Jens Mozdzen 2022-07-12 19:54:30 UTC
With regards to comment #1 item C ("yast2 ayast_setup" depending on having a terminal at hand), is that something I should move to a spin-off ticket?
Comment 5 Samuel Cabrero 2022-07-13 10:50:23 UTC
(In reply to Jens Mozdzen from comment #4)
> With regards to comment #1 item C ("yast2 ayast_setup" depending on having a
> terminal at hand), is that something I should move to a spin-off ticket?

Yes please, it looks like an autoyast issue. IIUC the problem, if autoyast can't be fixed to work without a terminal, the alternative is to implement the CLI interface in auth-client right?
Comment 10 Swamp Workflow Management 2022-07-29 13:16:55 UTC
SUSE-SU-2022:2586-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.2 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.1 (src):    ldb-2.4.3-150300.3.20.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Enterprise Storage 7.1 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-07-29 13:19:59 UTC
SUSE-SU-2022:2582-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise Server 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Samuel Cabrero 2022-08-01 07:21:08 UTC
(In reply to Samuel Cabrero from comment #5)
> (In reply to Jens Mozdzen from comment #4)
> > With regards to comment #1 item C ("yast2 ayast_setup" depending on having a
> > terminal at hand), is that something I should move to a spin-off ticket?
> 
> Yes please, it looks like an autoyast issue. IIUC the problem, if autoyast
> can't be fixed to work without a terminal, the alternative is to implement
> the CLI interface in auth-client right?

Hi Jens, the packages installation issue is fixed. Please open a new bug for the remaining issues if necessary.
Comment 13 Jens Mozdzen 2022-08-01 12:56:50 UTC
Just for reference, the separate bug was already opened as

https://bugzilla.suse.com/show_bug.cgi?id=1201512
Comment 16 Swamp Workflow Management 2022-08-03 22:18:04 UTC
SUSE-SU-2022:2659-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    samba-4.15.8+git.500.d5910280cc7-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2022-09-01 15:09:11 UTC
SUSE-SU-2022:2586-2: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2022-09-19 10:25:06 UTC
SUSE-RU-2022:3299-1: An update that has 26 recommended fixes and contains one feature can now be installed.

Category: recommended (important)
Bug References: 1195059,1195608,1195894,1196674,1198076,1198848,1199451,1199480,1199554,1199621,1199746,1200155,1200274,1200780,1200803,1200964,1201129,1201185,1201532,1201747,1201924,1201966,1202228,1202479,1202892,1202919
CVE References: 
JIRA References: SLE-22069
Sources used:
openSUSE Leap 15.4 (src):    autoyast2-4.4.39-150400.3.8.1, yast2-4.4.52-150400.3.8.1, yast2-auth-client-4.4.4-150400.3.7.1, yast2-fcoe-client-4.4.3-150400.3.3.1, yast2-firstboot-4.4.9-150400.3.3.1, yast2-installation-4.4.56-150400.3.9.1, yast2-network-4.4.49-150400.3.6.1, yast2-nfs-client-4.4.5-150400.3.4.1, yast2-online-update-configuration-4.4.1-150400.3.10.1, yast2-packager-4.4.32-150400.3.4.1, yast2-schema-default-4.4.14-150400.3.6.2, yast2-schema-micro-4.4.14-150400.3.6.2, yast2-security-4.4.14-150400.3.3.1, yast2-update-4.4.7-150400.3.3.1, yast2-users-4.4.11-150400.3.3.1, yast2-x11-4.4.2-150400.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    autoyast2-4.4.39-150400.3.8.1, yast2-4.4.52-150400.3.8.1, yast2-auth-client-4.4.4-150400.3.7.1, yast2-fcoe-client-4.4.3-150400.3.3.1, yast2-firstboot-4.4.9-150400.3.3.1, yast2-installation-4.4.56-150400.3.9.1, yast2-network-4.4.49-150400.3.6.1, yast2-nfs-client-4.4.5-150400.3.4.1, yast2-online-update-configuration-4.4.1-150400.3.10.1, yast2-packager-4.4.32-150400.3.4.1, yast2-schema-default-4.4.14-150400.3.6.2, yast2-security-4.4.14-150400.3.3.1, yast2-update-4.4.7-150400.3.3.1, yast2-users-4.4.11-150400.3.3.1, yast2-x11-4.4.2-150400.3.3.1
SUSE Linux Enterprise Installer 15-SP4 (src):    autoyast2-4.4.39-150400.3.8.1, yast2-4.4.52-150400.3.8.1, yast2-installation-4.4.56-150400.3.9.1, yast2-packager-4.4.32-150400.3.4.1, yast2-users-4.4.11-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.