As an enrollment manager I would like to be able to catch errors when calling ['pam-auth-update', '--package', '--enable', 'mkhomedir'], so that I can mitigate.
From time to time the call to pam-auth-update fails, the error being:
2021-11-17T14:59:18Z DEBUG args=['pam-auth-update', '--package', '--enable', 'mkhomedir']
2021-11-17T14:59:18Z DEBUG Process finished, return code=1
2021-11-17T14:59:18Z DEBUG stdout=
2021-11-17T14:59:18Z DEBUG stderr=debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable
I can't be sure, but APT might be running. I would like it if this error was handled in some way, and not just ignored.
Perform an ipa-client-install with the --mkhomedir option.
The error doesn't always happen, but is ignored when it is.
The ipa-client-install continues as if no error occurred.
If any of the sub commands during IPA enrollment fails I would expect the enrollment to fail, so that one can take mitigating actions.
Version 4.7, but even on current master, failure when running external commands seems to be ignored.
@tjaalton FYI not specifically for you but Debian-related.
Currently the return value for the call to tasks.modify_nsswitch_pam_stack() is ignored for all platforms. I suppose we could check this and raise a ScriptError on failure.
At this point the client is enrolled, I'm not 100% sure if the rollback would leave a clean system or not. Would require testing. Lack of being clean would mean the next enrollment would require a host-del, for example, before it would be successful. Also would need a new OTP if that is used.
You are welcome to improve Debian platform support. The method already allows for extension in ipaplatform/debian/tasks.py:DebianTaskNamespace.modify_nsswitch_pam_stack. I think you need to make sure that debconf is not locked before the operation is called.
@tjaalton FYI not specifically for you but Debian-related. Currently the return value for the call to tasks.modify_nsswitch_pam_stack() is ignored for all platforms. I suppose we could check this and raise a ScriptError on failure.
One could remove the Exception catch that is currently added all over the file ipaplatform/debian/tasks.py maybe?
I've been fixing it so far by running an ipa-client-install --uninstall and afterwards re-installing. And that seems to work.
@abbra The question is if this raise condition should be handled by ipa-client-install at all? The program seems to be fairly good at rolling back an enrollment if an error occurs, just not for the 'external' tasks in ipaplatform/debian/tasks.py.
I'm not sure it's the job of ipa-client-install to check if the lock on a file is acquired - maybe rather a job for pam-auth-update?
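A sketch of the handling discussed in this thread, added here as an example and not taken from FreeIPA: check the return code of pam-auth-update, retry only while stderr shows the debconf lock error, and raise otherwise so enrollment does not continue silently. The names enable_mkhomedir, PamStackError and fake_runner, and the retry count and delay, are hypothetical.

```python
import subprocess
import time
from types import SimpleNamespace

PAM_ARGS = ["pam-auth-update", "--package", "--enable", "mkhomedir"]
# Substring of the debconf error quoted in the ticket.
LOCK_MARKER = "is locked by another process"

class PamStackError(RuntimeError):
    """Hypothetical stand-in for the ScriptError suggested in the thread."""

def enable_mkhomedir(run=subprocess.run, attempts=5, delay=2.0, sleep=time.sleep):
    """Run pam-auth-update and return the number of attempts it took.

    `run` and `sleep` are injectable so the logic can be exercised
    without touching the PAM configuration of the machine.
    """
    for attempt in range(1, attempts + 1):
        proc = run(PAM_ARGS, capture_output=True, text=True)
        if proc.returncode == 0:
            return attempt
        stderr = proc.stderr or ""
        # Only the lock error is transient; anything else fails immediately.
        if LOCK_MARKER not in stderr or attempt == attempts:
            raise PamStackError(
                "%s failed (rc=%d) after %d attempt(s): %s"
                % (" ".join(PAM_ARGS), proc.returncode, attempt, stderr.strip())
            )
        sleep(delay)

def fake_runner(results):
    """Constructed test double: replays (returncode, stderr) pairs in order."""
    queue = list(results)
    calls = []

    def run(args, **kwargs):
        calls.append(list(args))
        rc, err = queue.pop(0)
        return SimpleNamespace(returncode=rc, stdout="", stderr=err)

    run.calls = calls
    return run

# Constructed sample, modelled on the stderr line in the ticket.
LOCKED = ('debconf: DbDriver "config": /var/cache/debconf/config.dat '
          "is locked by another process: Resource temporarily unavailable")
```

Calling enable_mkhomedir() with its defaults runs the real command; passing run=fake_runner([...]) and sleep=lambda s: None replays canned results instead.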