User realname, load configuration and other joys of Gaia

cosmos — Fri, 25 Jun 2021 02:35:28 GMT

I've been migrating a few gateways with local users configured, and found the following true for clish in R80.40 (unrelated to sk110222):

the realname field for a local user, when entered interactively or loaded via a configuration file, must be wrapped in quotes
the output of the realname field for a local user, when exported from clish, is not wrapped in quotes.

This is problematic, as we can see below:

[Expert@fw-01:0]# clish
fw-01> set user test realname "test user"
fw-01> save config
fw-01> save configuration fw-01.conf
fw-01> quit
[Expert@fw-01:0]# clish -c "show configuration" | grep "test realname"
set user test realname test user
[Expert@fw-01:0]# grep "test realname" fw-01.conf
set user test realname test user
[Expert@fw-01:0]# clish
fw-01> set user test realname test user
CLINFR0329 Invalid command:'set user test realname test user'.
fw-01> quit
[Expert@fw-01:0]#

This also means the config file will not load from clish either, without set clienv on-failure continue

I wrote some crude regex to fix this and restore the quotes around usernames, so the configs can be easily ported between Gaia machines with the full username:

[Expert@fw-01:0]# cat fw-01.conf | sed 's/realname \([a-zA-Z0-9_ ]*\)/realname "\1"/g' > fw-01_fixed.conf
[Expert@fw-01:0]# grep "test realname" fw-01_fixed.conf
set user test realname "test user "

Forget about the space, we can live with that 🙂

I also found the following regarding clish config files:

the file encoding must be ANSI, at least on kernel 2.6 / R80.30 as UTF-8 did not work
EOL must be Unix (LF), Windows (CR/LF) is not supported
1. dos2unix is helpful here

I'm considering the realname issue a bug and will log a TAC case. Note this does not affect the config db (flat file or SQLite):

[Expert@fw-01:0]# grep "test:realname" /config/db/initial
passwd:test:realname test\ user
[Expert@fw-01:0]# dbget passwd:test:realname
test user
[Expert@fw-01:0]#

I hope this is helpful for others.

Re: User realname, load configuration and other joys of Gaia

PhoneBoy — Sun, 27 Jun 2021 22:04:28 GMT

Agree the best thing to do here is log a TAC case so we can make sure to fix this issue.
I know in the past importing the output of show configuration has had...mixed results.

Re: User realname, load configuration and other joys of Gaia

the_rock — Mon, 28 Jun 2021 01:17:28 GMT

Interesting...personally, I copied show configuration few times in the past and it always worked, but its like backup/restore, has to be done on same type of appliance, otherwise it would not work. I recall Fortinet had a process at some point where you could make some modifications to backup file from one model and then re-import it into a different one and it would work, but there were lots of customers facing issues and it was not officially supported by them anyway, so they removed it from support site.

But again, goes without saying really, its totally logical to follow this on same firewall model.

topic User realname, load configuration and other joys of Gaia in General Topics

User realname, load configuration and other joys of Gaia

Re: User realname, load configuration and other joys of Gaia

Re: User realname, load configuration and other joys of Gaia