Bug 2417703 - Cannot login with IPA account when freeipa-client is bundled in bootc image [NEEDINFO]
Summary: Cannot login with IPA account when freeipa-client is bundled in bootc image
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: ostree
Version: 43
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Colin Walters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-11-28 14:49 UTC by William Oprandi
Modified: 2025-12-22 13:48 UTC
CC: 21 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:
atikhono: needinfo? (walters)
fedora-admin-xmlrpc: mirror+


Attachments
SSSD logs (21.82 KB, application/gzip), 2025-12-01 14:19 UTC, William Oprandi
SSSD debug level 9 (71.15 KB, application/gzip), 2025-12-02 09:56 UTC, William Oprandi


Links
Red Hat Issue Tracker FC-2849 (last updated 2025-12-22 13:48:58 UTC)

Description William Oprandi 2025-11-28 14:49:56 UTC
Building a custom Silverblue image:

```
ARG FEDORA_VERSION=43
FROM quay.io/fedora-ostree-desktops/silverblue:$FEDORA_VERSION

RUN dnf install -y freeipa-client
# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2332433
# (a Containerfile comment must start the line; trailing "# ..." text on a COPY
# line is parsed as additional source arguments)
COPY tmpfile.conf /usr/lib/tmpfiles.d/ipa.conf

RUN bootc container lint
```

tmpfile.conf (Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2332433)
```
d /var/lib/certmonger 0755 root root
d /var/lib/certmonger/cas
d /var/lib/certmonger/local
d /var/lib/certmonger/requests
d /var/lib/ipa-client 0755 root root
d /var/lib/ipa-client/pki
d /var/lib/ipa-client/sysrestore
```

I'm able to enroll my host after the first boot with `realm join`. But login with GDM does not work.

```
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: seat unloaded, so trying to set loaded property
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: Seat wouldn't load, so giving up on it and setting loaded property
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: user manager now loaded, proceeding with fetch user request for user 'william.oprandi'
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: finding user 'william.oprandi' state 2
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: Looking for user 'william.oprandi' in accounts service
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: already loaded, so not setting loaded property
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: Found object path of user 'william.oprandi': /org/freedesktop/Accounts/User1462
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: finding user 'william.oprandi' state 3
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: user 'william.oprandi' fetched
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: user william.oprandi is now loaded
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: user william.oprandi was not yet known, adding it
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: tracking user 'william.oprandi'
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: not yet loaded, so not emitting user-added signal
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: no pending users, trying to set loaded property
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: already loaded, so not setting loaded property
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionSettings: saved session is  (type )
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionSettings: saved language is
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: queuing setup for user: william.oprandi (null)
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: finished handling request for user 'william.oprandi'
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: unrefing manager owned by fetch user request
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: attempting to change state to SETUP_COMPLETE
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: initializing PAM; service=gdm-password username=william.oprandi seat=seat0
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: Set PAM environment variable: 'XDG_SEAT=seat0'
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: state SETUP_COMPLETE
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: attempting to change state to AUTHENTICATED
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: authenticating user william.oprandi
Nov 28 14:16:37 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: 1 new messages received from PAM
Nov 28 14:16:37 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: username is 'william.oprandi'
Nov 28 14:16:37 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: old-username='william.oprandi' new-username='william.oprandi'
Nov 28 14:16:37 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: received pam message of type 1 with payload 'Mot de passe : '
Nov 28 14:16:43 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: trying to get updated username
Nov 28 14:16:43 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: PAM conversation returning 0: Succès
Nov 28 14:16:43 qemu-standardpcq35ich92009-notspecified.fr.otera.lan systemd[1]: Starting sssd-kcm.service - SSSD Kerberos Cache Manager...
Nov 28 14:16:43 qemu-standardpcq35ich92009-notspecified.fr.otera.lan systemd[1]: Started sssd-kcm.service - SSSD Kerberos Cache Manager.
Nov 28 14:16:43 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/us>
Nov 28 14:16:44 qemu-standardpcq35ich92009-notspecified.fr.otera.lan sssd_kcm[3951]: Starting up
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=william.oprandi
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit[3816]: AUDIT1100 pid=3816 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication gr>
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: gkr-pam: unable to locate daemon control file
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: gkr-pam: stashed password to try later in open session
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: state AUTHENTICATED
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: trying to get updated username
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: username is 'william.oprandi'
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: old-username='william.oprandi' new-username='william.oprandi'
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: attempting to change state to AUTHORIZED
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" >
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit: BPF prog-id=103 op=UNLOAD
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit[3816]: AUDIT1101 pid=3816 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting granto>
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: pam_sss(gdm-password:account): Access denied for user william.oprandi: 4 (Erreur système)
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit[3816]: AUDIT1112 pid=3816 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=1462 exe="/usr/libex>
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: user is not authorized to log in: Erreur système
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: uninitializing PAM
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: state NONE
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmSession: stopping conversation gdm-password
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmSessionWorkerJob: Stopping job pid:3816
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmCommon: sending signal 15 to process 3816
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmSessionWorkerJob: child (pid:3816) done (status:0)
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmSession: Worker job exited: 0
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmSession: Emitting conversation-stopped signal
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmManager: session conversation 'gdm-password' stopped

```


Reproducible: Always

Steps to Reproduce:
1. Build custom silverblue bootc image
2. Install on VM
3. realm join
4. Try to login with GDM
Actual Results:
Login does not work

Expected Results:
Login works

Additional Information:
If I install freeipa-client as layered package with rpm-ostree, it works.

Comment 1 Robert 2025-11-28 15:02:04 UTC
Please compare with my setup using KDE. This works with FreeIPA and Kinoite. Maybe also an SELinux issue?

https://gitlab.com/eu-os/eu-os.gitlab.io/-/snippets/4906744#L106

Comment 2 William Oprandi 2025-11-28 17:19:15 UTC
selinux_provider = none in /etc/sssd/sssd.conf seems to "fix" the issue. This is not needed when freeipa-client is installed with rpm-ostree!

Thanks a lot, as a workaround exists now!

Comment 3 Alexander Bokovoy 2025-11-29 08:28:24 UTC
William, can you please provide the debug log of SSSD?

Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: pam_sss(gdm-password:account): Access denied for user william.oprandi: 4 (Erreur système)

We need to understand whether SSSD selinux provider is affected by a variant of https://github.com/ostreedev/ostree-rs-ext/issues/510.

Comment 4 William Oprandi 2025-12-01 14:19:00 UTC
Created attachment 2116979 [details]
SSSD logs

The SSSD logs folder from restart to login failure

Comment 5 Alexander Bokovoy 2025-12-01 14:33:39 UTC
Ok, looks like SELinux SSSD child is failing indeed:

   *  (2025-12-01 14:13:11): [be[fr.otera.lan]] [child_handler_setup] (0x2000): [RID#14] Setting up signal handler up for pid [4036]
   *  (2025-12-01 14:13:11): [be[fr.otera.lan]] [child_handler_setup] (0x2000): [RID#14] Signal handler set up for pid [4036]
..
(2025-12-01 14:13:11): [be[fr.otera.lan]] [child_sig_handler] (0x0020): [RID#14] child [4036] failed with status [1].

Unfortunately, the selinux_child.log is empty, so we don't know why this happened. My suspicion is that it is indeed an issue with the SELinux library not being able to load its own database.

Comment 6 William Oprandi 2025-12-01 14:37:42 UTC
Maybe you need me to change the SSSD debug level?

Comment 7 Alexander Bokovoy 2025-12-02 07:52:24 UTC
Yes, please use 'debug_level = 9'.

Comment 8 William Oprandi 2025-12-02 09:56:02 UTC
Created attachment 2117046 [details]
SSSD debug level 9

SSSD logs after running `sss_debuglevel 9`

Comment 9 Alexander Bokovoy 2025-12-02 10:26:01 UTC
Thanks. I'm moving this bug to SSSD so that they can analyze what's happening.

Comment 10 Alexey Tikhonov 2025-12-02 11:54:30 UTC
Hi,

could you please show output of
```
ls -lahZ /usr/libexec/sssd/
getcap /usr/libexec/sssd/*
```
?

Comment 11 William Oprandi 2025-12-02 14:27:51 UTC
```
$ ls -lahZ /usr/libexec/sssd/
total 2,5M
drwxr-xr-x.  2 root root system_u:object_r:bin_t:s0                        442  1 janv.  1970 .
drwxr-xr-x. 53 root root system_u:object_r:bin_t:s0                       8,0K  1 janv.  1970 ..
-rwxr-x---.  1 root sssd system_u:object_r:bin_t:s0                       137K  1 janv.  1970 krb5_child
-rwxr-x---.  1 root sssd system_u:object_r:bin_t:s0                        48K  1 janv.  1970 ldap_child
-rwxr-xr-x.  1 root root system_u:object_r:ipa_otpd_exec_t:s0              60K  1 janv.  1970 oidc_child
-rwxr-xr-x.  1 root root system_u:object_r:bin_t:s0                        72K  1 janv.  1970 p11_child
-rwxr-xr-x.  1 root root system_u:object_r:ipa_otpd_exec_t:s0              56K  1 janv.  1970 passkey_child
-rwxr-x---.  1 root root system_u:object_r:sssd_selinux_manager_exec_t:s0  36K  1 janv.  1970 selinux_child
-rwxr-xr-x.  1 root root system_u:object_r:bin_t:s0                         73  1 janv.  1970 sss_analyze
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 179K  1 janv.  1970 sssd_autofs
-rwxr-xr-x.  1 root root system_u:object_r:bin_t:s0                       248K  1 janv.  1970 sssd_be
-rwxr-xr-x.  1 root root system_u:object_r:bin_t:s0                        16K  1 janv.  1970 sssd_check_socket_activated_responders
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 276K  1 janv.  1970 sssd_ifp
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 211K  1 janv.  1970 sssd_kcm
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 253K  1 janv.  1970 sssd_nss
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 183K  1 janv.  1970 sssd_pac
-rwxr-x---.  1 root sssd system_u:object_r:sssd_exec_t:s0                 280K  1 janv.  1970 sssd_pam
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 187K  1 janv.  1970 sssd_ssh
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 187K  1 janv.  1970 sssd_sudo
-rwxr-xr-x.  1 root root system_u:object_r:bin_t:s0                        12K  1 janv.  1970 sss_signal

$ getcap /usr/libexec/sssd/*
/usr/libexec/sssd/krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
/usr/libexec/sssd/ldap_child cap_dac_read_search=p
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p
```

Comment 12 Alexey Tikhonov 2025-12-02 14:49:18 UTC
The reason is:
```
-rwxr-x---.  1 root root system_u:object_r:sssd_selinux_manager_exec_t:s0  36K  1 janv.  1970 selinux_child
```
  --  'sssd_be', running under the 'sssd' user, can't execute `selinux_child`.

It should be ':sssd'-owned, like the other privileged helpers (`krb5_child`, `ldap_child`, `sssd_pam`).

spec-file installs it properly - as 'root:sssd':
https://src.fedoraproject.org/rpms/sssd/blob/rawhide/f/sssd.spec#_801

I guess the problem is that you add it later:
```
RUN dnf install -y freeipa-client
```
but not sure yet what exactly is broken so that it ends up with a wrong ownership.
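
A build-time check that would have caught this regression, as an added example (not code from the bug report, from SSSD or from bootc): it compares the owner, group and mode of the privileged SSSD helpers against what the sssd.spec installs (root:sssd, 0750, as comment 11 shows for krb5_child, ldap_child and sssd_pam) and returns non-zero when a helper ends up root:root, so a `RUN` step after the `dnf install -y freeipa-client` in the description's Containerfile fails the image build instead of letting the problem surface as PAM error 4 (PAM_SYSTEM_ERR, the "Erreur système"/"System error" in the GDM log) at login. The script name, the list of helpers and the optional ROOTFS argument are assumptions; it needs GNU coreutils `stat`.

```shell
#!/bin/sh
# check-sssd-helpers.sh (hypothetical name): fail an image build when a
# privileged SSSD helper does not have the owner/group/mode the sssd.spec
# installs. Added example, not from the bug report or the SSSD project.
# Needs GNU coreutils 'stat'. Run as: check-sssd-helpers.sh [ROOTFS]
# (ROOTFS defaults to /; point it at a mounted image to check offline).

# Expected state, one "path owner group mode" per line. Values come from the
# 'ls -lahZ' output in comment 11 and the spec referenced in comment 12; which
# helpers to list is an assumption, extend it for the helpers your image ships.
SSSD_HELPER_EXPECTATIONS='
/usr/libexec/sssd/krb5_child    root sssd 750
/usr/libexec/sssd/ldap_child    root sssd 750
/usr/libexec/sssd/selinux_child root sssd 750
/usr/libexec/sssd/sssd_pam      root sssd 750
'

# check_sssd_helpers [ROOTFS]
# Prints one line per helper that is missing or has the wrong owner, group or
# mode under ROOTFS; returns 0 only when every listed helper matches.
check_sssd_helpers() {
    local root rc rel owner group mode path actual
    root=${1:-/}
    rc=0
    while read -r rel owner group mode; do
        case "$rel" in ''|\#*) continue ;; esac
        path="${root%/}/${rel#/}"
        if [ ! -e "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            rc=1
            continue
        fi
        # %U/%G resolve uid/gid to names, %a is the octal mode without a leading 0
        actual=$(stat -c '%U %G %a' "$path")
        if [ "$actual" != "$owner $group $mode" ]; then
            printf 'MISMATCH %s: have %s, want %s %s %s\n' \
                "$path" "$actual" "$owner" "$group" "$mode"
            rc=1
        fi
    done <<EOF
$SSSD_HELPER_EXPECTATIONS
EOF
    return "$rc"
}

# Run the check only when a rootfs argument is given (e.g. from a Containerfile:
# RUN /usr/local/bin/check-sssd-helpers.sh /), so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    check_sssd_helpers "$1"
fi
```

Against the image from this report the check prints `MISMATCH /usr/libexec/sssd/selinux_child: have root root 750, want root sssd 750` and exits 1. It only covers ownership and mode, which is the defect in this bug; the `getcap` listing from comment 10 is still the check for the file-capability loss described in ostree-rs-ext issue 654.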

Comment 13 Alexander Bokovoy 2025-12-02 15:06:12 UTC
So yes, this is the same issue as it was in https://github.com/ostreedev/ostree-rs-ext/issues/654 which was supposed to be fixed with https://github.com/ostreedev/ostree-rs-ext/pull/679.

Comment 14 Alexey Tikhonov 2025-12-02 16:26:36 UTC
(In reply to Alexander Bokovoy from comment #13)
> So yes, this is the same issue as it was in
> https://github.com/ostreedev/ostree-rs-ext/issues/654 which was supposed to
> be fixed with https://github.com/ostreedev/ostree-rs-ext/pull/679.

Actually this looks different.
ostree-rs-ext/issues/654 was about lost file capabilities.
In this case it's wrong ownership.

Comment 15 Alexey Tikhonov 2025-12-03 11:28:45 UTC
Colin, could you please take a look at this?

Comment 16 Alexey Tikhonov 2025-12-22 13:47:27 UTC
(In reply to Alexey Tikhonov from comment #15)
> Colin, could you please take a look at this?

Changing component for better visibility.
Please feel free to re-assign bug with explanation if this is SSSD bug.

