Bug 1309700

Summary: Process /usr/sbin/winbindd was killed by signal 6
Product: Red Hat Enterprise Linux 7 Reporter: Sudhir Menon <sumenon>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: abokovoy, ksiddiqu, mbasti, ohudlick, pholica, pspacek, pvoborni, rcritten, snagar, sumenon, thozza, vanhoof
Target Milestone: rc   
Target Release: 7.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.4.0-6.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 05:51:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1359079    
Attachments:
Description Flags
sos report for the failure
none
samba log-1
none
messages none

Description Sudhir Menon 2016-02-18 14:04:12 UTC 
Created attachment 1128229 [details]
sos report for the failure

Description of problem: Process /usr/sbin/winbindd was killed by signal 6


Version-Release number of selected component (if applicable):
ipa-server-trust-ad-3.0.0-50.el6.x86_64
ipa-server-3.0.0-50.el6.x86_64

How reproducible:Always


Steps to Reproduce:
1. Install IPA-server on RHEL6.8
2. Run ipa-adtrust-install command
3. Add dnsforwardzone on the IPA server to AD
4. Now try to add trust to AD

Actual results:
Crash report is generated.

Expected results:
Crash shouldn't occur.

Additional info:
Although trust was a tech preview found this issue while doing steps as mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1263262
Comment 2 Alexander Bokovoy 2016-02-18 15:42:28 UTC 
Sorry, but sosreport doesn't have anything useful in it -- no logs, even /var/log/messages is missing, not even talking about /var/log/httpd and /var/log/samba. Is it possible to generate something more useful?
Comment 3 Sudhir Menon 2016-02-19 11:04:15 UTC 
Created attachment 1128512 [details]
samba log-1
Comment 4 Sudhir Menon 2016-02-19 11:05:02 UTC 
Created attachment 1128513 [details]
messages
Comment 5 Sudhir Menon 2016-02-19 11:09:49 UTC 
Alexander/Petr,
before logging this bug, sbose was having a look at the test system where the crash was seen and he said that. 

"there was an issue during the ipa-client-install run, the cifs/... principal was not created. This was maybe due to DNS issue because as I tried to start IPA on the host named was not able to start. It looks like the chroot environment is not correct, I fixed this by commenting out the chroot path in /etc/sysconfig/named. Now named start. Please run ipa-adtrust-install again to get the cifs/... principal created"

But when I restested the same thing.

1. Found that the crash occured only when the below line was commented in 
#ROOTDIR=/var/named/chroot' in /etc/named.conf file. 
This entry is however added by bind-chroot when installed.
Manually commenting the option is incorrect and invalid test scenario and which was not done during the test.
Comment 6 Alexander Bokovoy 2016-02-19 11:23:41 UTC 
FreeIPA doesn't use bind-chroot at all and was never tested with it. What drags bind-chroot in?
Comment 7 Sudhir Menon 2016-02-22 05:57:08 UTC 
The VM image on which the testing was done had bind-chroot package installed already. Although what i see is that the bind-chroot package is not required by any of ipa packages. May be I should create a pristine image and try to reprduce the issue.
Comment 8 Sudhir Menon 2016-02-22 09:18:35 UTC 
Tested this on a pristine RHEL6.8 VM without the bind-chroot package installed and found that the crash is not seen.
Comment 9 Petr Vobornik 2016-02-23 17:23:32 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5696
Comment 10 Petr Vobornik 2016-02-23 17:25:46 UTC 
We should add conflicts with bind-chroot to spec. I would fix it only on RHEL 7.
Comment 11 Petr Vobornik 2016-03-24 19:43:12 UTC 
IPA in 6.8 won't receive any updates unless they are critical or sufficiently justified. Changing to RHEL 7.
Comment 12 Petr Vobornik 2016-03-24 19:44:20 UTC 
Fixed upstream:

master:
    3ab63fa6ba60947b1452c2108c4cf7637f4aacdb spec: add conflict with bind-chroot to freeipa-server-dns 

ipa-4-3:
    2b1b9ad6722e7008a97f09dc4a34019ad250cd4d spec: add conflict with bind-chroot to freeipa-server-dns
Comment 13 Mike McCune 2016-03-28 22:43:24 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 15 Sudhir Menon 2016-07-18 10:37:39 UTC 
Fix is seen.
Verified using ipa-server-4.4.0-2.1.el7.x86_64

Conflicts are now added while installing ipa-server ipa-server-dns with bind-chroot already installed on the box.

[root@server ~]# rpm -qa | grep bind-chroot
bind-chroot-9.9.4-36.el7.x86_64

[root@server ~]# yum install -y ipa-server ipa-server-dns
Loaded plugins: auto-update-debuginfo, langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:4.4.0-2.1.el7 will be installed
---> Package ipa-server-dns.noarch 0:4.4.0-2.1.el7 will be installed
--> Processing Conflict: ipa-server-dns-4.4.0-2.1.el7.noarch conflicts bind-chroot
--> Finished Dependency Resolution
Error: ipa-server-dns conflicts with 32:bind-chroot-9.9.4-36.el7.x86_64
 You could try using --skip-broken to work around the problem
** Found 5 pre-existing rpmdb problem(s), 'yum check' output follows:
ipa-admintools-4.4.0-2.1.el7.noarch has installed conflicts freeipa-admintools: ipa-admintools-4.4.0-2.1.el7.noarch
ipa-client-4.4.0-2.1.el7.x86_64 has installed conflicts freeipa-client: ipa-client-4.4.0-2.1.el7.x86_64
ipa-client-common-4.4.0-2.1.el7.noarch has installed conflicts freeipa-client-common: ipa-client-common-4.4.0-2.1.el7.noarch
ipa-common-4.4.0-2.1.el7.noarch has installed conflicts freeipa-common: ipa-common-4.4.0-2.1.el7.noarch
ipa-server-common-4.4.0-2.1.el7.noarch has installed conflicts freeipa-server-common: ipa-server-common-4.4.0-2.1.el7.noarch

Note: FreeIPA cannot work with BIND in chroot.
Comment 16 Pavel Holica 2016-07-25 13:25:37 UTC 
Requesting release note due to bug 1359079

The conflicts change needs to be documented because it breaks upgrade path.
Comment 17 Ondrej Hudlicky 2016-08-02 14:11:00 UTC 
Hi, I am concerned that this is not best solution for fixing the crash. By introducing a new conflict you break upgrade path for customer who have both packages installed (in RHEL7.2) - it could be high number of deployments and it could have negative impact on customer experience (even if documented). 

Also can you confirm that there are no deployment which would required both components? 

Asking PM (Siddharth) CEE (Chris) for review and additional feedback
Comment 18 Alexander Bokovoy 2016-08-02 14:21:15 UTC 
Ondrej,

Sorry but FreeIPA DNS does not work with bind-chroot at all, so nobody was/is/will be able to have a working configuration where both ipa-server-dns and bind-chroot are installed.
Comment 19 Ondrej Hudlicky 2016-08-02 17:23:01 UTC 
> Sorry but FreeIPA DNS does not work with bind-chroot at all, so nobody

This incompatibility should be documented but no big concerns there. 

> was/is/will be able to have a working configuration where both
> ipa-server-dns and bind-chroot are installed.

There is difference between *installed* and *configured*.
Installing bind-chroot doesn't enable the chroot jail =>
 installing bind-chroot should not affect name server function

Having ipa-server crash due commented line in bind config file could be symptom of ipa-server bug which could be probably triggered in multiple ways?

Again my motivation is to avoid any possible troubles during RHEL7.2->RHEL7.3 update because customers are in general not happy with stability of upgrades.
Comment 20 Tomáš Hozza 2016-08-04 13:29:11 UTC 
Installing bind-chroot on RHEL-7 does not change any configuration of bind and does not have any effect on how bind is run. The behavior in RHEL-7 is completely different compared to RHEL-6, where we shipped just a single init script and installing bind-chroot actually changed the way how bind is started.

In RHEL-7 we ship multiple .service files and installing bind-chroot installs named-chroot.service. Unless you explicitly start this service, you'll be still running regular bind NOT in chroot.

In RHEL-7 we actually don't even use the 'ROOTDIR' variable in /etc/sysconfig/named and it is not part of the default configuration.

This means the changes that looked like "good" idea for RHEL-6 don't make any sense for RHEL-7.

IMO introducing the conflict with bind-chroot package seems like unnecessary and unsystematic.
Comment 21 Ondrej Hudlicky 2016-08-05 07:55:15 UTC 
Based on previous comment and after consultation with IDM QE moving to ASSIGNED
Comment 22 Martin Bašti 2016-08-09 14:23:57 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/96db47cfa516911741dd7942509b0a94551dbace
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/56695d969325cb2cb754d0ea549c5b6face89c6f
Comment 24 Sudhir Menon 2016-08-10 11:49:11 UTC 
Fix is seen.

ipa-server and ipa-server-trust-ad rpm gets installed even with bind-chroot installed on the box.

[root@master ~]# rpm -qa | grep bind-chroot
bind-chroot-9.9.4-36.el7.x86_64

[root@master ~]# yum install -y ipa-server ipa-server-trust-ad 
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
--> Running transaction check
---> Package ipa-server.x86_64 0:4.4.0-6.el7 will be installed
---> Package ipa-server-trust-ad.x86_64 0:4.4.0-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved
================================================================================
 Package                                 Arch                       Version                            Repository                  Size
================================================================================
Installing:
 ipa-server             x86_64  4.4.0-6.el7  rhel73    423 k
 ipa-server-trust-ad    x86_64  4.4.0-6.el7  rhel73    191 k

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 614 k
Installed size: 1.2 M
Downloading packages:
ipa-server-4.4.0-6.el7.x86_64.rpm  423 kB  00:00:01     
ipa-server-trust-ad-4.4.0-6.el7.x86_64.rpm  | 191 kB  00:00:01     
--------------------------------------------------------------------------------
Total 145 kB/s | 614 kB  00:00:04     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ipa-server-4.4.0-6.el7.x86_64          1/2 
  Installing : ipa-server-trust-ad-4.4.0-6.el7.x86_64 2/2 
  Verifying  : ipa-server-trust-ad-4.4.0-6.el7.x86_64 1/2 
  Verifying  : ipa-server-4.4.0-6.el7.x86_64          2/2 

Installed:
ipa-server.x86_64 0:4.4.0-6.el7                                
ipa-server-trust-ad.x86_64 0:4.4.0-6.el7                               

Complete!
Comment 27 errata-xmlrpc 2016-11-04 05:51:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
Comment 28 Red Hat Bugzilla 2023-12-20 04:25:02 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days