Bug 1410054
Summary: | Tracker bug -- 7.3.2 respin of sssd-docker | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Lukas Slebodnik <lslebodn> |
Component: | sssd-container | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.3 | CC: | jhrozek, jpazdziora, lslebodn, mniranja, ndehadra |
Target Milestone: | rc | Keywords: | Tracking |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-01-17 23:54:03 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Lukas Slebodnik
2017-01-04 11:03:14 UTC
Version:

```
-bash-4.2$ atomic host status
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
             Version: 7.3.2 (2017-01-13 22:00:41)
              Commit: 96826a0d917d7ff10f9fd0289581649f2ffbddd76f3b80efd3d95cc11915cacb
              OSName: rhel-atomic-host
```

Docker images:

```
[root@atomic-00 ~]# atomic images list
  REPOSITORY                        TAG                                              IMAGE ID       CREATED            VIRTUAL SIZE   TYPE
  sssd-enabled                      latest                                           1b1c0ea58e21   2017-01-17 06:08   208.79 MB      docker
* <none>                            <none>                                           3973bae74d48   2017-01-17 05:50   195.4 MB       docker
  lslebodn/sssd-docker              extras-rhel-7.3-docker-candidate-20170116051835  d534ba69e6ef   2017-01-16 10:33   357.42 MB      docker
  registry.access.redhat.com/rhel7  latest                                           e8e3aaf82af5   2016-11-30 22:16   192.53 MB      docker
```

sssd-docker version:

```
[root@atomic-00 ~]# atomic images info rhel7/sssd
Image Name: registry.access.redhat.com/rhel7/sssd:latest
BZComponent: sssd-docker
Name: rhel7/sssd
Release: 13
Version: 7.3
architecture: x86_64
authoritative-source-url: registry.access.redhat.com
build-date: 2017-01-16T05:24:20.922961
com.redhat.build-host: ip-10-29-120-149.ec2.internal
com.redhat.component: sssd-docker
description: The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
distribution-scope: public
install: docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${IMAGE} /bin/install.sh
io.k8s.description: The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
io.k8s.display-name: System Security Services Daemon (SSSD)
io.k8s.openshift.tags: security sssd authentication authorisation LDAP kerberos krb5 Active Directory IdM
io.openshift.tags: base rhel7
name: rhel7/sssd
release: 13
run: docker run -d --restart=always --privileged --net=host --name ${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} -v /etc/ipa/:/etc/ipa/:ro -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ -v /etc/krb5.keytab:/etc/krb5.keytab:ro -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /etc/openldap/:/etc/openldap/:ro -v /etc/pam.d/:/etc/pam.d/:ro -v /etc/passwd:/etc/passwd.host:ro -v /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /etc/ssh/:/etc/ssh/:ro -v /etc/sssd/:/etc/sssd/:ro -v /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro -v /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro -v /etc/sysconfig/network:/etc/sysconfig/network:ro -v /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro -v /etc/yp.conf:/etc/yp.conf:ro -v /var/cache/realmd/:/var/cache/realmd/ -v /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro -v /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro -v /var/lib/samba/:/var/lib/samba/ -v /var/lib/sss/:/var/lib/sss/ -v /var/log/sssd/:/var/log/sssd/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket ${IMAGE} /bin/run.sh
stop: docker kill -s TERM ${NAME}
summary: System Security Services Daemon (SSSD) provides centralized user authentication for Atomic Host.
uninstall: docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${IMAGE} /bin/uninstall.sh
vcs-ref: 7a04c34a349e5176745bb048dc047395e820b681
vcs-type: git
vendor: Red Hat, Inc.
version: 7.3
```

Following test cases were run and passed.

Test Result | Test Case | Defect | Duration | Executed by | Executed |
---|---|---|---|---|---|
Passed | [Revision: 1452154] RHEL7-58014 - IDM-SSSD-TC: SSSD-Container: Permit specific ad user login to Atomic host | | 0.000 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:29 |
Passed | [Revision: 1452166] RHEL7-58015 - IDM-SSSD-TC: SSSD-Container: verify AD user can sudo on atomc host with sudo provider as AD | | 1.760 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:31 |
Passed | [Revision: 1452135] RHEL7-58012 - IDM-SSSD-TC: SSSD-Container: Disjoin Atomic host from AD Domain using realm leave Cli | | 0.759 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:25 |
Passed | [Revision: 1452138] RHEL7-58013 - IDM-SSSD-TC: SSSD-Container: Verify uninstall container leaves domain | | 18.213 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:26 |
Passed | [Revision: 1451844] RHEL7-58007 - IDM-SSSD-TC: SSSD-Container: Realm join with membership software samba | | 16.984 s | Mallapadi Niranjan (mniranja) | 2017-01-17 00:16 |
Passed | [Revision: 1451848] RHEL7-58008 - IDM-SSSD-TC: SSSD-Container: Verify sssd selinux label | | 53.844 s | Mallapadi Niranjan (mniranja) | 2017-01-17 00:18 |
Passed | [Revision: 1451840] RHEL7-58006 - IDM-SSSD-TC: SSSD-Container : Discover Windows Domain on atomic host using realm cli | | 34.786 s | Mallapadi Niranjan (mniranja) | 2017-01-17 00:14 |
Passed | [Revision: 1451850] RHEL7-58009 - IDM-SSSD-TC: SSSD-Container: Query AD users using ID command | | 7.720 s | Mallapadi Niranjan (mniranja) | 2017-01-17 00:18 |
Passed | [Revision: 1452099] RHEL7-58010 - IDM-SSSD-TC: SSSD-Container: Query AD user using id command from new container | | 0.000 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:19 |
Passed | [Revision: 1452122] RHEL7-58011 - IDM-SSSD-TC: SSSD-Container: Join AD Domain using adcli as membership-software | | 35.829 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:23 |

IPA-server-Version: ipa-server-4.4.0-14.el7_3.4.x86_64
IPA-client version: ipa-client-4.4.0-14.el7_3.4.x86_64

Atomic host status:

```
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
             Version: 7.3.2 (2017-01-13 22:00:41)
              Commit: 96826a0d917d7ff10f9fd0289581649f2ffbddd76f3b80efd3d95cc11915cacb
              OSName: rhel-atomic-host
```

SETUP:
==================

```
-bash-4.2# systemctl stop sssd
-bash-4.2# cat /etc/resolv.conf
nameserver 10.16.96.37
```

INSTALL:
=================

```
-bash-4.2# atomic install sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=sssd -e HOST=/host sssd /bin/install.sh
Initializing configuration context from host ...
Client hostname: clientdocker.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: auto-hv-01-guest09.testrelm.test
BaseDN: dc=testrelm,dc=test
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Mon Jan 16 15:10:17 2017 UTC
    Valid Until: Fri Jan 16 15:10:17 2037 UTC
Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://auto-hv-01-guest09.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/json'
trying https://auto-hv-01-guest09.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Hostname (clientdocker.testrelm.test) does not have A/AAAA record.
Incorrect reverse record(s):
10.76.33.239 is pointing to dhcp200-239.lab.eng.pnq.redhat.com. instead of clientdocker.testrelm.test.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
Copying new configuration to host ...
Full path required for exclude: net:[4026531956].
Service sssd.service configured to run SSSD container.
-bash-4.2# docker exec -i sssd kinit admin
Error response from daemon: No such container: sssd
-bash-4.2# systemctl start sssd
-bash-4.2# systemctl sssd status
Unknown operation 'sssd'.
-bash-4.2# systemctl status sssd
● sssd.service - System Security Services Daemon in container
   Loaded: loaded (/etc/systemd/system/sssd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (exited) since Tue 2017-01-17 02:37:05 EST; 17s ago
  Process: 14123 ExecStart=/usr/bin/atomic run --name=sssd sssd (code=exited, status=0/SUCCESS)
 Main PID: 14123 (code=exited, status=0/SUCCESS)

Jan 17 02:37:03 clientdocker.testrelm.test systemd[1]: Starting System Security Services Daemon in container...
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: docker run -d --restart=always --privileged --net=host...enld
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: This container uses privileged security switches:
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: INFO: --net=host
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: Processes in this container can listen to ports (and p...ork.
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: INFO: --privileged
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: This container runs without separation and should be c...tem.
Jan 17 02:37:05 clientdocker.testrelm.test atomic[14123]: e69230b92c702b1d794943d65fe8a31a69a78b500911e676b8fb17...0a6d
Jan 17 02:37:05 clientdocker.testrelm.test atomic[14123]: For more information on these switches and their secur...un'.
Jan 17 02:37:05 clientdocker.testrelm.test systemd[1]: Started System Security Services Daemon in container.
Hint: Some lines were ellipsized, use -l to show in full.
-bash-4.2# docker exec -i sssd kinit admin
Password for admin: Secret123
```

KLIST:
==============

```
-bash-4.2# docker exec -i sssd klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
01/17/17 07:37:35  01/18/17 07:37:32  krbtgt/TESTRELM.TEST
-bash-4.2# docker exec -i sssd kdestroy
-bash-4.2# docker exec -i sssd klist
klist: Credentials cache keyring 'persistent:0:0' not found
-bash-4.2# docker exec -i sssd kinit admin
Password for admin: Secret123
-bash-4.2# docker exec -i sssd klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
01/17/17 07:37:58  01/18/17 07:37:55  krbtgt/TESTRELM.TEST
```

CLIENT VERSION:
====================

```
-bash-4.2# docker exec -i sssd rpm -q ipa-client
ipa-client-4.4.0-14.el7_3.4.x86_64
```

SSH:
=====================

```
-bash-4.2# ssh -o GSSAPIAuthentication=yes admin@`hostname` whoami
Could not chdir to home directory /home/admin: No such file or directory
admin
```

UNINSTALL:
=====================

```
-bash-4.2# atomic uninstall sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=sssd -e HOST=/host sssd /bin/uninstall.sh
Initializing configuration context from host ...
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Copying new configuration to host ...
Removing /etc/ipa/nssdb/pwdfile.txt
Removing /etc/ipa/nssdb/secmod.db
Removing /etc/ipa/nssdb/cert8.db
Removing /etc/ipa/nssdb/key3.db
Removing /etc/ipa/ca.crt
Removing /etc/ipa/default.conf
Removing /etc/sssd/systemctl-lite-enabled/sssd.service
Removing /etc/sssd/systemctl-lite-enabled/rhel-domainname.service
Removing /etc/sssd/sssd.conf
Removing /var/lib/ipa-client/sysrestore/69364e48e709ca3b-nsswitch.conf
Removing /var/lib/ipa-client/sysrestore/sysrestore.index
Removing /var/lib/ipa-client/sysrestore/e251fbeffe9583a3-krb5.conf
Removing /var/lib/ipa-client/sysrestore/sysrestore.state
Removing /var/lib/ipa-client/sysrestore/6f17853412338ede-ldap.conf
Removing /var/lib/ipa-client/sysrestore/14d10dd149b4ace6-ssh_config
Removing /var/lib/ipa-client/sysrestore/f1bb0822e96d0e7f-sshd_config
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test.123
Removing /var/lib/sss/pipes/private/sbus-monitor
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test.13
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test
Removing /var/lib/sss/pipes/private/pam
Removing /var/lib/sss/mc/passwd
Removing /var/lib/sss/mc/group
Removing /var/lib/sss/db/cache_testrelm.test.ldb
Removing /var/lib/sss/db/ccache_TESTRELM.TEST
docker rmi sssd
Untagged: sssd:latest
```

AD users can be found on IPA-client configured using sssd-container image (TRUST setup, 2-way):
==========================================================

```
-bash-4.2# docker exec -i sssd id idviewuser1
uid=577602341(idviewuser1) gid=577602341(idviewuser1) groups=577602341(idviewuser1),577600513(domain users),577602566(adgroup1)
```

Verified the bug on the basis of observations in Comment#2, Comment#4 and Comment#5, thus changing the status of bug to "VERIFIED".
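The `atomic run` journal lines above flag the two switches that matter for this image (`--privileged` and `--net=host`), and the `run` label in `atomic images info` shows which host paths are mounted read-only and which are writable from inside the container. The script below is an added example, not part of the bug report or of the sssd-docker image: it audits a `run` label of that shape and lists the isolation-removing switches and the writable host mounts, so a reviewer can confirm that only the paths SSSD must write to (its cache, pipes, logs, realmd/samba state, the D-Bus socket) are left without `:ro`. `RUN_LABEL` is copied from the image metadata quoted in the report; the helper function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the sssd-docker image): audit a
# container "run" label for privileged switches and writable host mounts.
# RUN_LABEL is the run label of rhel7/sssd:latest as printed by
# `atomic images info rhel7/sssd` in the report; the helpers are hypothetical.

RUN_LABEL='docker run -d --restart=always --privileged --net=host --name ${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} -v /etc/ipa/:/etc/ipa/:ro -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ -v /etc/krb5.keytab:/etc/krb5.keytab:ro -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /etc/openldap/:/etc/openldap/:ro -v /etc/pam.d/:/etc/pam.d/:ro -v /etc/passwd:/etc/passwd.host:ro -v /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /etc/ssh/:/etc/ssh/:ro -v /etc/sssd/:/etc/sssd/:ro -v /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro -v /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro -v /etc/sysconfig/network:/etc/sysconfig/network:ro -v /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro -v /etc/yp.conf:/etc/yp.conf:ro -v /var/cache/realmd/:/var/cache/realmd/ -v /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro -v /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro -v /var/lib/samba/:/var/lib/samba/ -v /var/lib/sss/:/var/lib/sss/ -v /var/log/sssd/:/var/log/sssd/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket ${IMAGE} /bin/run.sh'

# Print each switch that removes isolation from the host, one per line.
# Runs in a subshell with globbing off so the label can be word-split safely.
privileged_switches() (
    set -f
    for tok in $1; do
        case "$tok" in
            --privileged|--net=host|--pid=host|--ipc=host|--userns=host)
                printf '%s\n' "$tok" ;;
        esac
    done
)

# Print each -v mount whose spec does not end in :ro, i.e. a host path the
# container can write to, one per line.
writable_mounts() (
    set -f
    prev=""
    for tok in $1; do
        if [ "$prev" = "-v" ]; then
            case "$tok" in
                *:ro) ;;                      # read-only mount: fine
                *)    printf '%s\n' "$tok" ;; # writable mount: report it
            esac
        fi
        prev="$tok"
    done
)

# Number of writable host mounts, usable as a pass/fail gate in CI.
writable_mount_count() {
    writable_mounts "$1" | wc -l | tr -d ' '
}

# Human-readable summary of both findings.
audit_run_label() {
    echo "privileged switches:"
    privileged_switches "$1" | sed 's/^/  /'
    echo "writable host mounts ($(writable_mount_count "$1")):"
    writable_mounts "$1" | sed 's/^/  /'
}

audit_run_label "$RUN_LABEL"
```

For the label above the audit reports `--privileged` and `--net=host`, matching the `INFO:` lines that `atomic run` wrote to the journal, and six writable mounts (`/etc/krb5.conf.d/`, `/var/cache/realmd/`, `/var/lib/samba/`, `/var/lib/sss/`, `/var/log/sssd/` and the D-Bus socket); every file under `/etc/sssd/`, `/etc/ssh/` and `/etc/pam.d/` stays read-only. The same function can be pointed at any other image's `run` label, which is how a respin such as this one can be diffed against the previous release before it is pushed.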
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0145