Bug 1410054
| Summary: | Tracker bug -- 7.3.2 respin of sssd-docker | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Lukas Slebodnik <lslebodn> |
| Component: | sssd-container | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | jhrozek, jpazdziora, lslebodn, mniranja, ndehadra |
| Target Milestone: | rc | Keywords: | Tracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-17 23:54:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Lukas Slebodnik
2017-01-04 11:03:14 UTC
Version:
-bash-4.2$ atomic host status
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
Version: 7.3.2 (2017-01-13 22:00:41)
Commit: 96826a0d917d7ff10f9fd0289581649f2ffbddd76f3b80efd3d95cc11915cacb
OSName: rhel-atomic-host
Docker images:
[root@atomic-00 ~]# atomic images list
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE TYPE
sssd-enabled latest 1b1c0ea58e21 2017-01-17 06:08 208.79 MB docker
* <none> <none> 3973bae74d48 2017-01-17 05:50 195.4 MB docker
lslebodn/sssd-docker extras-rhel-7.3-docker-candidate-20170116051835 d534ba69e6ef 2017-01-16 10:33 357.42 MB docker
registry.access.redhat.com/rhel7 latest e8e3aaf82af5 2016-11-30 22:16 192.53 MB docker
sssd-docker version:
[root@atomic-00 ~]# atomic images info rhel7/sssd
Image Name: registry.access.redhat.com/rhel7/sssd:latest
BZComponent: sssd-docker
Name: rhel7/sssd
Release: 13
Version: 7.3
architecture: x86_64
authoritative-source-url: registry.access.redhat.com
build-date: 2017-01-16T05:24:20.922961
com.redhat.build-host: ip-10-29-120-149.ec2.internal
com.redhat.component: sssd-docker
description: The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
distribution-scope: public
install: docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${IMAGE} /bin/install.sh
io.k8s.description: The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
io.k8s.display-name: System Security Services Daemon (SSSD)
io.k8s.openshift.tags: security sssd authentication authorisation LDAP kerberos krb5 Active Directory IdM
io.openshift.tags: base rhel7
name: rhel7/sssd
release: 13
run: docker run -d --restart=always --privileged --net=host --name ${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} -v /etc/ipa/:/etc/ipa/:ro -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ -v /etc/krb5.keytab:/etc/krb5.keytab:ro -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /etc/openldap/:/etc/openldap/:ro -v /etc/pam.d/:/etc/pam.d/:ro -v /etc/passwd:/etc/passwd.host:ro -v /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /etc/ssh/:/etc/ssh/:ro -v /etc/sssd/:/etc/sssd/:ro -v /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro -v /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro -v /etc/sysconfig/network:/etc/sysconfig/network:ro -v /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro -v /etc/yp.conf:/etc/yp.conf:ro -v /var/cache/realmd/:/var/cache/realmd/ -v /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro -v /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro -v /var/lib/samba/:/var/lib/samba/ -v /var/lib/sss/:/var/lib/sss/ -v /var/log/sssd/:/var/log/sssd/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket ${IMAGE} /bin/run.sh
stop: docker kill -s TERM ${NAME}
summary: System Security Services Daemon (SSSD) provides centralized user authentication for Atomic Host.
uninstall: docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${IMAGE} /bin/uninstall.sh
vcs-ref: 7a04c34a349e5176745bb048dc047395e820b681
vcs-type: git
vendor: Red Hat, Inc.
version: 7.3
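The `run` label above starts the container with `--privileged`, `--net=host` and a long list of bind mounts, some read-only and some writable, which is exactly what the `atomic run` warning later in this bug flags as "privileged security switches". As an added example (not code from the sssd-docker project or from this bug), the following script parses a docker run command line of that shape and lists the switches that weaken isolation together with every host path the container can write. The sample label embedded in the script is a constructed, abbreviated copy of the image's `run` label; the `${NAME}` and `${IMAGE}` placeholders are kept unexpanded, as in the label itself.

```python
"""Audit the security-relevant switches in a container image's `run` label.

Added example, not code from the sssd-docker project: parses a docker run
command line of the shape used by the image's `run` label and reports the
privileged switches plus every host path the container can write.
"""
import shlex
from dataclasses import dataclass, field


# Constructed sample: an abbreviated form of the image's `run` label. The
# ${NAME}/${IMAGE} placeholders are left unexpanded, as they appear in the label.
SAMPLE_RUN_LABEL = (
    "docker run -d --restart=always --privileged --net=host --name ${NAME} "
    "-e NAME=${NAME} -e IMAGE=${IMAGE} "
    "-v /etc/krb5.keytab:/etc/krb5.keytab:ro "
    "-v /etc/sssd/:/etc/sssd/:ro "
    "-v /var/lib/sss/:/var/lib/sss/ "
    "-v /var/log/sssd/:/var/log/sssd/ "
    "-v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket "
    "${IMAGE} /bin/run.sh"
)


@dataclass
class RunAudit:
    privileged: bool = False
    host_network: bool = False
    ro_mounts: list = field(default_factory=list)  # host paths mounted read-only
    rw_mounts: list = field(default_factory=list)  # host paths writable from the container


def parse_mount(spec):
    """Split a -v HOST:CONTAINER[:opt,opt] spec into (host, container, read_only)."""
    parts = spec.split(":")
    if len(parts) < 2:
        raise ValueError("not a bind mount: %s" % spec)
    opts = parts[2].split(",") if len(parts) > 2 else []
    return parts[0], parts[1], "ro" in opts


def audit_run_label(label):
    """Walk the docker run arguments and record the switches that weaken isolation."""
    audit = RunAudit()
    tokens = shlex.split(label)  # whitespace split; ${...} is not expanded
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--privileged":
            audit.privileged = True
        elif tok in ("--net=host", "--network=host"):
            audit.host_network = True
        elif tok in ("--net", "--network") and i + 1 < len(tokens):
            i += 1
            audit.host_network |= tokens[i] == "host"
        elif tok in ("-v", "--volume") and i + 1 < len(tokens):
            i += 1
            host, _container, read_only = parse_mount(tokens[i])
            (audit.ro_mounts if read_only else audit.rw_mounts).append(host)
        elif tok.startswith("--volume="):
            host, _container, read_only = parse_mount(tok[len("--volume="):])
            (audit.ro_mounts if read_only else audit.rw_mounts).append(host)
        i += 1
    return audit


def findings(audit):
    """Render the audit as review findings, one line each."""
    lines = []
    if audit.privileged:
        lines.append("--privileged: all capabilities, no device cgroup limits, "
                     "no seccomp or SELinux/AppArmor container confinement")
    if audit.host_network:
        lines.append("--net=host: shares the host network namespace and can bind any host port")
    for path in audit.rw_mounts:
        lines.append("writable host path: %s" % path)
    return lines


if __name__ == "__main__":
    for line in findings(audit_run_label(SAMPLE_RUN_LABEL)):
        print(line)
```

Run against the sample label, the audit reports the two privileged switches and three writable host paths (`/var/lib/sss/`, `/var/log/sssd/` and the system D-Bus socket), while the keytab and `/etc/sssd/` show up as read-only. For a container that needs host identity data, the read-only mounts are the ones to keep; each writable path is a place where a compromised container can persist changes on the host, so the list is what a reviewer should justify one entry at a time.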
The following test cases were run and passed.

| Test Result | Test Case | Defect | Duration | Executed by | Executed |
|---|---|---|---|---|---|
| Passed | [Revision: 1452154] RHEL7-58014 - IDM-SSSD-TC: SSSD-Container: Permit specific ad user login to Atomic host | | 0.000 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:29 |
| Passed | [Revision: 1452166] RHEL7-58015 - IDM-SSSD-TC: SSSD-Container: verify AD user can sudo on atomic host with sudo provider as AD | | 1.760 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:31 |
| Passed | [Revision: 1452135] RHEL7-58012 - IDM-SSSD-TC: SSSD-Container: Disjoin Atomic host from AD Domain using realm leave Cli | | 0.759 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:25 |
| Passed | [Revision: 1452138] RHEL7-58013 - IDM-SSSD-TC: SSSD-Container: Verify uninstall container leaves domain | | 18.213 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:26 |
| Passed | [Revision: 1451844] RHEL7-58007 - IDM-SSSD-TC: SSSD-Container: Realm join with membership software samba | | 16.984 s | Mallapadi Niranjan (mniranja) | 2017-01-17 00:16 |
| Passed | [Revision: 1451848] RHEL7-58008 - IDM-SSSD-TC: SSSD-Container: Verify sssd selinux label | | 53.844 s | Mallapadi Niranjan (mniranja) | 2017-01-17 00:18 |
| Passed | [Revision: 1451840] RHEL7-58006 - IDM-SSSD-TC: SSSD-Container: Discover Windows Domain on atomic host using realm cli | | 34.786 s | Mallapadi Niranjan (mniranja) | 2017-01-17 00:14 |
| Passed | [Revision: 1451850] RHEL7-58009 - IDM-SSSD-TC: SSSD-Container: Query AD users using ID command | | 7.720 s | Mallapadi Niranjan (mniranja) | 2017-01-17 00:18 |
| Passed | [Revision: 1452099] RHEL7-58010 - IDM-SSSD-TC: SSSD-Container: Query AD user using id command from new container | | 0.000 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:19 |
| Passed | [Revision: 1452122] RHEL7-58011 - IDM-SSSD-TC: SSSD-Container: Join AD Domain using adcli as membership-software | | 35.829 s | Mallapadi Niranjan (mniranja) | 2017-01-17 01:23 |
IPA-server-Version: ipa-server-4.4.0-14.el7_3.4.x86_64
IPA-client version: ipa-client-4.4.0-14.el7_3.4.x86_64
Atomic host status:
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
Version: 7.3.2 (2017-01-13 22:00:41)
Commit: 96826a0d917d7ff10f9fd0289581649f2ffbddd76f3b80efd3d95cc11915cacb
OSName: rhel-atomic-host
SETUP:
==================
-bash-4.2# systemctl stop sssd
-bash-4.2# cat /etc/resolv.conf
nameserver 10.16.96.37
INSTALL:
=================
-bash-4.2# atomic install sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=sssd -e HOST=/host sssd /bin/install.sh
Initializing configuration context from host ...
Client hostname: clientdocker.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: auto-hv-01-guest09.testrelm.test
BaseDN: dc=testrelm,dc=test
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=TESTRELM.TEST
Issuer: CN=Certificate Authority,O=TESTRELM.TEST
Valid From: Mon Jan 16 15:10:17 2017 UTC
Valid Until: Fri Jan 16 15:10:17 2037 UTC
Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://auto-hv-01-guest09.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/json'
trying https://auto-hv-01-guest09.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Hostname (clientdocker.testrelm.test) does not have A/AAAA record.
Incorrect reverse record(s):
10.76.33.239 is pointing to dhcp200-239.lab.eng.pnq.redhat.com. instead of clientdocker.testrelm.test.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
Copying new configuration to host ...
Full path required for exclude: net:[4026531956].
Service sssd.service configured to run SSSD container.
-bash-4.2# docker exec -i sssd kinit admin
Error response from daemon: No such container: sssd
-bash-4.2# systemctl start sssd
-bash-4.2# systemctl sssd status
Unknown operation 'sssd'.
-bash-4.2# systemctl status sssd
● sssd.service - System Security Services Daemon in container
Loaded: loaded (/etc/systemd/system/sssd.service; disabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/sssd.service.d
└─journal.conf
Active: active (exited) since Tue 2017-01-17 02:37:05 EST; 17s ago
Process: 14123 ExecStart=/usr/bin/atomic run --name=sssd sssd (code=exited, status=0/SUCCESS)
Main PID: 14123 (code=exited, status=0/SUCCESS)
Jan 17 02:37:03 clientdocker.testrelm.test systemd[1]: Starting System Security Services Daemon in container...
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: docker run -d --restart=always --privileged --net=host...enld
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: This container uses privileged security switches:
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: INFO: --net=host
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: Processes in this container can listen to ports (and p...ork.
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: INFO: --privileged
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: This container runs without separation and should be c...tem.
Jan 17 02:37:05 clientdocker.testrelm.test atomic[14123]: e69230b92c702b1d794943d65fe8a31a69a78b500911e676b8fb17...0a6d
Jan 17 02:37:05 clientdocker.testrelm.test atomic[14123]: For more information on these switches and their secur...un'.
Jan 17 02:37:05 clientdocker.testrelm.test systemd[1]: Started System Security Services Daemon in container.
Hint: Some lines were ellipsized, use -l to show in full.
-bash-4.2# docker exec -i sssd kinit admin
Password for admin: Secret123
KLIST:
==============
-bash-4.2# docker exec -i sssd klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin
Valid starting Expires Service principal
01/17/17 07:37:35 01/18/17 07:37:32 krbtgt/TESTRELM.TEST
-bash-4.2# docker exec -i sssd kdestroy
-bash-4.2# docker exec -i sssd klist
klist: Credentials cache keyring 'persistent:0:0' not found
-bash-4.2# docker exec -i sssd kinit admin
Password for admin: Secret123
-bash-4.2# docker exec -i sssd klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin
Valid starting Expires Service principal
01/17/17 07:37:58 01/18/17 07:37:55 krbtgt/TESTRELM.TEST
CLIENT VERSION:
====================
-bash-4.2# docker exec -i sssd rpm -q ipa-client
ipa-client-4.4.0-14.el7_3.4.x86_64
SSH:
=====================
-bash-4.2# ssh -o GSSAPIAuthentication=yes admin@`hostname` whoami
Could not chdir to home directory /home/admin: No such file or directory
admin
UNINSTALL:
=====================
-bash-4.2# atomic uninstall sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=sssd -e HOST=/host sssd /bin/uninstall.sh
Initializing configuration context from host ...
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Copying new configuration to host ...
Removing /etc/ipa/nssdb/pwdfile.txt
Removing /etc/ipa/nssdb/secmod.db
Removing /etc/ipa/nssdb/cert8.db
Removing /etc/ipa/nssdb/key3.db
Removing /etc/ipa/ca.crt
Removing /etc/ipa/default.conf
Removing /etc/sssd/systemctl-lite-enabled/sssd.service
Removing /etc/sssd/systemctl-lite-enabled/rhel-domainname.service
Removing /etc/sssd/sssd.conf
Removing /var/lib/ipa-client/sysrestore/69364e48e709ca3b-nsswitch.conf
Removing /var/lib/ipa-client/sysrestore/sysrestore.index
Removing /var/lib/ipa-client/sysrestore/e251fbeffe9583a3-krb5.conf
Removing /var/lib/ipa-client/sysrestore/sysrestore.state
Removing /var/lib/ipa-client/sysrestore/6f17853412338ede-ldap.conf
Removing /var/lib/ipa-client/sysrestore/14d10dd149b4ace6-ssh_config
Removing /var/lib/ipa-client/sysrestore/f1bb0822e96d0e7f-sshd_config
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test.123
Removing /var/lib/sss/pipes/private/sbus-monitor
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test.13
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test
Removing /var/lib/sss/pipes/private/pam
Removing /var/lib/sss/mc/passwd
Removing /var/lib/sss/mc/group
Removing /var/lib/sss/db/cache_testrelm.test.ldb
Removing /var/lib/sss/db/ccache_TESTRELM.TEST
docker rmi sssd
Untagged: sssd:latest
AD users can be found on IPA-client configured using sssd-container image: (TRUST setup-2 way)
==========================================================
-bash-4.2# docker exec -i sssd id idviewuser1
uid=577602341(idviewuser1) gid=577602341(idviewuser1) groups=577602341(idviewuser1),577600513(domain users),577602566(adgroup1)

Verified the bug on the basis of observations in Comment#2, Comment#4 and Comment#5, thus changing the status of the bug to "VERIFIED".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0145