Bug 1657295
Summary: | remote user can not ssh to a winbind joined system | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Patrik Kis <pkis> |
Component: | authselect | Assignee: | Pavel Březina <pbrezina> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Steeve Goveas <sgoveas> |
Severity: | high | Docs Contact: | Filip Hanzelka <fhanzelk> |
Priority: | high | ||
Version: | 8.1 | CC: | fhanzelk, fweimer, igkioka, jhrozek, lmanasko, ndehadra, pbrezina, sbose |
Target Milestone: | rc | Keywords: | Regression, TestBlocker |
Target Release: | 8.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Known Issue | |
Doc Text: |
.Changing `/etc/nsswitch.conf` requires a manual system reboot
Any change to the `/etc/nsswitch.conf` file, for example running the `authselect select profile_id` command, requires a system reboot so that all relevant processes use the updated version of the `/etc/nsswitch.conf` file. If a system reboot is not possible, restart the service that joins your system to Active Directory, which is the `System Security Services Daemon` (SSSD) or `winbind`.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-11 10:32:21 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1682278 | ||
Bug Blocks: |
Description
Patrik Kis
2018-12-07 15:47:07 UTC
I think the underlying reason for this is that logind does not re-read /etc/nsswitch.conf and hence is not aware of nss-winbind and the new users served by winbind. I can make the test pass with: diff --git a/Regression/bz1484072-realmd-join-add-deprecated-options-to-samba-file/runtest.sh b/Regression/bz1484072-realmd-join-add-deprecated-options-to-samba-file/runtest.sh index ca83832..01a5875 100755 --- a/Regression/bz1484072-realmd-join-add-deprecated-options-to-samba-file/runtest.sh +++ b/Regression/bz1484072-realmd-join-add-deprecated-options-to-samba-file/runtest.sh @@ -133,6 +133,7 @@ rlJournalStart # On slower machines the sssd and mainly winbind daemon may not be ready immediately echo "Winbind is slooow. Give it some time. Sleeping for 20 seconds." sleep 30 + rlRun "systemctl restart systemd-logind" rlRun "realmd_check_join $realmd_USER $realmd_USER_PASS $realmd_REALM_DOMAIN_AD" # Check the home folder location (it should be user@domain all in lowercase) rlRun "getent passwd $realmd_USER@$realmd_REALM_DOMAIN_AD &>id.log" Not sure what is the best way forward here. authselect can signal/restart logind whenever /etc/nsswitch.conf is touched or just print a message and let the callers do this? Ah, I forgot to say, this is not a logind issue, it will affect all long running processes which were started before authselect changed /etc/nsswitch.conf and using authconfig would lead to the same issue as well. From nsswitch.conf man page: """ Within each process that uses nsswitch.conf, the entire file is read only once. If the file is later changed, the process will continue using the old configuration. """ Seeing similar issue in ipa-hbac-func test suite, where 'su' command fails Example:: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: user access to master for ftp, on master, add rule :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ 15:43:47 ] :: [ BEGIN ] :: Kinit as admin user :: actually running 'kinitAs admin Secret123' Password for admin: Default principal: admin :: [ 15:43:48 ] :: [ LOG ] :: kinit as admin with password Secret123 was successful. :: [ 15:43:48 ] :: [ PASS ] :: Kinit as admin user (Expected 0, got 0) :: [ 15:43:48 ] :: [ BEGIN ] :: Running 'mkdir -p /home/user1' :: [ 15:43:48 ] :: [ PASS ] :: Command 'mkdir -p /home/user1' (Expected 0, got 0) :: [ 15:43:48 ] :: [ BEGIN ] :: Running 'chmod 700 /home/user1' :: [ 15:43:48 ] :: [ PASS ] :: Command 'chmod 700 /home/user1' (Expected 0, got 0) :: [ 15:43:48 ] :: [ BEGIN ] :: Running 'create_ipauser user1 user1 user1 ' :: [ 15:43:48 ] :: [ LOG ] :: create ipa user: [user1], firstname: [user1], lastname: [user1] password: [testpw123] :: [ 15:43:50 ] :: [ LOG ] :: create ipa user: [user1], password: [testpw123] :: [ 15:43:50 ] :: [ BEGIN ] :: add test user account :: actually running 'echo dummy123 | ipa user-add user1 --first 'user1' --last 'user1' --password ' ------------------ Added user "user1" ------------------ User login: user1 First name: user1 Last name: user1 Full name: user1 user1 Display name: user1 user1 Initials: uu Home directory: /home/user1 GECOS: user1 user1 Login shell: /bin/sh Principal name: user1 Principal alias: user1 User password expiration: 20190110101351Z Email address: user1 UID: 1752800006 GID: 1752800006 Password: True Member of groups: ipausers Kerberos keys available: True :: [ 15:43:52 ] :: [ PASS ] :: add test user account (Expected 0, got 0) :: [ 15:43:54 ] :: [ BEGIN ] :: Running 'FirstKinitAs user1 dummy123 testpw123' Using default cache: 0 Using principal: user1 Password for user1: Password expired. You must change it now. Enter new password: Enter it again: Authenticated to Kerberos v5 Default principal: user1 :: [ 15:43:55 ] :: [ LOG ] :: kinit as user1 with new password testpw123 was successful. :: [ 15:43:55 ] :: [ PASS ] :: Command 'FirstKinitAs user1 dummy123 testpw123' (Expected 0, got 0) user1 :: [ 15:43:55 ] :: [ PASS ] :: Command 'create_ipauser user1 user1 user1 ' (Expected 0, got 0) :: [ 15:43:55 ] :: [ BEGIN ] :: Running 'chown user1.user1 /home/user1' :: [ 15:43:55 ] :: [ PASS ] :: Command 'chown user1.user1 /home/user1' (Expected 0, got 0) :: [ 15:43:55 ] :: [ LOG ] :: Adding Dummy Code-Debugging :: [ 15:43:56 ] :: [ BEGIN ] :: Restarting systemd login service :: actually running 'systemctl restart systemd-logind' :: [ 15:43:56 ] :: [ PASS ] :: Restarting systemd login service (Expected 0, got 0) :: [ 15:43:56 ] :: [ BEGIN ] :: Running 'sleep 120' :: [ 15:45:56 ] :: [ PASS ] :: Command 'sleep 120' (Expected 0, got 0) :: [ 15:45:56 ] :: [ LOG ] :: Dummy Code-Debugging end :: [ 15:45:56 ] :: [ BEGIN ] :: Running 'su - user1 -c 'pwd'' su: cannot open session: System error :: [ 15:45:56 ] :: [ FAIL ] :: Command 'su - user1 -c 'pwd'' (Expected 0, got 1) Logs: [root@vm-idm-020 ~]# cat /var/log/secure | grep 'su' Jan 10 15:40:38 vm-idm-020 su[9611]: pam_unix(su-l:session): session opened for user user1 by (uid=0) Jan 10 15:40:38 vm-idm-020 su[9611]: pam_unix(su-l:session): session closed for user user1 Jan 10 15:40:39 vm-idm-020 sshd[9677]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.65.206.154 user=user1 Jan 10 15:40:51 vm-idm-020 su[9837]: pam_unix(su-l:session): session opened for user user1 by (uid=0) Jan 10 15:40:51 vm-idm-020 su[9837]: pam_unix(su-l:session): session closed for user user1 Jan 10 15:41:08 vm-idm-020 su[9991]: pam_unix(su-l:session): session opened for user user2 by (uid=0) Jan 10 15:41:08 vm-idm-020 su[9991]: pam_unix(su-l:session): session closed for user user2 Jan 10 15:41:25 vm-idm-020 su[10149]: pam_unix(su-l:session): session opened for user user3 by (uid=0) Jan 10 15:41:25 vm-idm-020 su[10149]: pam_unix(su-l:session): session closed for user user3 Jan 10 15:41:31 vm-idm-020 sshd[10247]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.65.206.154 user=user1 Jan 10 15:41:32 vm-idm-020 sshd[10303]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.65.206.154 user=user3 Jan 10 15:45:56 vm-idm-020 su[11289]: pam_systemd(su-l:session): Failed to create session: Start job for unit user failed with 'failed' Jan 10 15:45:56 vm-idm-020 su[11289]: pam_unix(su-l:session): session opened for user user1 by (uid=0) Jan 10 15:48:04 vm-idm-020 su[11518]: pam_systemd(su-l:session): Failed to create session: Start job for unit user failed with 'failed' Jan 10 15:48:04 vm-idm-020 su[11518]: pam_unix(su-l:session): session opened for user user2 by (uid=0) This seems to be the same a bug reported against IPA: https://bugzilla.redhat.com/show_bug.cgi?id=1664974 The commit that brought this issue up has been reverted [1]. But it should still be documented that changing nsswitch.conf requires reboot. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1643928 Changes to nsswitch.conf requires reboot of the machine/daemons for the daemons to pick it up. Automatic reload of nsswitch table will be implemented in glibc [1] and authselect can not do anything about it besides documenting it. Documentation has been provided and this particular issue has been worked around in RHEL8.0. Thus closing as CURRENTRELEASE. [1] https://bugzilla.redhat.com/show_bug.cgi?id=132608 |