Bug 1668025
| Summary: | ipa-client installation failing with error "Unable to get current fscreate selinux context!" | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Varun Mylaraiah <mvarun> |
| Component: | authselect | Assignee: | Pavel Březina <pbrezina> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Steeve Goveas <sgoveas> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.0 | CC: | abroy, dlavu, dpal, fcami, jhrozek, jwboyer, mvarun, pvoborni, rcritten, sgadekar, tscherf |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | 8.0 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | authselect-1.0-12.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-14 01:01:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Based on the client log it seems to be more related to authselect, but seeing the whole original ipaserver install log would be more useful. Also seeing the SELinux AVCs would be handy. Given it is failing during authselect, re-assigning there for further analysis.

Internally, authselect now calls the selinux api to set the proper label on generated files (setfscreatecon [1][2]). This is most probably a duplicate of [3]. I will set up a rhel8 machine and try to reproduce, but is this perhaps in a container as well?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1664650
[2] https://github.com/pbrezina/authselect/commit/9451dd55c43ce704e520dd4d62676466cc68b71e#diff-4f5513ba0e1cbc67450a675d4d7c228dR118
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1667524

Thank you. So the problem is that selinux is disabled on the machine (I tried the client machine). If it is enforcing/permissive then it works. I would expect that the selinux api would be able to deal with this, but apparently not.

Asking for exception.

Authselect does not work when SELinux is disabled. Internally, authselect generates some temporary files which are later renamed to pam/nsswitch configuration files. To do this, authselect obtains the default selinux context so it creates these temporary files with the proper selinux label. However, when selinux is disabled this step fails and causes authselect to fail. As a result authselect can not be used when selinux is disabled.

Steps to reproduce:
1. Disable selinux (set SELINUX=disabled in /etc/selinux/config)
2. Run 'authselect select sssd --force'
3. See that it failed (it actually produces a core dump)

Thank you. I'll push a new build once this bug gets an exception. Rationale for the exception can be found in comment #9: https://bugzilla.redhat.com/show_bug.cgi?id=1668025#c9

*** Bug 1677832 has been marked as a duplicate of this bug. ***

verified with following data:
[root@auto-hv-02-guest10 ~]# rpm -q authselect
authselect-1.0-12.el8.x86_64
[root@auto-hv-02-guest10 ~]#
[root@auto-hv-02-guest10 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@auto-hv-02-guest10 ~]# rpm -q authconfig
package authconfig is not installed
[root@auto-hv-02-guest10 ~]# rpm -q authselect
authselect-1.0-12.el8.x86_64
[root@auto-hv-02-guest10 ~]# rpm -q sssd
sssd-2.0.0-43.el8.x86_64
[root@auto-hv-02-guest10 ~]# sestatus
SELinux status: disabled
[root@auto-hv-02-guest10 ~]# realm join CHILD.SSSD2016.COM -v
* Resolving: _ldap._tcp.child.sssd2016.com
* Performing LDAP DSE lookup on: 192.168.1.12
* Successfully discovered: child.sssd2016.com
Password for Administrator:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
* Joining using a truncated netbios name: AUTO-HV-02-GUES
* LANG=C /usr/sbin/adcli join --verbose --domain child.sssd2016.com --domain-realm CHILD.SSSD2016.COM --domain-controller 192.168.1.12 --computer-name AUTO-HV-02-GUES --login-type user --login-user Administrator --stdin-password
* Using domain name: child.sssd2016.com
* Using computer account name: AUTO-HV-02-GUES
* Using domain realm: child.sssd2016.com
* Sending netlogon pings to domain controller: cldap://192.168.1.12
* Received NetLogon info from: phoebe.child.sssd2016.com
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-WDWfC3/krb5.d/adcli-krb5-conf-TFMvwW
* Authenticated as user: Administrator.COM
* Looked up short domain name: CHILD
* Looked up domain SID: S-1-5-21-2207362110-3694979062-1585887494
* Using fully qualified name: auto-hv-02-guest10.child.sssd2016.com
* Using domain name: child.sssd2016.com
* Using computer account name: AUTO-HV-02-GUES
* Using domain realm: child.sssd2016.com
* Enrolling computer name: AUTO-HV-02-GUES
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for AUTO-HV-02-GUES$ at: CN=AUTO-HV-02-GUES,CN=Computers,DC=child,DC=sssd2016,DC=com
* Sending netlogon pings to domain controller: cldap://1192.168.1.12
* Received NetLogon info from: phoebe.child.sssd2016.com
* Set computer password
* Retrieved kvno '5' for computer account in directory: CN=AUTO-HV-02-GUES,CN=Computers,DC=child,DC=sssd2016,DC=com
* Discovered which keytab salt to use
* Added the entries to the keytab: AUTO-HV-02-GUES$@CHILD.SSSD2016.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/AUTO-HV-02-GUES.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: host/auto-hv-02-guest10.child.sssd2016.com.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/AUTO-HV-02-GUES.COM: FILE:/etc/krb5.keytab
* Added the entries to the keytab: RestrictedKrbHost/auto-hv-02-guest10.child.sssd2016.com.COM: FILE:/etc/krb5.keytab
* /usr/bin/systemctl enable sssd.service
Created symlink /etc/systemd/system/multi-user.target.wants/sssd.service → /usr/lib/systemd/system/sssd.service.
* /usr/bin/systemctl restart sssd.service
* /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2019-02-21-06-44-00.oJ0nKF
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
is present and oddjobd service is enabled
- systemctl enable oddjobd.service
- systemctl start oddjobd.service
* Successfully enrolled machine in realm
[root@auto-hv-02-guest10 ~]# cat /etc/pam.d/password-auth
# Generated by authselect on Thu Feb 21 01:44:00 2019
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
~]# systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-02-21 01:43:43 EST; 5min ago
Main PID: 11746 (sssd)
Tasks: 5 (limit: 24009)
Memory: 37.7M
CGroup: /system.slice/sssd.service
├─11746 /usr/sbin/sssd -i --logger=files
├─11747 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
├─11748 /usr/libexec/sssd/sssd_be --domain child.sssd2016.com --uid 0 --gid 0 --logger=files
├─11749 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─11750 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
Feb 21 01:43:43 auto-hv-02-guest10.child.sssd2016.com sssd[pam][11750]: Starting up
Feb 21 01:43:43 auto-hv-02-guest10.child.sssd2016.com systemd[1]: Started System Security Services Daemon.
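The write pattern described in the comments above (create a temporary file carrying the SELinux label the final PAM/nsswitch file should have, then rename it over the target) together with the guard that authselect-1.0-11 lacked, as an added example in Python rather than authselect's own C code. Everything in it is constructed for this page: the /etc/selinux/config parser, the SAMPLE_CONFIG text (modelled on the config shown in the verification log), the function names, and the optional use of the python3-libselinux `selinux` module; the fix actually shipped in authselect-1.0-12.el8 is not reproduced here.

```python
"""Added example: atomic config-file generation with an optional SELinux
labelling step that is skipped when SELinux is disabled or the bindings
are absent. Not authselect's code; names and sample data are constructed."""
import os
import re
import tempfile

try:
    import selinux  # python3-libselinux bindings; optional on purpose
except ImportError:  # no bindings at all: behave as if SELinux were disabled
    selinux = None

# Constructed sample mirroring the /etc/selinux/config shown in the bug.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
SELINUXTYPE=targeted
"""

_KV = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)\s*$")
_MODES = ("enforcing", "permissive", "disabled")


def parse_selinux_config(text):
    """Return the KEY=value pairs of an /etc/selinux/config, skipping comments."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _KV.match(line)
        if match:
            settings[match.group(1).upper()] = match.group(2).lower()
    return settings


def configured_mode(text):
    """SELINUX= mode from the config; when the key is absent assume enforcing."""
    mode = parse_selinux_config(text).get("SELINUX", "enforcing")
    if mode not in _MODES:
        raise ValueError("unknown SELINUX= value: %r" % mode)
    return mode


def labelling_available():
    """True only when the bindings load and the kernel reports SELinux enabled.
    With SELinux disabled there is no selinuxfs, so getfscreatecon() fails
    (the 'Unable to get current fscreate selinux context!' error); the
    labelling step must therefore be skipped, not attempted and aborted on."""
    return selinux is not None and selinux.is_selinux_enabled() == 1


def write_generated_file(path, content, label_files=None):
    """Replace `path` atomically: temp file in the same directory, optional
    SELinux labelling of that temp file, fsync, then rename over the target."""
    if label_files is None:
        label_files = labelling_available()
    if label_files and selinux is None:
        raise RuntimeError("SELinux labelling requested but bindings are missing")
    directory = os.path.dirname(os.path.abspath(path))
    saved_context = None
    if label_files:
        # Save the current fscreate context and ask the kernel to label the
        # temp file the way policy says the final path should be labelled.
        saved_context = selinux.getfscreatecon()[1]
        selinux.setfscreatecon(selinux.matchpathcon(path, 0)[1])
    try:
        fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    finally:
        if label_files:
            selinux.setfscreatecon(saved_context)  # fscreate only affects creation
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(content)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)  # atomic: readers see the old or new file, never a partial one
    except BaseException:
        os.unlink(tmp)
        raise
    return path
```

The order of checks is the point: `is_selinux_enabled()` is consulted before any `getfscreatecon()`/`setfscreatecon()` call, and the temporary file is created in the target's own directory so that `os.replace()` is a same-filesystem rename rather than a copy.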
Description of problem:
ipa-client installation failing with error
[error] Unable to get current fscreate selinux context!
[error] Unable to create temporary file for [/var/lib/authselect/system-auth] [5]: Input/output error
[error] Unable to write temporary file [/var/lib/authselect/system-auth] [5]: Input/output error
[error] Unable to write generated system files [5]: Input/output error
[error] Unable to activate profile [sssd] [5]: Input/output error

Version-Release number of selected component (if applicable):
ipa-client-4.7.1-7.module+el8+2554+7a4ca32b.x86_64
authselect-1.0-11.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run ipa-server-install
2. Step ipa-client-install fail

Actual results:
Install failed

Expected results:
Install should succeed

Additional info:
Build RHEL-8.0.0-20190121.n.0

[root@kvm-04-guest13 ~]# ipa-client-install -U --domain=testrelma.test --realm=TESTRELMA.TEST -p admin -w <XXXXXXXXX>
This program will set up IPA client.
Version 4.7.1

Discovery was successful!
Client hostname: kvm-04-guest13.testrelma.test
Realm: TESTRELMA.TEST
DNS Domain: testrelma.test
IPA Server: vm-idm-021.testrelma.test
BaseDN: dc=testrelma,dc=test

Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELMA.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELMA.TEST
    Valid From:  2019-01-21 14:13:36
    Valid Until: 2039-01-21 14:13:36

Enrolled in IPA realm TESTRELMA.TEST
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELMA.TEST
Systemwide CA database updated.
Hostname (kvm-04-guest13.testrelma.test) does not have A/AAAA record.
Incorrect reverse record(s):
10.16.68.191 is pointing to kvm-04-guest13.rhts.eng.bos.redhat.com. instead of kvm-04-guest13.testrelma.test.
2620:52:0:1040:5054:ff:fe50:413 is pointing to kvm-04-guest13.rhts.eng.bos.redhat.com. instead of kvm-04-guest13.testrelma.test.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
WARNING: The configuration pre-client installation is not managed by authselect and cannot be backed up.
Uninstallation may not be able to revert to the original state.
CalledProcessError(Command ['/usr/bin/authselect', 'select', 'sssd', 'with-sudo', '--force'] returned non-zero exit status -6: '[error] Unable to get current fscreate selinux context!\n[error] Unable to create temporary file for [/var/lib/authselect/system-auth] [5]: Input/output error\n[error] Unable to write temporary file [/var/lib/authselect/system-auth] [5]: Input/output error\n[error] Unable to write generated system files [5]: Input/output error\n[error] Unable to activate profile [sssd] [5]: Input/output error\nfree(): double free detected in tcache 2\n')
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

############################## /var/log/ipaclient-install.log #############################
2019-01-21T14:54:28Z DEBUG stderr=
2019-01-21T14:54:28Z DEBUG Starting external process
2019-01-21T14:54:28Z DEBUG args=['/usr/bin/authselect', 'current', '--raw']
2019-01-21T14:54:28Z DEBUG Process finished, return code=2
2019-01-21T14:54:28Z DEBUG stdout=No existing configuration detected.
2019-01-21T14:54:28Z DEBUG stderr=
2019-01-21T14:54:28Z DEBUG Current configuration not managed by authselect
2019-01-21T14:54:28Z WARNING WARNING: The configuration pre-client installation is not managed by authselect and cannot be backed up.
Uninstallation may not be able to revert to the original state.
2019-01-21T14:54:28Z DEBUG Starting external process
2019-01-21T14:54:28Z DEBUG args=['/usr/bin/authselect', 'select', 'sssd', 'with-sudo', '--force']
2019-01-21T14:54:28Z DEBUG Process finished, return code=-6
2019-01-21T14:54:28Z DEBUG stdout=
2019-01-21T14:54:28Z DEBUG stderr=[error] Unable to get current fscreate selinux context!
[error] Unable to create temporary file for [/var/lib/authselect/system-auth] [5]: Input/output error
[error] Unable to write temporary file [/var/lib/authselect/system-auth] [5]: Input/output error
[error] Unable to write generated system files [5]: Input/output error
[error] Unable to activate profile [sssd] [5]: Input/output error
free(): double free detected in tcache 2

2019-01-21T14:54:28Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()

  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 347, in run
    return cfgr.run()

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)

  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)

  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)

  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value

  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)

  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)

  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()

  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)

  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)

  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value

  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)

  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):

  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 3799, in main
    install(self)

  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2526, in install
    _install(options)

  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 3028, in _install
    sudo=options.conf_sudo

  File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/tasks.py", line 213, in modify_nsswitch_pam_stack
    auth_config.configure(sssd, mkhomedir, statestore, sudo)

  File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/authconfig.py", line 139, in configure
    ipautil.run(cmd)

  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 574, in run
    p.returncode, arg_string, output_log, error_log

2019-01-21T14:54:28Z DEBUG The ipa-client-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/usr/bin/authselect', 'select', 'sssd', 'with-sudo', '--force'] returned non-zero exit status -6: '[error] Unable to get current fscreate selinux context!\n[error] Unable to create temporary file for [/var/lib/authselect/system-auth] [5]: Input/output error\n[error] Unable to write temporary file [/var/lib/authselect/system-auth] [5]: Input/output error\n[error] Unable to write generated system files [5]: Input/output error\n[error] Unable to activate profile [sssd] [5]: Input/output error\nfree(): double free detected in tcache 2\n')
2019-01-21T14:54:28Z ERROR CalledProcessError(Command ['/usr/bin/authselect', 'select', 'sssd', 'with-sudo', '--force'] returned non-zero exit status -6: '[error] Unable to get current fscreate selinux context!\n[error] Unable to create temporary file for [/var/lib/authselect/system-auth] [5]: Input/output error\n[error] Unable to write temporary file [/var/lib/authselect/system-auth] [5]: Input/output error\n[error] Unable to write generated system files [5]: Input/output error\n[error] Unable to activate profile [sssd] [5]: Input/output error\nfree(): double free detected in tcache 2\n')
2019-01-21T14:54:28Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information