Bug 2417703

Summary: Cannot login with IPA account when freeipa-client is bundled in bootc image
Product: [Fedora] Fedora Reporter: William Oprandi <william.oprandi>
Component: ostreeAssignee: Colin Walters <walters>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 43CC: abokovoy, amurdaca, atikhono, coreos-sig, dustymabe, ftrivino, ipa-maint, jmarrero, jonathan, lslebodn, mhjacks, miabbott, pbrezina, rcritten, rob, robert-fedora, sbose, ssorce, sssd-maintainers, travier, twoerner, walters
Target Milestone: ---Keywords: Desktop
Target Release: ---Flags: atikhono: needinfo? (walters)
fedora-admin-xmlrpc: mirror+
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
SSSD logs
none
SSSD debug level 9 none

Description William Oprandi 2025-11-28 14:49:56 UTC 
Building custom silverblue image :

```
ARG FEDORA_VERSION=43
FROM quay.io/fedora-ostree-desktops/silverblue:$FEDORA_VERSION

RUN dnf install -y freeipa-client
COPY tmpfile.conf /usr/lib/tmpfiles.d/ipa.conf # Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2332433 

RUN bootc container lint
```

tmpfile.conf (Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2332433)
```
d /var/lib/certmonger 0755 root root
d /var/lib/certmonger/cas
d /var/lib/certmonger/local
d /var/lib/certmonger/requests
d /var/lib/ipa-client 0755 root root
d /var/lib/ipa-client/pki
d /var/lib/ipa-client/sysrestore
```

I'm able to enroll my host after the first boot with `realm join`. But login with GDM does not work.

```
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: seat unloaded, so trying to set loaded property
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: Seat wouldn't load, so giving up on it and setting loaded property
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: user manager now loaded, proceeding with fetch user request for user 'william.oprandi'
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: finding user 'william.oprandi' state 2
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: Looking for user 'william.oprandi' in accounts service
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: already loaded, so not setting loaded property
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: Found object path of user 'william.oprandi': /org/freedesktop/Accounts/User1462
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: finding user 'william.oprandi' state 3
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: user 'william.oprandi' fetched
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: user william.oprandi is now loaded
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: user william.oprandi was not yet known, adding it
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: tracking user 'william.oprandi'
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: not yet loaded, so not emitting user-added signal
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: no pending users, trying to set loaded property
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: already loaded, so not setting loaded property
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionSettings: saved session is  (type )
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionSettings: saved language is
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: queuing setup for user: william.oprandi (null)
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: finished handling request for user 'william.oprandi'
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: accountsservice: ActUserManager: unrefing manager owned by fetch user request
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: attempting to change state to SETUP_COMPLETE
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: initializing PAM; service=gdm-password username=william.oprandi seat=seat0
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: Set PAM environment variable: 'XDG_SEAT=seat0'
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: state SETUP_COMPLETE
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: attempting to change state to AUTHENTICATED
Nov 28 14:16:32 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: authenticating user william.oprandi
Nov 28 14:16:37 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: 1 new messages received from PAM
Nov 28 14:16:37 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: username is 'william.oprandi'
Nov 28 14:16:37 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: old-username='william.oprandi' new-username='william.oprandi'
Nov 28 14:16:37 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: received pam message of type 1 with payload 'Mot de passe�: '
Nov 28 14:16:43 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: trying to get updated username
Nov 28 14:16:43 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: PAM conversation returning 0: Succ�s
Nov 28 14:16:43 qemu-standardpcq35ich92009-notspecified.fr.otera.lan systemd[1]: Starting sssd-kcm.service - SSSD Kerberos Cache Manager...
Nov 28 14:16:43 qemu-standardpcq35ich92009-notspecified.fr.otera.lan systemd[1]: Started sssd-kcm.service - SSSD Kerberos Cache Manager.
Nov 28 14:16:43 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/us>
Nov 28 14:16:44 qemu-standardpcq35ich92009-notspecified.fr.otera.lan sssd_kcm[3951]: Starting up
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=william.oprandi
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit[3816]: AUDIT1100 pid=3816 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication gr>
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: gkr-pam: unable to locate daemon control file
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: gkr-pam: stashed password to try later in open session
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: state AUTHENTICATED
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: trying to get updated username
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: username is 'william.oprandi'
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: old-username='william.oprandi' new-username='william.oprandi'
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: attempting to change state to AUTHORIZED
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" >
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit: BPF prog-id=103 op=UNLOAD
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit[3816]: AUDIT1101 pid=3816 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting granto>
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: pam_sss(gdm-password:account): Access denied for user william.oprandi: 4 (Erreur syst�me)
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan audit[3816]: AUDIT1112 pid=3816 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=1462 exe="/usr/libex>
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: user is not authorized to log in: Erreur syst�me
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: uninitializing PAM
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: Gdm: GdmSessionWorker: state NONE
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmSession: stopping conversation gdm-password
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmSessionWorkerJob: Stopping job pid:3816
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmCommon: sending signal 15 to process 3816
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmSessionWorkerJob: child (pid:3816) done (status:0)
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmSession: Worker job exited: 0
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmSession: Emitting conversation-stopped signal
Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm[1312]: Gdm: GdmManager: session conversation 'gdm-password' stopped

```


Reproducible: Always

Steps to Reproduce:
1. Build custom silverblue bootc image
2. Install on VM
3. realm join
4. Try to login with GDM
Actual Results:
Login does not work

Expected Results:
Login work

Additional Information:
If I install freeipa-client as layered package with rpm-ostree, it works.
Comment 1 Robert 2025-11-28 15:02:04 UTC 
Please compare with my setup using KDE. This works with freeipa and Kinoite. Maybe also a selinux issue?

https://gitlab.com/eu-os/eu-os.gitlab.io/-/snippets/4906744#L106
Comment 2 William Oprandi 2025-11-28 17:19:15 UTC 
selinux_provider = none in /etc/sssd/sssd.conf seems to "fix" the issue. This is not needed when freeipa-client is installed with rpm-ostree !

Thanks a lot as a workaround exists now !
Comment 3 Alexander Bokovoy 2025-11-29 08:28:24 UTC 
William, can you please provide the debug log of SSSD?

Nov 28 14:16:45 qemu-standardpcq35ich92009-notspecified.fr.otera.lan gdm-password][3816]: pam_sss(gdm-password:account): Access denied for user william.oprandi: 4 (Erreur syst�me)

We need to understand whether SSSD selinux provider is affected by a variant of https://github.com/ostreedev/ostree-rs-ext/issues/510.
Comment 4 William Oprandi 2025-12-01 14:19:00 UTC 
Created attachment 2116979 [details]
SSSD logs

The SSSD logs folder from restart to login failure
Comment 5 Alexander Bokovoy 2025-12-01 14:33:39 UTC 
Ok, looks like SELinux SSSD child is failing indeed:

   *  (2025-12-01 14:13:11): [be[fr.otera.lan]] [child_handler_setup] (0x2000): [RID#14] Setting up signal handler up for pid [4036]
   *  (2025-12-01 14:13:11): [be[fr.otera.lan]] [child_handler_setup] (0x2000): [RID#14] Signal handler set up for pid [4036]
..
(2025-12-01 14:13:11): [be[fr.otera.lan]] [child_sig_handler] (0x0020): [RID#14] child [4036] failed with status [1].

Unfortunately, the selinux_child.log is empty, so we don't know why this happened. My suspicion is that it is indeed an issue with SELinux library not being able to load its own database.
Comment 6 William Oprandi 2025-12-01 14:37:42 UTC 
Maybe you need I change the SSSD debug level ?
Comment 7 Alexander Bokovoy 2025-12-02 07:52:24 UTC 
Yes, please use 'debug_level = 9'.
Comment 8 William Oprandi 2025-12-02 09:56:02 UTC 
Created attachment 2117046 [details]
SSSD debug level 9

SSSD logs with sss_debuglevel 9 ran
Comment 9 Alexander Bokovoy 2025-12-02 10:26:01 UTC 
Thanks. I'm moving this bug to SSSD so that they can analyze what's happening.
Comment 10 Alexey Tikhonov 2025-12-02 11:54:30 UTC 
Hi,

could you please show output of
```
ls -lahZ /usr/libexec/sssd/
getcap /usr/libexec/sssd/*
```
?
Comment 11 William Oprandi 2025-12-02 14:27:51 UTC 
$ ls -lahZ /usr/libexec/sssd/
total 2,5M
drwxr-xr-x.  2 root root system_u:object_r:bin_t:s0                        442  1 janv.  1970 .
drwxr-xr-x. 53 root root system_u:object_r:bin_t:s0                       8,0K  1 janv.  1970 ..
-rwxr-x---.  1 root sssd system_u:object_r:bin_t:s0                       137K  1 janv.  1970 krb5_child
-rwxr-x---.  1 root sssd system_u:object_r:bin_t:s0                        48K  1 janv.  1970 ldap_child
-rwxr-xr-x.  1 root root system_u:object_r:ipa_otpd_exec_t:s0              60K  1 janv.  1970 oidc_child
-rwxr-xr-x.  1 root root system_u:object_r:bin_t:s0                        72K  1 janv.  1970 p11_child
-rwxr-xr-x.  1 root root system_u:object_r:ipa_otpd_exec_t:s0              56K  1 janv.  1970 passkey_child
-rwxr-x---.  1 root root system_u:object_r:sssd_selinux_manager_exec_t:s0  36K  1 janv.  1970 selinux_child
-rwxr-xr-x.  1 root root system_u:object_r:bin_t:s0                         73  1 janv.  1970 sss_analyze
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 179K  1 janv.  1970 sssd_autofs
-rwxr-xr-x.  1 root root system_u:object_r:bin_t:s0                       248K  1 janv.  1970 sssd_be
-rwxr-xr-x.  1 root root system_u:object_r:bin_t:s0                        16K  1 janv.  1970 sssd_check_socket_activated_responders
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 276K  1 janv.  1970 sssd_ifp
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 211K  1 janv.  1970 sssd_kcm
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 253K  1 janv.  1970 sssd_nss
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 183K  1 janv.  1970 sssd_pac
-rwxr-x---.  1 root sssd system_u:object_r:sssd_exec_t:s0                 280K  1 janv.  1970 sssd_pam
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 187K  1 janv.  1970 sssd_ssh
-rwxr-xr-x.  1 root root system_u:object_r:sssd_exec_t:s0                 187K  1 janv.  1970 sssd_sudo
-rwxr-xr-x.  1 root root system_u:object_r:bin_t:s0                        12K  1 janv.  1970 sss_signal




$ getcap /usr/libexec/sssd/*
/usr/libexec/sssd/krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
/usr/libexec/sssd/ldap_child cap_dac_read_search=p
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p
Comment 12 Alexey Tikhonov 2025-12-02 14:49:18 UTC 
The reason is:
```
-rwxr-x---.  1 root root system_u:object_r:sssd_selinux_manager_exec_t:s0  36K  1 janv.  1970 selinux_child
```
  --  'sssd_be' run under 'sssd' user can't execute `selinux_child`.

It should be ':sssd' owned, as other privileged helpers (`krb5_child`, `ldap_child`, `sssd_pam`)

spec-file installs it properly - as 'root:sssd':
https://src.fedoraproject.org/rpms/sssd/blob/rawhide/f/sssd.spec#_801

I guess the problem is that you add it later:
```
RUN dnf install -y freeipa-client
```
but not sure yet what exactly is broken so that it ends up with a wrong ownership.
Comment 13 Alexander Bokovoy 2025-12-02 15:06:12 UTC 
So yes, this is the same issue as it was in https://github.com/ostreedev/ostree-rs-ext/issues/654 which was supposed to be fixed with https://github.com/ostreedev/ostree-rs-ext/pull/679.
Comment 14 Alexey Tikhonov 2025-12-02 16:26:36 UTC 
(In reply to Alexander Bokovoy from comment #13)
> So yes, this is the same issue as it was in
> https://github.com/ostreedev/ostree-rs-ext/issues/654 which was supposed to
> be fixed with https://github.com/ostreedev/ostree-rs-ext/pull/679.

Actually this looks different.
ostree-rs-ext/issues/654 was about lost file capabilities.
In this case it's wrong ownership.
Comment 15 Alexey Tikhonov 2025-12-03 11:28:45 UTC 
Colin, could you please take a look at this?
Comment 16 Alexey Tikhonov 2025-12-22 13:47:27 UTC 
(In reply to Alexey Tikhonov from comment #15)
> Colin, could you please take a look at this?

Changing component for better visibility.
Please feel free to re-assign bug with explanation if this is SSSD bug.