Bug 987491

Summary: Join to the second domain ovewrites the previous one
Product: Red Hat Enterprise Linux 7 Reporter: David Spurek <dspurek>
Component: realmdAssignee: Stef Walter <stefw>
Status: CLOSED CURRENTRELEASE QA Contact: David Spurek <dspurek>
Severity: high Docs Contact:
Priority: medium    
Version: 7.0CC: dspurek, ebenes, pkis, stefw
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: realmd-0.14.4-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 12:52:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 988207    
Bug Blocks:    
Attachments:
Description Flags
Fix up the [sssd] section in sssd.conf if it's screwed up none

Description David Spurek 2013-07-23 13:44:13 UTC
Description of problem:
Join to the second domain overwrites the previous one. Set manage-system = no to AD domain: 
[security.baseos.qe]
manage-system = no

to /etc/realmd.conf. Join to this AD domain with manage-system = no, then join to IPA domain. Second join to IPA domain overwrites sssd.conf.


Version-Release number of selected component (if applicable):
realmd-0.14.2-3.el7

How reproducible:
always

Steps to Reproduce:
1. set to /etc/realmd.conf
[security.baseos.qe]
manage-system = no

2. systemctl restart realmd.service
3. realm join security.baseos.qe
4. realm join ipa.baseos.qe

Actual results:
realm list and sssd.conf contain only configuration for ipa domain

Expected results:
both domains should be listed

Additional info:
realm list and sssd.conf after first join:

[test]realm list
security.baseos.qe
  type: kerberos
  realm-name: SECURITY.BASEOS.QE
  domain-name: security.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U.qe
  login-policy: allow-permitted-logins
  permitted-logins: 
  permitted-groups: 
  domain-name: security.baseos.qe


[test]cat /etc/sssd/sssd.conf

[sssd]
domains = security.baseos.qe

[nss]
default_shell = /bin/bash

[domain/security.baseos.qe]
ad_domain = security.baseos.qe
krb5_realm = SECURITY.BASEOS.QE
realmd_tags = 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
simple_allow_users = $
access_provider = simple


realm join, realm list and sssd.conf after second join:

realm -v join --user=admin ipa.baseos.qe
 * Resolving: _ldap._tcp.ipa.baseos.qe
 * Performing LDAP DSE lookup on: 10.34.24.252
 * Successfully discovered: ipa.baseos.qe
Password for admin: 
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain ipa.baseos.qe --realm IPA.BASEOS.QE --mkhomedir --enable-dns-updates --unattended --principal admin -W --force-ntpd
Discovery was successful!
Hostname: client.ipa.baseos.qe
Realm: IPA.BASEOS.QE
DNS Domain: ipa.baseos.qe
IPA Server: server.ipa.baseos.qe
BaseDN: dc=ipa,dc=baseos,dc=qe
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.BASEOS.QE
    Issuer:      CN=Certificate Authority,O=IPA.BASEOS.QE
    Valid From:  Tue Apr 30 14:33:21 2013 UTC
    Valid Until: Sat Apr 30 14:33:21 2033 UTC

Enrolled in IPA realm IPA.BASEOS.QE
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.BASEOS.QE
trying https://server.ipa.baseos.qe/ipa/xml
Forwarding 'env' to server 'https://server.ipa.baseos.qe/ipa/xml'
Hostname (client.ipa.baseos.qe) not found in DNS
DNS server record set to: client.ipa.baseos.qe -> 192.168.100.250
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server 'https://server.ipa.baseos.qe/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service
 * Successfully enrolled machine in realm

[test]realm list
ipa.baseos.qe
  type: kerberos
  realm-name: IPA.BASEOS.QE
  domain-name: ipa.baseos.qe
  configured: kerberos-member
  server-software: freeipa
  client-software: sssd
  required-package: freeipa-client
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  login-formats: %U.qe
  login-policy: allow-realm-logins


[test]cat /etc/sssd/sssd.conf
[domain/ipa.baseos.qe]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.baseos.qe
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.ipa.baseos.qe
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, server.ipa.baseos.qe
ldap_tls_cacert = /etc/ipa/ca.crt
realmd_tags = manages-system
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = ipa.baseos.qe
[nss]
default_shell = /bin/bash

[pam]

[sudo]

[autofs]

[ssh]

[pac]

Comment 1 David Spurek 2013-07-23 13:44:36 UTC
results with package realmd-0.14.3-1.el7 are the same

Comment 2 David Spurek 2013-07-23 13:46:17 UTC
Reverse order of join commands works correctly with the same realmd.conf.

Comment 3 Stef Walter 2013-07-24 07:58:20 UTC
Could you try adding the following line to the [sssd] section after the AD join (but before the IPA join)?

config_file_version = 2

Comment 4 Stef Walter 2013-07-24 08:01:13 UTC
By the way, this section of your /etc/sssd/sssd.conf file after the first step looks completely broken:

[sssd]
domains = security.baseos.qe

Do you know how it got there? When realmd creates a new sssd.conf it adds the following lines:

[sssd]
services = nss, pam
config_file_version = 2

Comment 5 David Spurek 2013-07-24 12:35:49 UTC
My test environment was little broken before test case, concretly /etc/sssd/sssd.conf.

sssd.conf before the test was :

[sssd]
domains =

This causes fail with second realm join. Maybe it is not a bug due to broken configuration before the test, but it strange that both joins passes correctly, but only second domain is configure.

Comment 6 David Spurek 2013-07-24 13:00:54 UTC
(In reply to Stef Walter from comment #3)
> Could you try adding the following line to the [sssd] section after the AD
> join (but before the IPA join)?
> 
> config_file_version = 2

adding config_file_version = 2 after first join doesn't help, because sssd couldn't be restarted with this configuration:

[test]service sssd restart
Redirecting to /bin/systemctl restart  sssd.service
Job for sssd.service failed. See 'systemctl status sssd.service' and 'journalctl -xn' for details.
[test]systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: failed (Result: exit-code) since Wed 2013-07-24 08:57:55 EDT; 12s ago
  Process: 30881 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)

Jul 24 08:57:55 client.ipa.baseos.qe sssd[30881]: NSCD socket was detected and seems to be configured to cache some of the database...these.
Jul 24 08:57:55 client.ipa.baseos.qe sssd[30881]: SSSD couldn't load the configuration database [22]: Invalid argument.
Jul 24 08:57:55 client.ipa.baseos.qe systemd[1]: sssd.service: control process exited, code=exited status=4
Jul 24 08:57:55 client.ipa.baseos.qe systemd[1]: Failed to start System Security Services Daemon.
Jul 24 08:57:55 client.ipa.baseos.qe systemd[1]: Unit sssd.service entered failed state.

Comment 7 Stef Walter 2013-07-24 13:32:43 UTC
Why does SSSD say this:

Jul 24 08:57:55 client.ipa.baseos.qe sssd[30881]: NSCD socket was detected and seems to be configured to cache some of the database...these.

Do you have NSCD running?

Comment 8 David Spurek 2013-07-25 05:46:35 UTC
NSCD probably ran, now I am trying it on machine without NSCD, but result is the same:


1. adding config_file_version = 2 
2.

[test]service sssd restart
Redirecting to /bin/systemctl restart  sssd.service
Job for sssd.service failed. See 'systemctl status sssd.service' and 'journalctl -xn' for details.

[test]systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: failed (Result: exit-code) since Thu 2013-07-25 01:37:49 EDT; 12s ago
  Process: 20769 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)

Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe sssd[20769]: SSSD couldn't load the configuration database [22]: Invalid argument.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: sssd.service: control process exited, code=exited status=4
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Failed to start System Security Services Daemon.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Unit sssd.service entered failed state.

[test]cat /etc/sssd/sssd.conf
[sssd]
domains = security.baseos.qe
config_file_version = 2

[nss]
default_shell = /bin/bash

[domain/security.baseos.qe]
ad_domain = security.baseos.qe
krb5_realm = SECURITY.BASEOS.QE
realmd_tags = 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
simple_allow_users = $
access_provider = simple


--------------------------
If I add 'services = nss, pam' to sssd.conf, it is restarted correctly and sssd.cond is configured correctly after second join. Something in realmd.conf is broken and creates broken sssd.conf.

Can you reproduce my issue Stef?

Comment 9 Stef Walter 2013-07-25 06:10:54 UTC
(In reply to David Spurek from comment #8)
> If I add 'services = nss, pam' to sssd.conf, it is restarted correctly and
> sssd.cond is configured correctly after second join. Something in
> realmd.conf is broken and creates broken sssd.conf.
> 
> Can you reproduce my issue Stef?

Yes, but realmd only adds the services and config_file_version lines if the [sssd] section does not already exist. Why does that section exist without those lines?

I guess we could always add those lines, and try to repair broken sssd.conf files. But this is a losing game, because there are so many ways that an sssd.conf might be broken. 

How did it get broken?


I've also filed bug #988207, because sssd isn't being very helpful with telling us what's wrong.

Comment 10 David Spurek 2013-07-25 07:05:33 UTC
I don't know how config file get broken, but it happend and I find this problematic test case.

Is it possible to check correctness of [sssd] section? Especially check if section contains 'services = ...' and 'config_file_version = 2' parameters?

Comment 11 Stef Walter 2013-07-25 07:52:41 UTC
Created attachment 778105 [details]
Fix up the [sssd] section in sssd.conf if it's screwed up

Comment 12 Stef Walter 2013-08-07 08:10:01 UTC
Attachment 778105 [details] pushed as 8b83dd8 - Fix up the [sssd] section in sssd.conf if it's screwed up

Comment 14 Ludek Smid 2014-06-13 12:52:35 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.