Bug 987491
| Field | Value |
|---|---|
| Summary | Join to the second domain overwrites the previous one |
| Product | Red Hat Enterprise Linux 7 |
| Component | realmd |
| Version | 7.0 |
| Status | CLOSED CURRENTRELEASE |
| Severity | high |
| Priority | medium |
| Reporter | David Spurek <dspurek> |
| Assignee | Stef Walter <stefw> |
| QA Contact | David Spurek <dspurek> |
| CC | dspurek, ebenes, pkis, stefw |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | realmd-0.14.4-1.el7 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2014-06-13 12:52:35 UTC |
| Bug Depends On | 988207 |

Description
David Spurek
2013-07-23 13:44:13 UTC
results with package realmd-0.14.3-1.el7 are the same

Reverse order of join commands works correctly with the same realmd.conf.

Could you try adding the following line to the [sssd] section after the AD join (but before the IPA join)?

```
config_file_version = 2
```

By the way, this section of your /etc/sssd/sssd.conf file after the first step looks completely broken:

```
[sssd]
domains = security.baseos.qe
```

Do you know how it got there? When realmd creates a new sssd.conf it adds the following lines:

```
[sssd]
services = nss, pam
config_file_version = 2
```

My test environment was a little broken before the test case, concretely /etc/sssd/sssd.conf. sssd.conf before the test was:

```
[sssd]
domains =
```

This causes a failure with the second realm join. Maybe it is not a bug due to the broken configuration before the test, but it is strange that both joins pass correctly, but only the second domain is configured.

(In reply to Stef Walter from comment #3)
> Could you try adding the following line to the [sssd] section after the AD
> join (but before the IPA join)?
>
> config_file_version = 2

adding config_file_version = 2 after first join doesn't help, because sssd couldn't be restarted with this configuration:

```
[test]service sssd restart
Redirecting to /bin/systemctl restart sssd.service
Job for sssd.service failed. See 'systemctl status sssd.service' and 'journalctl -xn' for details.
[test]systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: failed (Result: exit-code) since Wed 2013-07-24 08:57:55 EDT; 12s ago
  Process: 30881 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)
Jul 24 08:57:55 client.ipa.baseos.qe sssd[30881]: NSCD socket was detected and seems to be configured to cache some of the database...these.
Jul 24 08:57:55 client.ipa.baseos.qe sssd[30881]: SSSD couldn't load the configuration database [22]: Invalid argument.
Jul 24 08:57:55 client.ipa.baseos.qe systemd[1]: sssd.service: control process exited, code=exited status=4
Jul 24 08:57:55 client.ipa.baseos.qe systemd[1]: Failed to start System Security Services Daemon.
Jul 24 08:57:55 client.ipa.baseos.qe systemd[1]: Unit sssd.service entered failed state.
```

Why does SSSD say this:

```
Jul 24 08:57:55 client.ipa.baseos.qe sssd[30881]: NSCD socket was detected and seems to be configured to cache some of the database...these.
```

Do you have NSCD running?

NSCD probably ran, now I am trying it on machine without NSCD, but result is the same:

1. adding config_file_version = 2
2. [test]service sssd restart

```
Redirecting to /bin/systemctl restart sssd.service
Job for sssd.service failed. See 'systemctl status sssd.service' and 'journalctl -xn' for details.
[test]systemctl status sssd.service
sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
   Active: failed (Result: exit-code) since Thu 2013-07-25 01:37:49 EDT; 12s ago
  Process: 20769 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe sssd[20769]: SSSD couldn't load the configuration database [22]: Invalid argument.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: sssd.service: control process exited, code=exited status=4
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Failed to start System Security Services Daemon.
Jul 25 01:37:49 x86-64-v06.ipa.baseos.qe systemd[1]: Unit sssd.service entered failed state.
[test]cat /etc/sssd/sssd.conf
[sssd]
domains = security.baseos.qe
config_file_version = 2
[nss]
default_shell = /bin/bash
[domain/security.baseos.qe]
ad_domain = security.baseos.qe
krb5_realm = SECURITY.BASEOS.QE
realmd_tags =
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
simple_allow_users = $
access_provider = simple
```

--------------------------

If I add 'services = nss, pam' to sssd.conf, it is restarted correctly and sssd.conf is configured correctly after second join. Something in realmd.conf is broken and creates broken sssd.conf.

Can you reproduce my issue Stef?

(In reply to David Spurek from comment #8)
> If I add 'services = nss, pam' to sssd.conf, it is restarted correctly and
> sssd.conf is configured correctly after second join. Something in
> realmd.conf is broken and creates broken sssd.conf.
>
> Can you reproduce my issue Stef?

Yes, but realmd only adds the services and config_file_version lines if the [sssd] section does not already exist. Why does that section exist without those lines?

I guess we could always add those lines, and try to repair broken sssd.conf files. But this is a losing game, because there are so many ways that an sssd.conf might be broken. How did it get broken?

I've also filed bug #988207, because sssd isn't being very helpful with telling us what's wrong.

I don't know how the config file got broken, but it happened and I find this problematic test case. Is it possible to check correctness of [sssd] section? Especially check if section contains 'services = ...' and 'config_file_version = 2' parameters?

Created attachment 778105
Fix up the [sssd] section in sssd.conf if it's screwed up
Attachment 778105 pushed as 8b83dd8 - Fix up the [sssd] section in sssd.conf if it's screwed up

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
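
An added example, not part of the bug thread and not realmd's code: a Python check for what the reporter asks about above, namely that the [sssd] section carries `services` and `config_file_version = 2`. It goes one step further and compares `domains` with the `[domain/...]` sections; the function name and the `ipa.example.test` sample are assumptions made for illustration.

```python
import configparser
# Per the thread, realmd writes these into a new [sssd] section (None = any value).
REQUIRED = {"services": None, "config_file_version": "2"}

def check_sssd_conf(text):
    """Return a list of problems in the [sssd] section of sssd.conf text."""
    cp = configparser.RawConfigParser(strict=False)  # raw: no % interpolation
    cp.optionxform = str  # keep option names case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable: {exc}"]
    if not cp.has_section("sssd"):
        return ["[sssd] section missing"]
    problems = []
    for key, want in REQUIRED.items():
        value = cp.get("sssd", key, fallback="").strip()
        if not value:
            problems.append(f"[sssd] lacks '{key}'")
        elif want is not None and value != want:
            problems.append(f"[sssd] {key} = {value}, expected {want}")
    # Added generalization: 'domains' and the [domain/...] sections must agree.
    raw = cp.get("sssd", "domains", fallback="")
    listed = {d.strip() for d in raw.split(",") if d.strip()}
    defined = {s[7:] for s in cp.sections() if s.startswith("domain/")}
    problems += [f"[domain/{n}] not listed in 'domains'" for n in sorted(defined - listed)]
    problems += [f"'domains' names {n} but [domain/{n}] is absent" for n in sorted(listed - defined)]
    return problems

# Abridged from the thread: state after the first join plus the manual edit.
AFTER_FIRST_JOIN = """[sssd]
domains = security.baseos.qe
config_file_version = 2
[domain/security.baseos.qe]
id_provider = ad
fallback_homedir = /home/%d/%u
"""
# Constructed sample (hypothetical second domain): two sections, one listed.
ONE_DOMAIN_DROPPED = """[sssd]
domains = ipa.example.test
services = nss, pam
config_file_version = 2
[domain/security.baseos.qe]
id_provider = ad
[domain/ipa.example.test]
id_provider = ipa
"""
if __name__ == "__main__":
    print(check_sssd_conf(AFTER_FIRST_JOIN), check_sssd_conf(ONE_DOMAIN_DROPPED), sep="\n")
```

An empty list means the [sssd] section has both settings and agrees with the domain sections.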