Bug 1309700 - Process /usr/sbin/winbindd was killed by signal 6 [NEEDINFO]
Summary: Process /usr/sbin/winbindd was killed by signal 6
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 7.3
Assignee: IPA Maintainers
QA Contact: Namita Soman
Depends On:
Blocks: 1359079
TreeView+ depends on / blocked
Reported: 2016-02-18 14:04 UTC by Sudhir Menon
Modified: 2016-11-04 05:51 UTC (History)
12 users (show)

Fixed In Version: ipa-4.4.0-6.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-11-04 05:51:18 UTC
Target Upstream Version:
ohudlick: needinfo? (vanhoof)
ohudlick: needinfo? (snagar)

Attachments (Terms of Use)
sos report for the failure (1.32 MB, application/x-xz)
2016-02-18 14:04 UTC, Sudhir Menon
no flags Details
samba log-1 (1.36 MB, text/plain)
2016-02-19 11:04 UTC, Sudhir Menon
no flags Details
messages (81.43 KB, text/plain)
2016-02-19 11:05 UTC, Sudhir Menon
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Sudhir Menon 2016-02-18 14:04:12 UTC
Created attachment 1128229 [details]
sos report for the failure

Description of problem: Process /usr/sbin/winbindd was killed by signal 6

Version-Release number of selected component (if applicable):

How reproducible:Always

Steps to Reproduce:
1. Install IPA-server on RHEL6.8
2. Run ipa-adtrust-install command
3. Add dnsforwardzone on the IPA server to AD
4. Now try to add trust to AD

Actual results:
Crash report is generated.

Expected results:
Crash shouldn't occur.

Additional info:
Although trust was a tech preview found this issue while doing steps as mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1263262

Comment 2 Alexander Bokovoy 2016-02-18 15:42:28 UTC
Sorry, but sosreport doesn't have anything useful in it -- no logs, even /var/log/messages is missing, not even talking about /var/log/httpd and /var/log/samba. Is it possible to generate something more useful?

Comment 3 Sudhir Menon 2016-02-19 11:04:15 UTC
Created attachment 1128512 [details]
samba log-1

Comment 4 Sudhir Menon 2016-02-19 11:05:02 UTC
Created attachment 1128513 [details]

Comment 5 Sudhir Menon 2016-02-19 11:09:49 UTC
before logging this bug, sbose was having a look at the test system where the crash was seen and he said that. 

"there was an issue during the ipa-client-install run, the cifs/... principal was not created. This was maybe due to DNS issue because as I tried to start IPA on the host named was not able to start. It looks like the chroot environment is not correct, I fixed this by commenting out the chroot path in /etc/sysconfig/named. Now named start. Please run ipa-adtrust-install again to get the cifs/... principal created"

But when I restested the same thing.

1. Found that the crash occured only when the below line was commented in 
#ROOTDIR=/var/named/chroot' in /etc/named.conf file. 
This entry is however added by bind-chroot when installed.
Manually commenting the option is incorrect and invalid test scenario and which was not done during the test.

Comment 6 Alexander Bokovoy 2016-02-19 11:23:41 UTC
FreeIPA doesn't use bind-chroot at all and was never tested with it. What drags bind-chroot in?

Comment 7 Sudhir Menon 2016-02-22 05:57:08 UTC
The VM image on which the testing was done had bind-chroot package installed already. Although what i see is that the bind-chroot package is not required by any of ipa packages. May be I should create a pristine image and try to reprduce the issue.

Comment 8 Sudhir Menon 2016-02-22 09:18:35 UTC
Tested this on a pristine RHEL6.8 VM without the bind-chroot package installed and found that the crash is not seen.

Comment 9 Petr Vobornik 2016-02-23 17:23:32 UTC
Upstream ticket:

Comment 10 Petr Vobornik 2016-02-23 17:25:46 UTC
We should add conflicts with bind-chroot to spec. I would fix it only on RHEL 7.

Comment 11 Petr Vobornik 2016-03-24 19:43:12 UTC
IPA in 6.8 won't receive any updates unless they are critical or sufficiently justified. Changing to RHEL 7.

Comment 12 Petr Vobornik 2016-03-24 19:44:20 UTC
Fixed upstream:

    3ab63fa6ba60947b1452c2108c4cf7637f4aacdb spec: add conflict with bind-chroot to freeipa-server-dns 

    2b1b9ad6722e7008a97f09dc4a34019ad250cd4d spec: add conflict with bind-chroot to freeipa-server-dns

Comment 13 Mike McCune 2016-03-28 22:43:24 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 15 Sudhir Menon 2016-07-18 10:37:39 UTC
Fix is seen.
Verified using ipa-server-4.4.0-2.1.el7.x86_64

Conflicts are now added while installing ipa-server ipa-server-dns with bind-chroot already installed on the box.

[root@server ~]# rpm -qa | grep bind-chroot

[root@server ~]# yum install -y ipa-server ipa-server-dns
Loaded plugins: auto-update-debuginfo, langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:4.4.0-2.1.el7 will be installed
---> Package ipa-server-dns.noarch 0:4.4.0-2.1.el7 will be installed
--> Processing Conflict: ipa-server-dns-4.4.0-2.1.el7.noarch conflicts bind-chroot
--> Finished Dependency Resolution
Error: ipa-server-dns conflicts with 32:bind-chroot-9.9.4-36.el7.x86_64
 You could try using --skip-broken to work around the problem
** Found 5 pre-existing rpmdb problem(s), 'yum check' output follows:
ipa-admintools-4.4.0-2.1.el7.noarch has installed conflicts freeipa-admintools: ipa-admintools-4.4.0-2.1.el7.noarch
ipa-client-4.4.0-2.1.el7.x86_64 has installed conflicts freeipa-client: ipa-client-4.4.0-2.1.el7.x86_64
ipa-client-common-4.4.0-2.1.el7.noarch has installed conflicts freeipa-client-common: ipa-client-common-4.4.0-2.1.el7.noarch
ipa-common-4.4.0-2.1.el7.noarch has installed conflicts freeipa-common: ipa-common-4.4.0-2.1.el7.noarch
ipa-server-common-4.4.0-2.1.el7.noarch has installed conflicts freeipa-server-common: ipa-server-common-4.4.0-2.1.el7.noarch

Note: FreeIPA cannot work with BIND in chroot.

Comment 16 Pavel Holica 2016-07-25 13:25:37 UTC
Requesting release note due to bug 1359079

The conflicts change needs to be documented because it breaks upgrade path.

Comment 17 Ondrej Hudlicky 2016-08-02 14:11:00 UTC
Hi, I am concerned that this is not best solution for fixing the crash. By introducing a new conflict you break upgrade path for customer who have both packages installed (in RHEL7.2) - it could be high number of deployments and it could have negative impact on customer experience (even if documented). 

Also can you confirm that there are no deployment which would required both components? 

Asking PM (Siddharth) CEE (Chris) for review and additional feedback

Comment 18 Alexander Bokovoy 2016-08-02 14:21:15 UTC

Sorry but FreeIPA DNS does not work with bind-chroot at all, so nobody was/is/will be able to have a working configuration where both ipa-server-dns and bind-chroot are installed.

Comment 19 Ondrej Hudlicky 2016-08-02 17:23:01 UTC
> Sorry but FreeIPA DNS does not work with bind-chroot at all, so nobody

This incompatibility should be documented but no big concerns there. 

> was/is/will be able to have a working configuration where both
> ipa-server-dns and bind-chroot are installed.

There is difference between *installed* and *configured*.
Installing bind-chroot doesn't enable the chroot jail =>
 installing bind-chroot should not affect name server function

Having ipa-server crash due commented line in bind config file could be symptom of ipa-server bug which could be probably triggered in multiple ways?

Again my motivation is to avoid any possible troubles during RHEL7.2->RHEL7.3 update because customers are in general not happy with stability of upgrades.

Comment 20 Tomáš Hozza 2016-08-04 13:29:11 UTC
Installing bind-chroot on RHEL-7 does not change any configuration of bind and does not have any effect on how bind is run. The behavior in RHEL-7 is completely different compared to RHEL-6, where we shipped just a single init script and installing bind-chroot actually changed the way how bind is started.

In RHEL-7 we ship multiple .service files and installing bind-chroot installs named-chroot.service. Unless you explicitly start this service, you'll be still running regular bind NOT in chroot.

In RHEL-7 we actually don't even use the 'ROOTDIR' variable in /etc/sysconfig/named and it is not part of the default configuration.

This means the changes that looked like "good" idea for RHEL-6 don't make any sense for RHEL-7.

IMO introducing the conflict with bind-chroot package seems like unnecessary and unsystematic.

Comment 21 Ondrej Hudlicky 2016-08-05 07:55:15 UTC
Based on previous comment and after consultation with IDM QE moving to ASSIGNED

Comment 24 Sudhir Menon 2016-08-10 11:49:11 UTC
Fix is seen.

ipa-server and ipa-server-trust-ad rpm gets installed even with bind-chroot installed on the box.

[root@master ~]# rpm -qa | grep bind-chroot

[root@master ~]# yum install -y ipa-server ipa-server-trust-ad 
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
--> Running transaction check
---> Package ipa-server.x86_64 0:4.4.0-6.el7 will be installed
---> Package ipa-server-trust-ad.x86_64 0:4.4.0-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved
 Package                                 Arch                       Version                            Repository                  Size
 ipa-server             x86_64  4.4.0-6.el7  rhel73    423 k
 ipa-server-trust-ad    x86_64  4.4.0-6.el7  rhel73    191 k

Transaction Summary
Install  2 Packages

Total download size: 614 k
Installed size: 1.2 M
Downloading packages:
ipa-server-4.4.0-6.el7.x86_64.rpm  423 kB  00:00:01     
ipa-server-trust-ad-4.4.0-6.el7.x86_64.rpm  | 191 kB  00:00:01     
Total 145 kB/s | 614 kB  00:00:04     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ipa-server-4.4.0-6.el7.x86_64          1/2 
  Installing : ipa-server-trust-ad-4.4.0-6.el7.x86_64 2/2 
  Verifying  : ipa-server-trust-ad-4.4.0-6.el7.x86_64 1/2 
  Verifying  : ipa-server-4.4.0-6.el7.x86_64          2/2 

ipa-server.x86_64 0:4.4.0-6.el7                                
ipa-server-trust-ad.x86_64 0:4.4.0-6.el7                               


Comment 27 errata-xmlrpc 2016-11-04 05:51:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.