Created attachment 1128229
sos report for the failure
Description of problem: Process /usr/sbin/winbindd was killed by signal 6
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install IPA-server on RHEL6.8
2. Run ipa-adtrust-install command
3. Add dnsforwardzone on the IPA server to AD
4. Now try to add trust to AD
Crash report is generated.
Crash shouldn't occur.
Although trust was a tech preview found this issue while doing steps as mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1263262
Sorry, but sosreport doesn't have anything useful in it -- no logs, even /var/log/messages is missing, not even talking about /var/log/httpd and /var/log/samba. Is it possible to generate something more useful?
Created attachment 1128512
Created attachment 1128513
Before logging this bug, sbose was having a look at the test system where the crash was seen, and he said:
"there was an issue during the ipa-client-install run, the cifs/... principal was not created. This was maybe due to DNS issue because as I tried to start IPA on the host named was not able to start. It looks like the chroot environment is not correct, I fixed this by commenting out the chroot path in /etc/sysconfig/named. Now named start. Please run ipa-adtrust-install again to get the cifs/... principal created"
But when I retested the same thing:
1. Found that the crash occurred only when the below line was commented in
'#ROOTDIR=/var/named/chroot' in /etc/named.conf file.
This entry is however added by bind-chroot when installed.
Manually commenting the option is an incorrect and invalid test scenario, and it was not done during the test.
FreeIPA doesn't use bind-chroot at all and was never tested with it. What drags bind-chroot in?
The VM image on which the testing was done had the bind-chroot package installed already. Although what I see is that the bind-chroot package is not required by any of the ipa packages. Maybe I should create a pristine image and try to reproduce the issue.
Tested this on a pristine RHEL6.8 VM without the bind-chroot package installed and found that the crash is not seen.
We should add conflicts with bind-chroot to spec. I would fix it only on RHEL 7.
IPA in 6.8 won't receive any updates unless they are critical or sufficiently justified. Changing to RHEL 7.
3ab63fa6ba60947b1452c2108c4cf7637f4aacdb spec: add conflict with bind-chroot to freeipa-server-dns
2b1b9ad6722e7008a97f09dc4a34019ad250cd4d spec: add conflict with bind-chroot to freeipa-server-dns
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see email@example.com with any questions
Fix is seen.
Verified using ipa-server-4.4.0-2.1.el7.x86_64
Conflicts are now added while installing ipa-server ipa-server-dns with bind-chroot already installed on the box.
[root@server ~]# rpm -qa | grep bind-chroot
[root@server ~]# yum install -y ipa-server ipa-server-dns
Loaded plugins: auto-update-debuginfo, langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
--> Running transaction check
---> Package ipa-server.x86_64 0:4.4.0-2.1.el7 will be installed
---> Package ipa-server-dns.noarch 0:4.4.0-2.1.el7 will be installed
--> Processing Conflict: ipa-server-dns-4.4.0-2.1.el7.noarch conflicts bind-chroot
--> Finished Dependency Resolution
Error: ipa-server-dns conflicts with 32:bind-chroot-9.9.4-36.el7.x86_64
You could try using --skip-broken to work around the problem
** Found 5 pre-existing rpmdb problem(s), 'yum check' output follows:
ipa-admintools-4.4.0-2.1.el7.noarch has installed conflicts freeipa-admintools: ipa-admintools-4.4.0-2.1.el7.noarch
ipa-client-4.4.0-2.1.el7.x86_64 has installed conflicts freeipa-client: ipa-client-4.4.0-2.1.el7.x86_64
ipa-client-common-4.4.0-2.1.el7.noarch has installed conflicts freeipa-client-common: ipa-client-common-4.4.0-2.1.el7.noarch
ipa-common-4.4.0-2.1.el7.noarch has installed conflicts freeipa-common: ipa-common-4.4.0-2.1.el7.noarch
ipa-server-common-4.4.0-2.1.el7.noarch has installed conflicts freeipa-server-common: ipa-server-common-4.4.0-2.1.el7.noarch
Note: FreeIPA cannot work with BIND in chroot.
Requesting release note due to bug 1359079
The conflicts change needs to be documented because it breaks upgrade path.
Hi, I am concerned that this is not the best solution for fixing the crash. By introducing a new conflict you break the upgrade path for customers who have both packages installed (in RHEL7.2) - it could be a high number of deployments and it could have a negative impact on customer experience (even if documented).
Also can you confirm that there are no deployments which would require both components?
Asking PM (Siddharth) CEE (Chris) for review and additional feedback
Sorry but FreeIPA DNS does not work with bind-chroot at all, so nobody was/is/will be able to have a working configuration where both ipa-server-dns and bind-chroot are installed.
> Sorry but FreeIPA DNS does not work with bind-chroot at all, so nobody
This incompatibility should be documented but no big concerns there.
> was/is/will be able to have a working configuration where both
> ipa-server-dns and bind-chroot are installed.
There is difference between *installed* and *configured*.
Installing bind-chroot doesn't enable the chroot jail =>
installing bind-chroot should not affect name server function
Having ipa-server crash due to a commented line in the bind config file could be a symptom of an ipa-server bug which could probably be triggered in multiple ways?
Again my motivation is to avoid any possible troubles during RHEL7.2->RHEL7.3 update because customers are in general not happy with stability of upgrades.
Installing bind-chroot on RHEL-7 does not change any configuration of bind and does not have any effect on how bind is run. The behavior in RHEL-7 is completely different compared to RHEL-6, where we shipped just a single init script and installing bind-chroot actually changed the way bind is started.
In RHEL-7 we ship multiple .service files and installing bind-chroot installs named-chroot.service. Unless you explicitly start this service, you'll still be running regular bind NOT in chroot.
In RHEL-7 we actually don't even use the 'ROOTDIR' variable in /etc/sysconfig/named and it is not part of the default configuration.
This means the changes that looked like a "good" idea for RHEL-6 don't make any sense for RHEL-7.
IMO introducing the conflict with the bind-chroot package seems unnecessary and unsystematic.
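The installed-versus-configured distinction raised in the comments above can be checked on a host before running ipa-adtrust-install. This is an added example, not part of the bug report or of FreeIPA; the function names are hypothetical, while ROOTDIR, /etc/sysconfig/named, named-chroot.service and bind-chroot are the names used in this thread.

```shell
#!/bin/sh
# Added example: tell "bind-chroot is installed" apart from "named is chrooted".

# RHEL 6 style: an uncommented, non-empty ROOTDIR= in the sysconfig file.
# Prints the chroot path and returns 0 when set; returns 1 otherwise.
sysconfig_rootdir() {
    local file=$1 line value
    [ -r "$file" ] || return 1
    # The last uncommented assignment wins, as it would when the file is sourced.
    line=$(grep -E '^[[:space:]]*(export[[:space:]]+)?ROOTDIR=' "$file" | tail -n 1)
    [ -n "$line" ] || return 1
    value=${line#*ROOTDIR=}
    value=${value%%#*}    # drop a trailing comment
    value=$(printf '%s' "$value" | tr -d "\"'" | sed 's/[[:space:]]*$//')
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# RHEL 7 style: the chroot is in effect only if named-chroot.service is running.
# Kept as a separate function so the logic can be exercised without systemd.
unit_state() { systemctl is-active "$1" 2>/dev/null || true; }

# Prints one of: chroot-configured: <reason> | installed-only | not-installed
named_chroot_status() {
    local sysconfig=${1:-/etc/sysconfig/named} root
    if root=$(sysconfig_rootdir "$sysconfig"); then
        echo "chroot-configured: ROOTDIR=$root"
    elif [ "$(unit_state named-chroot.service)" = "active" ]; then
        echo "chroot-configured: named-chroot.service active"
    elif rpm -q bind-chroot >/dev/null 2>&1; then
        echo "installed-only"
    else
        echo "not-installed"
    fi
}

named_chroot_status "$@"
```

Only the two chroot-configured results correspond to the setup that the thread says FreeIPA DNS cannot work with; installed-only is the RHEL-7 case described above, where the package is present but regular named is what runs.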
Based on previous comment and after consultation with IDM QE moving to ASSIGNED
Fix is seen.
ipa-server and ipa-server-trust-ad rpm gets installed even with bind-chroot installed on the box.
[root@master ~]# rpm -qa | grep bind-chroot
[root@master ~]# yum install -y ipa-server ipa-server-trust-ad
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
--> Running transaction check
---> Package ipa-server.x86_64 0:4.4.0-6.el7 will be installed
---> Package ipa-server-trust-ad.x86_64 0:4.4.0-6.el7 will be installed
--> Finished Dependency Resolution
Package Arch Version Repository Size
ipa-server x86_64 4.4.0-6.el7 rhel73 423 k
ipa-server-trust-ad x86_64 4.4.0-6.el7 rhel73 191 k
Install 2 Packages
Total download size: 614 k
Installed size: 1.2 M
ipa-server-4.4.0-6.el7.x86_64.rpm 423 kB 00:00:01
ipa-server-trust-ad-4.4.0-6.el7.x86_64.rpm | 191 kB 00:00:01
Total 145 kB/s | 614 kB 00:00:04
Running transaction check
Running transaction test
Transaction test succeeded
Installing : ipa-server-4.4.0-6.el7.x86_64 1/2
Installing : ipa-server-trust-ad-4.4.0-6.el7.x86_64 2/2
Verifying : ipa-server-trust-ad-4.4.0-6.el7.x86_64 1/2
Verifying : ipa-server-4.4.0-6.el7.x86_64 2/2
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.