Bug 1346168 - Running atomic install rhel7/sssd realm join AD.EXAMPLE.COM fails with realm: Couldn't initialize kerberos: Included profile directory could not be read
Summary: Running atomic install rhel7/sssd realm join AD.EXAMPLE.COM fails with realm:...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd-container
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-14 07:30 UTC by Jan Pazdziora
Modified: 2017-05-15 14:19 UTC (History)
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-15 14:19:33 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2633 0 normal SHIPPED_LIVE Red Hat Enterprise Linux Atomic SSSD Container Image Update 2016-11-03 20:31:35 UTC

Description Jan Pazdziora 2016-06-14 07:30:27 UTC
Description of problem:

Attempt to realm join RHEL 7.3 nightly (non-Atomic) with rhel7/sssd container image 7.2-13 fails with 

realm: Couldn't initialize kerberos: Included profile directory could not be read

Version-Release number of selected component (if applicable):

krb5-libs-1.14.1-15.el7.x86_64
rhel7/sssd 7.2-13

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have RHEL non-Atomic 7.3 with docker and atomic packages installed.
2. Create /etc/sssd/realm-join-password, point /etc/resolv.conf to AD machine.
3. Run atomic install rhel7/sssd realm join AD.EXAMPLE.COM

Actual results:

# atomic install rhel7/sssd realm join AD.EXAMPLE.COM
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join AD.EXAMPLE.COM
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Initializing configuration context from host ...
See: journalctl REALMD_OPERATION=r2671.32
realm: Couldn't initialize kerberos: Included profile directory could not be read

Expected results:

No error, machine realm-joined to AD server.

Additional info:

Comment 1 Jan Pazdziora 2016-06-14 07:33:07 UTC
My guess is the problem is caused by the line

   includedir /etc/krb5.conf.d/

in /etc/krb5.conf which is now shipped by default in krb5-libs-1.14.1-15.el7.x86_64. It was added via bug 1146945.

Since the container image contains older krb5-libs package which does not ship this directory and host-data-list does not list it, it is not present in the container when realm join runs.

Comment 3 Lukas Slebodnik 2016-06-17 07:35:13 UTC
(In reply to Jan Pazdziora from comment #1)
> My guess is the problem is caused by the line
> 
>    includedir /etc/krb5.conf.d/
> 
> in /etc/krb5.conf which is now shipped by default in
> krb5-libs-1.14.1-15.el7.x86_64. It was added via bug 1146945.
> 
> Since the container image contains older krb5-libs package which does not
> ship this directory and host-data-list does not list it, it is not present
> in the container when realm join runs.

Actually, it's a known bug in krb5, BZ1274424.

The reproducer is even simpler
[root@host ~]# atomic install rhel7/sssd klist
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh klist
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Initializing configuration context from host ...
klist: Included profile directory could not be read while initializing krb5

And a simple change fixed the issue:
FROM rhel7/sssd
RUN [ -d /etc/krb5.conf.d/ ] || mkdir /etc/krb5.conf.d/

However, we should copy the content of that directory from the host if it exists.
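
A check and fix along the lines Lukas describes, as an added example that is not code from this bug, the rhel7/sssd image or its install.sh: it reads the includedir directives out of a krb5.conf, reports the ones that do not exist under a container root (the same condition klist and realm fail on above), and seeds each one from the host mount, falling back to an empty directory so libkrb5 has something readable. The function names, their arguments and the sample config are constructed for this example; the /host mount layout matches what `atomic install` passes to the container above, and /var/lib/sss/pubconf/krb5.include.d/ is the includedir SSSD itself writes.

```shell
#!/bin/sh
# Added example (not from the bug report or the rhel7/sssd image).
# Keeps every "includedir" named in a krb5.conf present inside a container
# root, copying the host's directory when the host has one.
set -eu

# krb5_includedirs <krb5.conf>
# Print the path of every "includedir" directive (leading whitespace and
# comment lines are ignored; "include FILE" directives are not handled).
krb5_includedirs() {
    awk '$1 == "includedir" { print $2 }' "$1"
}

# krb5_includedirs_missing <krb5.conf> <root>
# Print the includedirs that do not exist under <root>; exit 1 if any are
# missing, 0 otherwise. Run against / inside the container as a pre-flight
# check before realm or klist touch the Kerberos profile.
krb5_includedirs_missing() {
    conf=$1; root=$2
    missing=$(for dir in $(krb5_includedirs "$conf"); do
        [ -d "$root$dir" ] || echo "$dir"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# sync_krb5_includedirs <krb5.conf> <host-root> <container-root>
# For each includedir: create it under <container-root>, then copy the
# host's copy (permissions preserved) when <host-root> has that directory.
# An includedir the host lacks stays an empty directory, which libkrb5
# accepts; a missing directory is what produces "Included profile directory
# could not be read".
sync_krb5_includedirs() {
    conf=$1; host=$2; root=$3
    for dir in $(krb5_includedirs "$conf"); do
        target="$root$dir"
        mkdir -p "$target"
        if [ -d "$host$dir" ]; then
            cp -pR "$host$dir/." "$target/"
        fi
    done
}

# Typical use inside the container, where the host is mounted at /host
# (hypothetical invocation; paths assumed):
#   sync_krb5_includedirs /host/etc/krb5.conf /host /
#   krb5_includedirs_missing /etc/krb5.conf / && echo "krb5 includedirs ok"
```

Paths containing whitespace are not handled by the word-split `for` loops, which is acceptable for krb5 include directories but worth knowing if the helper is reused elsewhere.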

Comment 5 Niranjan Mallapadi Raghavender 2016-10-14 06:50:32 UTC
Versions:

lslebodn/sssd-docker               extras-rhel-7.3-docker-candidate-20160926090154   8af19f1e3f7a        2 weeks ago         370 MB
rhel7/sssd                         latest                                            8af19f1e3f7a        2 weeks ago         370 MB
registry.access.redhat.com/rhel7   latest                                            98a88a8b722a        5 weeks ago         201.4 MB

[root@atomic-00 sssd]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-10-06 18:32:58)
        Commit: bd5ac48f6195637c0230d9b0ab0a2e5fb843764f85bc64757106238bdf31e757
        OSName: rhel-atomic-host


[root@atomic-00 sssd]# atomic install rhel7/sssd klist
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh klist
Initializing configuration context from host ...
klist: Credentials cache keyring 'persistent:0:0' not found

[root@atomic-00 sssd]# atomic install rhel7/sssd realm join CENTAUR.TEST -v
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join CENTAUR.TEST -v
Initializing configuration context from host ...
 * Resolving: _ldap._tcp.centaur.test
 * Performing LDAP DSE lookup on: 192.168.122.27
 * Performing LDAP DSE lookup on: 192.168.122.187
 * Successfully discovered: CENTAUR.TEST
Password for Administrator:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.9FJPPY -U Administrator ads join CENTAUR.TEST
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CENTAUR
Joined 'ATOMIC-00' to dns domain 'CENTAUR.TEST'
DNS Update for atomic-00.localdomain failed: ERROR_DNS_UPDATE_FAILED
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.9FJPPY -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service

 * Successfully enrolled machine in realm
Copying new configuration to host ...
Full path required for exclude: net:[4026531956].
Service sssd.service configured to run SSSD container.


[root@atomic-00 sssd]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service
[root@atomic-00 sssd]# id Administrator@CENTAUR.TEST
uid=1993600500(administrator@CENTAUR.TEST) gid=1993600513(domain users@CENTAUR.TEST) groups=1993600513(domain users@CENTAUR.TEST),1993600520(group policy creator owners@CENTAUR.TEST),1993600519(enterprise admins@CENTAUR.TEST),1993600512(domain admins@CENTAUR.TEST),1993600518(schema admins@CENTAUR.TEST),1993601669(myunixgroup@CENTAUR.TEST),1993601671(testgroup1@CENTAUR.TEST),1993600572(denied rodc password replication group@CENTAUR.TEST)

