Bug 1346168 - Running atomic install rhel7/sssd realm join AD.EXAMPLE.COM fails with realm: Couldn't initialize kerberos: Included profile directory could not be read
Summary: Running atomic install rhel7/sssd realm join AD.EXAMPLE.COM fails with realm:...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd-container
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-14 07:30 UTC by Jan Pazdziora
Modified: 2017-05-15 14:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-15 14:19:33 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2016:2633
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat Enterprise Linux Atomic SSSD Container Image Update
Last Updated: 2016-11-03 20:31:35 UTC

Description Jan Pazdziora 2016-06-14 07:30:27 UTC
Description of problem:

Attempt to realm join RHEL 7.3 nightly (non-Atomic) with rhel7/sssd container image 7.2-13 fails with 

realm: Couldn't initialize kerberos: Included profile directory could not be read

Version-Release number of selected component (if applicable):

krb5-libs-1.14.1-15.el7.x86_64
rhel7/sssd 7.2-13

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have RHEL non-Atomic 7.3 with docker and atomic packages installed.
2. Create /etc/sssd/realm-join-password, point /etc/resolv.conf to AD machine.
3. Run atomic install rhel7/sssd realm join AD.EXAMPLE.COM

Actual results:

# atomic install rhel7/sssd realm join AD.EXAMPLE.COM
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join AD.EXAMPLE.COM
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Initializing configuration context from host ...
See: journalctl REALMD_OPERATION=r2671.32
realm: Couldn't initialize kerberos: Included profile directory could not be read

Expected results:

No error, machine realm-joined to AD server.

Additional info:

Comment 1 Jan Pazdziora 2016-06-14 07:33:07 UTC
My guess is the problem is caused by the line

   includedir /etc/krb5.conf.d/

in /etc/krb5.conf which is now shipped by default in krb5-libs-1.14.1-15.el7.x86_64. It was added via bug 1146945.

Since the container image contains an older krb5-libs package which does not ship this directory, and host-data-list does not list it, it is not present in the container when realm join runs.

Comment 3 Lukas Slebodnik 2016-06-17 07:35:13 UTC
(In reply to Jan Pazdziora from comment #1)
> My guess is the problem is caused by the line
> 
>    includedir /etc/krb5.conf.d/
> 
> in /etc/krb5.conf which is now shipped by default in
> krb5-libs-1.14.1-15.el7.x86_64. It was added via bug 1146945.
> 
> Since the container image contains older krb5-libs package which does not
> ship this directory and host-data-list does not list it, it is not present
> in the container when realm join runs.

Actually, it's a known bug in krb5, BZ1274424.

The reproducer is even simpler
[root@host ~]# atomic install rhel7/sssd klist
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh klist
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Initializing configuration context from host ...
klist: Included profile directory could not be read while initializing krb5

And a simple change fixed the issue:
FROM rhel7/sssd
RUN [ -d /etc/krb5.conf.d/ ] || mkdir /etc/krb5.conf.d/

However, we should copy the content of that directory from the host if it exists.
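
The following is an added example, not the rhel7/sssd image's own install.sh and not code from any commenter: a POSIX shell routine that does what the two comments above describe. It reads the includedir directives out of the container's /etc/krb5.conf, creates each referenced directory inside the container (the Dockerfile workaround), and, when the host has that directory, copies the host's snippets into it (the "copy from host" follow-up). It also carries a check that mirrors what krb5 rejects with "Included profile directory could not be read", so the condition can be verified before realm or klist runs. Assumptions not taken from the bug: the host filesystem is mounted at /host (as in the docker run line shown in the reproducer), the container's /etc/krb5.conf has already been synced from the host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the rhel7/sssd image. Makes every "includedir"
# named by the container's krb5.conf exist inside the container, seeded from
# the host copy, so krb5 initialisation does not fail on a missing directory.
# Assumed layout: host mounted at /host, container root at / (both overridable).

# Print each directory named by an "includedir" directive in the krb5.conf
# given as $1, one per line; leading whitespace and trailing comments ignored.
krb5_includedirs() {
    sed -n 's/^[[:space:]]*includedir[[:space:]][[:space:]]*\([^[:space:]#][^[:space:]#]*\).*/\1/p' "$1"
}

# Return non-zero if any includedir under root $1 is missing or unreadable,
# which is the condition krb5 reports as "Included profile directory could
# not be read". The here-document keeps the loop in the current shell so
# the status variable survives.
krb5_includedirs_readable() {
    root="${1%/}"
    status=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if [ ! -d "$root$dir" ] || [ ! -r "$root$dir" ]; then
            echo "krb5.conf includedir not readable: $dir" >&2
            status=1
        fi
    done <<EOF
$(krb5_includedirs "$root/etc/krb5.conf")
EOF
    return "$status"
}

# Create each includedir under container root $2 (default /) and copy the
# host's snippets into it when host root $1 (default /host) has it.
sync_krb5_includedirs() {
    host_root="${1:-/host}"; host_root="${host_root%/}"
    ctr_root="${2:-/}";      ctr_root="${ctr_root%/}"
    conf="$ctr_root/etc/krb5.conf"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        target="$ctr_root$dir"
        source="$host_root$dir"
        if [ ! -d "$target" ]; then
            mkdir -p "$target"
            chmod 0755 "$target"   # krb5 only needs to read it; no group/world write
        fi
        # Copy whatever the host provides (e.g. crypto-policies snippets) so the
        # container resolves the same effective krb5 configuration as the host.
        if [ -d "$source" ]; then
            cp -pR "$source"/. "$target"/
        fi
    done <<EOF
$(krb5_includedirs "$conf")
EOF
    return 0
}
```

In the container this would be called as `sync_krb5_includedirs /host /` after the host's /etc/krb5.conf has been pulled in, and `krb5_includedirs_readable /` gives a clear error before realm or klist would. Copying the whole directory is safe because krb5 only reads files in an includedir whose names consist of alphanumerics, dashes and underscores (newer releases also accept names ending in .conf), so stray files such as rpmnew backups copied from the host are ignored.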

Comment 5 Niranjan Mallapadi Raghavender 2016-10-14 06:50:32 UTC
Versions:

lslebodn/sssd-docker               extras-rhel-7.3-docker-candidate-20160926090154   8af19f1e3f7a        2 weeks ago         370 MB
rhel7/sssd                         latest                                            8af19f1e3f7a        2 weeks ago         370 MB
registry.access.redhat.com/rhel7   latest                                            98a88a8b722a        5 weeks ago         201.4 MB

[root@atomic-00 sssd]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-10-06 18:32:58)
        Commit: bd5ac48f6195637c0230d9b0ab0a2e5fb843764f85bc64757106238bdf31e757
        OSName: rhel-atomic-host


[root@atomic-00 sssd]# atomic install rhel7/sssd klist
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh klist
Initializing configuration context from host ...
klist: Credentials cache keyring 'persistent:0:0' not found

[root@atomic-00 sssd]# atomic install rhel7/sssd realm join CENTAUR.TEST -v
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join CENTAUR.TEST -v
Initializing configuration context from host ...
 * Resolving: _ldap._tcp.centaur.test
 * Performing LDAP DSE lookup on: 192.168.122.27
 * Performing LDAP DSE lookup on: 192.168.122.187
 * Successfully discovered: CENTAUR.TEST
Password for Administrator:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.9FJPPY -U Administrator ads join CENTAUR.TEST
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CENTAUR
Joined 'ATOMIC-00' to dns domain 'CENTAUR.TEST'
DNS Update for atomic-00.localdomain failed: ERROR_DNS_UPDATE_FAILED
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.9FJPPY -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service

 * Successfully enrolled machine in realm
Copying new configuration to host ...
Full path required for exclude: net:[4026531956].
Service sssd.service configured to run SSSD container.


[root@atomic-00 sssd]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service
[root@atomic-00 sssd]# id Administrator
uid=1993600500(administrator) gid=1993600513(domain users) groups=1993600513(domain users),1993600520(group policy creator owners),1993600519(enterprise admins),1993600512(domain admins),1993600518(schema admins),1993601669(myunixgroup),1993601671(testgroup1),1993600572(denied rodc password replication group)

