Bug 1347758 - /etc/krb5.keytab directory being created when atomic run command is used
Summary: /etc/krb5.keytab directory being created when atomic run command is used
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd-container
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-17 14:43 UTC by Niranjan Mallapadi Raghavender
Modified: 2017-05-15 14:19 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-15 14:19:02 UTC
Target Upstream Version:
Embargoed:




Links:
  System: Red Hat Product Errata
  ID: RHBA-2016:2633
  Private: 0
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: Red Hat Enterprise Linux Atomic SSSD Container Image Update
  Last Updated: 2016-11-03 20:31:35 UTC

Description Niranjan Mallapadi Raghavender 2016-06-17 14:43:28 UTC
Description of problem:
When running the command atomic run ls /usr/sbin/adcli, the /etc/krb5.keytab directory gets created, causing successive join commands by realm to fail because /etc/krb5.keytab is a directory and not a file.


Version-Release number of selected component (if applicable):
sssd-docker-7.2.15.tar.gz
* 2016-05-06 05:57:30     7.2.4     b060975ce3     rhel-atomic-host     rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard


How reproducible:


Steps to Reproduce:
1. atomic run rhel7/sssd ls /usr/sbin/adcli
2. atomic install rhel7/sssd realm join -v <domain> membership-software=adcli 
<output>-bash-4.2# atomic install rhel7/sssd realm join -v CENTAUR.TEST
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join -v CENTAUR.TEST
Initializing configuration context from host ...
 * Resolving: _ldap._tcp.centaur.test
 * Performing LDAP DSE lookup on: 192.168.122.187
 * Successfully discovered: CENTAUR.TEST
Password for Administrator:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.DVJ5IY -U Administrator ads join CENTAUR.TEST
Enter Administrator's password:

Failed to join domain: failed to create kerberos keytab
 ! Joining the domain CENTAUR.TEST failed
realm: Couldn't join realm: Joining the domain CENTAUR.TEST failed
</output>


Actual results:
The above causes the domain join to fail, and the ls command on the rhel7/sssd container still shows up in the ps output:

root       5238  0.0  0.0      0     0 ?        S<   20:11   0:00 [kworker/0:1H]
root       5241  0.7  0.0  11636  1376 ?        Ss   20:12   0:00 /bin/bash /bin/run.sh ls /usr/sbin/adcli
root       5248  0.0  0.0   4356   356 ?        S    20:12   0:00 tail -f /var/log/sssd/systemctl.log
root       5251  0.5  0.3  42160  6252 ?        S    20:12   0:00 /usr/bin/perl /usr/bin/systemctl start sssd.service
root       5252  0.0  0.0      0     0 ?        Zs   20:12   0:00 [sssd] <defunct>





Expected results:
/etc/krb5.keytab should not be created.


Additional info:

Comment 1 Niranjan Mallapadi Raghavender 2016-06-17 14:45:14 UTC
The workaround is to remove the /etc/krb5.keytab directory and rejoin the host using
atomic install rhel7/sssd realm join -v <domain>

Comment 3 Jan Pazdziora 2016-06-17 17:30:34 UTC
I'd say the behaviour is expected. The workflow for using Atomic containers is atomic install ... for setup + atomic run or systemctl start the-service for runtime.

The atomic containers are not meant to be run the

   atomic run rhel7/sssd ls /usr/sbin/adcli

way. You are likely looking for

   docker run rhel7/sssd ls /usr/sbin/adcli

instead.

I propose NOTABUG.

Comment 4 Lukas Slebodnik 2016-06-17 18:03:26 UTC
(In reply to Jan Pazdziora from comment #3)
> I'd say the behaviour is expected. The workflow for using Atomic containers
> is atomic install ... for setup + atomic run or systemctl start the-service
> for runtime.
> 
> The atomic containers are not meant to be run the
> 
>    atomic run rhel7/sssd ls /usr/sbin/adcli
> 
> way. You are likely looking for
> 
>    docker run rhel7/sssd ls /usr/sbin/adcli
               ^^
             missing --rm :-)
> 
> instead.
> 
> I propose NOTABUG.

Sometimes I saw that the directory /etc/krb5.keytab/ or /etc/yp.conf/ was created after a failed installation, but I didn't have a reliable reproducer.

As a result of this, the following installation attempt failed.

Comment 5 Jan Pazdziora 2016-06-17 18:37:12 UTC
When docker run is run with -v /path/on/host:/path/in/container and /path/on/host does not exist, it gets created as a directory on the host. That's how docker works:

$ ls -la /tmp/test-it
ls: cannot access /tmp/test-it: No such file or directory
$ docker run -v /tmp/test-it:/test fedora:23 date
Fri Jun 17 18:36:49 UTC 2016
$ ls -la /tmp/test-it
total 0
drwxr-xr-x.  2 root root  40 Jun 17 20:36 .
drwxrwxrwt. 22 root root 620 Jun 17 20:36 ..
$ 

That's why it's important to only run atomic run rhel7/sssd after atomic install rhel7/sssd has passed, because it should have created all the locations (directories, files) that we bind mount into docker run for atomic run.

Comment 7 Lukas Slebodnik 2016-06-20 06:46:42 UTC
(In reply to Jan Pazdziora from comment #5)
> When docker run is run with -v /path/on/host:/path/in/container and
> /path/on/host does not exist, it gets created as directory on the host.
> That's how docker works:
> 
> $ ls -la /tmp/test-it
> ls: cannot access /tmp/test-it: No such file or directory
> $ docker run -v /tmp/test-it:/test fedora:23 date
> Fri Jun 17 18:36:49 UTC 2016
> $ ls -la /tmp/test-it
> total 0
> drwxr-xr-x.  2 root root  40 Jun 17 20:36 .
> drwxrwxrwt. 22 root root 620 Jun 17 20:36 ..
> $ 
> 
> That's why it's important to only run atomic run rhel7/sssd after atomic
> install rhel7/sssd passed because it should have created all the locations
> (directories, files) that we bind mount into docker run for atomic run.

The main problem is not that atomic run will create directories, but that atomic install will blindly copy them from /host, which causes failures that are complicated to debug.

e.g.
-bash-4.2# mkdir /etc/yp.conf/
-bash-4.2# atomic install rhel7/sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh
Initializing configuration context from host ...
Client hostname: nec-em19.test.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: tyan-gt24-10.rhts.eng.bos.redhat.com
BaseDN: dc=example,dc=com
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Mon Jun 13 10:59:00 2016 UTC
    Valid Until: Fri Jun 13 10:59:00 2036 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://tyan-gt24-10.rhts.eng.bos.redhat.com/ipa/json
Forwarding 'ping' to json server 'https://tyan-gt24-10.rhts.eng.bos.redhat.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://tyan-gt24-10.rhts.eng.bos.redhat.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://tyan-gt24-10.rhts.eng.bos.redhat.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3102, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3083, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 3043, in install
    configure_nisdomain(options=options, domain=cli_domain)
  File "/usr/sbin/ipa-client-install", line 1502, in configure_nisdomain
    tasks.set_nisdomain(domain)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/tasks.py", line 162, in set_nisdomain
    auth_config.execute()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/authconfig.py", line 88, in execute
    ipautil.run(["/usr/sbin/authconfig"] + args)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 373, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)
subprocess.CalledProcessError: Command ''/usr/sbin/authconfig' '--update' '--nisdomain' 'example.com'' returned non-zero exit status 6

Comment 8 Lukas Slebodnik 2016-06-20 06:47:48 UTC
It would be better to fail rather than copy a directory instead of a file in atomic install/uninstall.

Comment 9 Jan Pazdziora 2016-06-20 07:23:47 UTC
(In reply to Lukas Slebodnik from comment #8)
> It would be better to fail rather than copy directory instead of file in
> atomic install/uninstall

Yes, it should be fairly easy to check that locations from host-data-list that do not have a trailing slash are files, and fail in the atomic install phase if they are not.
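
The check proposed in comment 9, written out as an added example (this is not code from the sssd container image, install.sh or the atomic tool): a POSIX shell validator that walks a host-data-list, treats entries with a trailing slash as directories and everything else as regular files, and refuses to continue when a path already exists on the host with the wrong type. That is exactly the state described in comments 5 and 7, where a stray docker run -v has left /etc/krb5.keytab or /etc/yp.conf behind as a directory. The one-path-per-line list format, the HOSTROOT argument and the demo functions are assumptions made for the example; the demos build a throwaway tree under mktemp and never touch the real /etc.

```shell
#!/bin/sh
# Added example: pre-flight check for an Atomic-style host-data-list, run
# before the install phase copies anything from the host or sets up a bind
# mount. Convention assumed from comment 9: entries ending in "/" must be
# directories, every other entry must be a regular file. An absent entry is
# fine (install creates it); an entry that exists with the wrong type, e.g.
# /etc/krb5.keytab as a directory, is reported and the check fails.
# HOSTROOT is where the host filesystem is mounted inside the container
# (/host in the docker run lines on this page); LISTFILE has one path per line.

# validate_host_data_list HOSTROOT LISTFILE
# Prints one "ERROR:" line per mismatch. Returns 0 when clean, 1 on a
# mismatch, 2 when the list file cannot be read.
validate_host_data_list() {
    hostroot=$1
    listfile=$2
    [ -r "$listfile" ] || { printf 'ERROR: cannot read %s\n' "$listfile"; return 2; }
    status=0
    while IFS= read -r entry; do
        case $entry in ''|'#'*) continue ;; esac      # skip blanks and comments
        path="$hostroot/${entry#/}"                    # re-root the absolute path
        case $entry in
            */)   # directory expected
                if [ -e "${path%/}" ] && [ ! -d "${path%/}" ]; then
                    printf 'ERROR: %s must be a directory but is not one on the host\n' "$entry"
                    status=1
                fi ;;
            *)    # regular file expected
                if [ -e "$path" ] && [ ! -f "$path" ]; then
                    printf 'ERROR: %s must be a regular file but is not one on the host (directory?)\n' "$entry"
                    status=1
                fi ;;
        esac
    done < "$listfile"
    return $status
}

# Reproduce this bug's failure mode in a throwaway tree: the keytab path
# exists as a directory, as a stray "docker run -v" leaves it. Returns the
# validator's status (1 = directory-instead-of-file caught).
demo_bad_keytab() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/sssd" "$tmp/etc/krb5.keytab"   # wrong: a directory, not a file
    printf '%s\n' /etc/krb5.keytab /etc/sssd/ /etc/yp.conf > "$tmp/host-data-list"
    if validate_host_data_list "$tmp" "$tmp/host-data-list"; then demo_rc=0; else demo_rc=$?; fi
    rm -rf "$tmp"
    return $demo_rc
}

# Same list with the host in the expected state: a regular keytab file, a
# real sssd directory and no yp.conf at all. Returns 0.
demo_clean_keytab() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/sssd"
    : > "$tmp/etc/krb5.keytab"                         # regular file, as it should be
    printf '%s\n' /etc/krb5.keytab /etc/sssd/ /etc/yp.conf > "$tmp/host-data-list"
    if validate_host_data_list "$tmp" "$tmp/host-data-list"; then demo_rc=0; else demo_rc=$?; fi
    rm -rf "$tmp"
    return $demo_rc
}

# Run the bad-state reproduction when executed directly.
demo_bad_keytab; echo "validator exit status: $? (1 = mismatch caught)"
```

Placed at the top of an install script, before the loop that copies entries from /host, a check like this turns the unrelated-looking authconfig traceback in comment 7 into a single line naming the offending path, and it can equally guard the uninstall phase so a directory is never "removed" as if it were a file.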

Comment 10 Jan Pazdziora 2016-06-20 07:26:50 UTC
(In reply to Niranjan Mallapadi Raghavender from comment #6)
> okay, but can this be documented, i tried to search for these things in our
> official documentation [1][2][3] of Atomic but could not find.

I've asked at
http://post-office.corp.redhat.com/archives/aos-devel/2016-June/msg00545.html

Comment 12 Niranjan Mallapadi Raghavender 2016-10-20 06:27:33 UTC
Versions:

lslebodn/sssd-docker               extras-rhel-7.3-docker-candidate-20160926090154   8af19f1e3f7a        2 weeks ago         370 MB
rhel7/sssd                         latest                                            8af19f1e3f7a        2 weeks ago         370 MB
registry.access.redhat.com/rhel7   latest                                            98a88a8b722a        5 weeks ago         201.4 MB

[root@atomic-00 sssd]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-10-06 18:32:58)
        Commit: bd5ac48f6195637c0230d9b0ab0a2e5fb843764f85bc64757106238bdf31e757
        OSName: rhel-atomic-host


[root@atomic-00 ~]# atomic install rhel7/sssd realm join -v CENTAUR.TEST  --membership-software=adcli
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join -v CENTAUR.TEST --membership-software=adcli
Initializing configuration context from host ...
 * Resolving: _ldap._tcp.centaur.test
 * Performing LDAP DSE lookup on: 192.168.122.27
 * Successfully discovered: CENTAUR.TEST
Password for Administrator:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain CENTAUR.TEST --domain-realm CENTAUR.TEST --domain-controller 192.168.122.27 --login-type user --login-user Administrator --stdin-password
 * Using domain name: CENTAUR.TEST
 * Calculated computer account name from fqdn: ATOMIC-00
 * Using domain realm: CENTAUR.TEST
 * Sending netlogon pings to domain controller: cldap://192.168.122.27
 * Received NetLogon info from: srv2.CENTAUR.TEST
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-T1S2ZC/krb5.d/adcli-krb5-conf-B8ex6E
 * Authenticated as user: Administrator
 * Looked up short domain name: CENTAUR
 * Using fully qualified name: atomic-00.localdomain
 * Using domain name: CENTAUR.TEST
 * Using computer account name: ATOMIC-00
 * Using domain realm: CENTAUR.TEST
 * Calculated computer account name from fqdn: ATOMIC-00
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for ATOMIC-00$ at: CN=ATOMIC-00,CN=Computers,DC=CENTAUR,DC=TEST
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=ATOMIC-00,CN=Computers,DC=CENTAUR,DC=TEST
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: ATOMIC-00$@CENTAUR.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ATOMIC-00: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/atomic-00.localdomain: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ATOMIC-00: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/atomic-00.localdomain: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service

 * Successfully enrolled machine in realm
Copying new configuration to host ...
Full path required for exclude: net:[4026531956].
Service sssd.service configured to run SSSD container.

[root@atomic-00 ~]# ls -l /etc/krb5.keytab 
-rw-------. 1 root root 1977 Oct 20 06:19 /etc/krb5.keytab


Disjoin the system.

[root@atomic-00 ~]# atomic uninstall rhel7/sssd realm leave -v -U Administrator
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh realm leave -v -U Administrator
Initializing configuration context from host ...
 * LANG=C /usr/sbin/adcli delete-computer --verbose --domain centaur.test --domain-realm CENTAUR.TEST --login-user Administrator --stdin-password
Password for Administrator:  * Found computer name in keytab: ATOMIC-00
 * Found service principal in keytab: host/ATOMIC-00
 * Found service principal in keytab: host/atomic-00.localdomain
 * Found host qualified name in keytab: atomic-00.localdomain
 * Found service principal in keytab: RestrictedKrbHost/ATOMIC-00
 * Found service principal in keytab: RestrictedKrbHost/atomic-00.localdomain
 * Using domain name: centaur.test
 * Calculated computer account name from fqdn: ATOMIC-00
 * Using domain realm: centaur.test
 * Discovering domain controllers: _ldap._tcp.centaur.test
 * Sending netlogon pings to domain controller: cldap://192.168.122.27
 * Sending netlogon pings to domain controller: cldap://192.168.122.187
 * Received NetLogon info from: srv2.CENTAUR.TEST
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-lPsWX9/krb5.d/adcli-krb5-conf-iLGocM
 ! Couldn't authenticate as: Administrator: Preauthentication failed
adcli: couldn't connect to centaur.test domain: Couldn't authenticate as: Administrator: Preauthentication failed
 ! Failed to join the domain
 * Removing entries from keytab for realm
 * /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
 * Removing domain configuration from sssd.conf
 * /usr/sbin/authconfig --update --disablesssdauth --nostart
 * /usr/bin/systemctl disable sssd.service

 * Successfully unenrolled machine from realm
Copying new configuration to host ...
Removing /etc/krb5.keytab
Removing /etc/sssd/systemctl-lite-enabled/sssd.service
find: 'etc/yp.conf': No such file or directory
Removing /var/lib/sss/mc/passwd
Removing /var/lib/sss/mc/group
Removing /var/lib/sss/mc/initgroups
Removing /var/lib/sss/pipes/private/sbus-monitor
Removing /var/lib/sss/pipes/private/sbus-dp_CENTAUR.TEST.64
Removing /var/lib/sss/pipes/private/sbus-dp_CENTAUR.TEST
Removing /var/lib/sss/pipes/private/pam


Verify that the /etc/krb5.keytab file is removed:
[root@atomic-00 ~]# ls -l /etc/krb5.ketyab
ls: cannot access /etc/krb5.ketyab: No such file or directory

Comment 13 Niranjan Mallapadi Raghavender 2016-10-20 06:28:06 UTC
Note: if we run atomic run before, it still fails, and based on comment #10 this should be documented. Any update on it, or do we have to file a separate doc bug?

Comment 14 Lukas Slebodnik 2016-10-20 08:00:20 UTC
(In reply to Niranjan Mallapadi Raghavender from comment #13)
> Note if we run atomic run before it still fails and based on comment #10,
> this should be documented, Any update on it, or do we have to file a
> separate doc bug ?

It isn't sssd related. Feel free to open bug for different component.
