Bug 1460929 - starting sssd container using systemctl creates /etc/yp.conf directory
Summary: starting sssd container using systemctl creates /etc/yp.conf directory
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd-container
Version: 7.3
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: sssd-qe
Reported: 2017-06-13 07:40 UTC by Niranjan Mallapadi Raghavender
Modified: 2017-06-28 09:44 UTC (History)
Last Closed: 2017-06-13 07:59:10 UTC
Description Niranjan Mallapadi Raghavender 2017-06-13 07:40:57 UTC
Description of problem:
After joining a RHEL7 Atomic host to Active Directory using realm, starting the sssd container creates a /etc/yp.conf directory; /etc/yp.conf should be a file and not a directory.

Version-Release number of selected component (if applicable):
sssd-docker-7.3-25

How reproducible:


Steps to Reproduce:
1. atomic install rhel7/sssd realm join -v --membership-software=samba CENTAUR.TEST
2. systemctl start sssd
3. ls -l /etc/yp.conf
[root@titan ~]# ls -l /etc/yp.conf/
total 0



Actual results:

[root@titan ~]# ls -l /etc/yp.conf/
total 0
Expected results:
/etc/yp.conf directory should not be created 

Additional info:

Comment 2 Lukas Slebodnik 2017-06-13 07:59:10 UTC
It is not a bug.

Because if docker tries to bind-mount a non-existing file, it will create a directory on the host. And /etc/yp.conf is created only by ipa-client-install and not by adcli/realmd. Therefore the file /etc/yp.conf does not exist after "atomic install rhel7/sssd ..."

Comment 3 Jan Pazdziora 2017-06-13 10:09:37 UTC
OTOH, can't this prevent us from uninstalling the AD-joined setup and installing an ipa-client-install-based one?

Maybe we should touch and create empty files in install.sh that we plan to bind-mount in run.sh, to prevent them from being autocreated with the wrong type?
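
The pre-creation idea from comment 3, as an added example that is not part of the original thread or of the sssd-container scripts: before any bind mount, make sure each path that must be a file exists as a regular file, and turn an empty auto-created directory back into a file. The function names are hypothetical; the host prefix mirrors the `HOST=/host` variable in the `docker run` lines on this page.

```shell
#!/bin/sh
# Added example (not from the sssd-container scripts). Function names are
# hypothetical; the host prefix corresponds to HOST=/host on this page.

# ensure_bind_file PATH
# Returns 0 if PATH is (now) a regular file, 1 if it was left untouched.
ensure_bind_file() {
    p=$1
    if [ -L "$p" ]; then
        # Never write through a symlink while running as root.
        echo "refusing: $p is a symlink" >&2
        return 1
    fi
    if [ -f "$p" ]; then
        return 0                      # already a file, keep its content
    fi
    if [ -d "$p" ]; then
        # An empty directory is what an earlier bind mount of a missing
        # file leaves behind. rmdir fails on a non-empty or busy
        # directory, so real data is never deleted.
        rmdir "$p" 2>/dev/null || {
            echo "refusing: $p is a non-empty or busy directory" >&2
            return 1
        }
    elif [ -e "$p" ]; then
        echo "refusing: $p exists and is not a regular file" >&2
        return 1
    fi
    mkdir -p "$(dirname "$p")" && : > "$p"
}

# prepare_bind_files HOSTPREFIX FILE...
# Checks every listed file and returns 1 if any of them could not be fixed.
prepare_bind_files() {
    prefix=$1
    shift
    rc=0
    for f in "$@"; do
        ensure_bind_file "$prefix$f" || rc=1
    done
    return $rc
}
```

A script would call `prepare_bind_files "$HOST" /etc/yp.conf` (plus any other file it bind-mounts) before the service is started, and treat a non-zero return as a reason not to start the container.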

Comment 4 Niranjan Mallapadi Raghavender 2017-06-27 22:56:27 UTC
I have not tested ipa-client-install, but it does prevent uninstalling realmd ones.

[root@dione sssd_container]# atomic uninstall -f rhel7/sssd realm leave -v U administrator
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh realm leave -v U administrator
Initializing configuration context from host ...
Warning: Failed to copy /etc/yp.conf to host. It cannot be a directory
realm: Couldn't find a matching realm

Comment 5 Niranjan Mallapadi Raghavender 2017-06-27 23:02:22 UTC
[root@dione sssd_container]# atomic install rhel7/sssd realm join -v --membership-software=adcli CENTAUR.TEST
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join -v --membership-software=adcli CENTAUR.TEST
Initializing configuration context from host ...
 * Resolving: _ldap._tcp.centaur.test
 * Performing LDAP DSE lookup on: 192.168.122.187
Password for Administrator:  * Performing LDAP DSE lookup on: 192.168.122.27
 * Successfully discovered: CENTAUR.TEST
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain CENTAUR.TEST --domain-realm CENTAUR.TEST --domain-controller 192.168.122.187 --login-type user --login-user Administrator --stdin-password
 * Using domain name: CENTAUR.TEST
 * Calculated computer account name from fqdn: DIONE
 * Using domain realm: CENTAUR.TEST
 * Sending netlogon pings to domain controller: cldap://192.168.122.187
 * Received NetLogon info from: srv1.CENTAUR.TEST
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-SN2i2V/krb5.d/adcli-krb5-conf-MVDZUN
 * Authenticated as user: Administrator
 * Looked up short domain name: CENTAUR
 * Using fully qualified name: dione.centaur.test
 * Using domain name: CENTAUR.TEST
 * Using computer account name: DIONE
 * Using domain realm: CENTAUR.TEST
 * Calculated computer account name from fqdn: DIONE
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for DIONE$ at: CN=DIONE,CN=Computers,DC=CENTAUR,DC=TEST
 * Set computer password
 * Retrieved kvno '4' for computer account in directory: CN=DIONE,CN=Computers,DC=CENTAUR,DC=TEST
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: DIONE$@CENTAUR.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/DIONE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/dione.centaur.test: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/DIONE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/dione.centaur.test: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service

 * Successfully enrolled machine in realm
Copying new configuration to host ...
Service sssd.service configured to run SSSD container.
[root@dione sssd_container]# ls -l /etc/yum
yum/         yum.conf     yum.repos.d/
[root@dione sssd_container]# atomic install rhel7/sssd realm join -v --membership-software=adcli CENTAUR.TEST^C
[root@dione sssd_container]# systemctl start sssd
[root@dione sssd_container]# atomic uninstall -f rhel7/sssd realm leave -v U administrator CENTAUR.TEST^C
[root@dione sssd_container]# ls -l /etc/yp.conf/
total 0
[root@dione sssd_container]# #atomic uninstall -f rhel7/sssd realm leave -v -U administrator CENTAUR.TEST
[root@dione sssd_container]# systemctl stop sssd
[root@dione sssd_container]# #atomic uninstall -f rhel7/sssd realm leave -v -U administrator CENTAUR.TEST
[root@dione sssd_container]# atomic uninstall -f rhel7/sssd realm leave -v -U administrator CENTAUR.TEST-
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh realm leave -v -U administrator CENTAUR.TEST-
Initializing configuration context from host ...
Warning: Failed to copy /etc/yp.conf to host. It cannot be a directory
realm: Couldn't find a matching realm

Comment 6 Lukas Slebodnik 2017-06-28 09:38:16 UTC
(In reply to Niranjan Mallapadi Raghavender from comment #4)
> I have not tested ipa-client-install.  but it does prevent from uninstall
> realmd ones. 
> 
> [root@dione sssd_container]# atomic uninstall -f rhel7/sssd realm leave -v U
> administrator
> docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e
> IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh realm leave -v U
> administrator
> Initializing configuration context from host ...
> Warning: Failed to copy /etc/yp.conf to host. It cannot be a directory

This warning is not related to the realm leave failure, because in the case of "atomic uninstall" we just print a warning and skip importing the problematic file/directory into the container.


> realm: Couldn't find a matching realm

Seems to be a PEBKAC or copy&paste problem.

A different REALM was used for joining the machine and for leaving:
"CENTAUR.TEST" != "CENTAUR.TEST-"

Comment 7 Niranjan Mallapadi Raghavender 2017-06-28 09:44:12 UTC
Lukas, you are right, it does print a warning.


[root@dione repo]# atomic install rhel7/sssd realm join -v CENTAUR.TEST
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join -v CENTAUR.TEST
Initializing configuration context from host ...
 * Resolving: _ldap._tcp.centaur.test
 * Performing LDAP DSE lookup on: 192.168.122.27
Password for Administrator:  * Performing LDAP DSE lookup on: 192.168.122.187
 * Successfully discovered: CENTAUR.TEST
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SG6S2Y -U Administrator ads join CENTAUR.TEST
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CENTAUR
Joined 'DIONE' to dns domain 'CENTAUR.TEST'
DNS Update for dione.centaur.test failed: ERROR_DNS_UPDATE_FAILED
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SG6S2Y -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service

 * Successfully enrolled machine in realm
Copying new configuration to host ...
Service sssd.service configured to run SSSD container.
[root@dione repo]# systemctl start sssd
[root@dione repo]# ls -l /etc/yp.conf/
total 0
[root@dione repo]# atomic uninstall rhel7/sssd realm leave -v CENTAUR.TEST
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh realm leave -v CENTAUR.TEST
Initializing configuration context from host ...
Warning: Failed to copy /etc/yp.conf to host. It cannot be a directory
 * Removing entries from keytab for realm
 * /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
 * Removing domain configuration from sssd.conf
 * /usr/sbin/authconfig --update --disablesssdauth --nostart
 * /usr/bin/systemctl disable sssd.service
 * Successfully unenrolled machine from realm
Copying new configuration to host ...
Removing /etc/krb5.keytab
Removing /etc/sssd/systemctl-lite-enabled/sssd.service
Removing /etc/yp.conf
Removing /var/lib/sss/pipes/private/sbus-dp_CENTAUR.TEST.69
Removing /var/lib/sss/pipes/private/sbus-monitor
Removing /var/lib/sss/pipes/private/sbus-dp_CENTAUR.TEST.11
Removing /var/lib/sss/pipes/private/sbus-dp_CENTAUR.TEST
Removing /var/lib/sss/pipes/private/pam
Removing /var/lib/sss/mc/passwd
Removing /var/lib/sss/mc/group
Removing /var/lib/sss/mc/initgroups

