Bug 1464115 - ipa-dnskeysyncd AVCs during openqa freeipa tests
Summary: ipa-dnskeysyncd AVCs during openqa freeipa tests
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: ppc64le
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: PPCTracker F26PPCFinal
 
Reported: 2017-06-22 12:57 UTC by Menanteau Guy
Modified: 2019-10-22 09:07 UTC (History)

Fixed In Version: selinux-policy-3.13.1-260.14.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-15 20:11:27 UTC
Type: Bug
Embargoed:


Attachments
summary of journal log (2.70 KB, text/plain), 2017-06-22 12:57 UTC, Menanteau Guy
summary of audit log (1.45 KB, text/plain), 2017-06-22 12:57 UTC, Menanteau Guy
audit log line analysing thru sealert (2.04 KB, text/plain), 2017-06-22 12:59 UTC, Menanteau Guy
krb4kdc log when kinit problem (10.03 KB, text/plain), 2017-06-26 13:57 UTC, Menanteau Guy

Description Menanteau Guy 2017-06-22 12:57:00 UTC
Created attachment 1290703 [details]
summary of journal log

During openqa tests exercising different FreeIPA scenarios, I have got intermittent problems with the "kinit" command on the ppc64le arch. These problems occur on the f26 Beta-1.4 version and the last nightly composes.

For example, I got ipa-client-install failures when I ran the command line "realm join" or when I ran "join domain" through cockpit. It seems the problem always occurs during the "kinit" command. Note that I also got the problem when "kinit" was executed on the command line later (outside of ipa-client-install, when that one succeeded).

In the journal and audit log, I found traces of an ipa-dnskeysyncd permission problem. See the attached summary logs.

I tried disabling SELinux (setenforce 0) and all tests passed without any errors. I have not yet investigated which specific SELinux ipa_dnskey policy I have to disable (https://www.mankier.com/8/ipa_dnskey_selinux), but what is puzzling me is that it is an intermittent problem, and sometimes even with SELinux policy enabled, kinit performs correctly and there is no problem with ipa_dnskey.

failing openqa tests:
server_role_deploy_domain_controller
server_realmd_join_kickstart 
realmd_join_sssd 
realmd_join_cockpit

Comment 1 Menanteau Guy 2017-06-22 12:57:38 UTC
Created attachment 1290704 [details]
summary of audit log

Comment 2 Menanteau Guy 2017-06-22 12:59:59 UTC
Created attachment 1290705 [details]
audit log line analysing thru sealert

Comment 3 Martin Bašti 2017-06-22 14:40:06 UTC
Hello,

ipa-dnskeysyncd is unrelated to kinit, please provide more information about failing kinit in separate BZ (try KRB5_TRACE=/dev/stderr kinit) when issue occurs.

Changing component to SELinux as this BZ is related only to AVCs.

Thank you

Comment 4 Menanteau Guy 2017-06-23 10:43:32 UTC
I ran tests with enforcing enabled and got the problem again.
Kerberos traces are as follows:

KRB5_TRACE=/dev/stderr kinit admin
[9981] 14982122358.540844: Getting initial credentials for admin
[9981] 14982122358.542648: Sending request (173 bytes) to DOMAIN.LOCAL
[9981] 14982122358.542910: Initiating TCP connection to stream 10.0.2.100:88
[9981] 14982122358.543224: Sending TCP request to stream 10.0.2.100:88
[9981] 14982122368.553502: Sending initial UDP request to dgram 10.0.2.100:88
[9981] 14982122371.556012: Sending retry UDP request to dgram 10.0.2.100:88
[9981] 14982122376.559790: Sending retry UDP request to dgram 10.0.2.100:88
[9981] 14982122385.566022: Terminating TCP connection to stream 10.0.2.100:88
kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials

Note that this kinit ran on the server itself, meaning that the TCP and UDP connections are attempted to the machine itself (IP address 10.0.2.100), but there is no answer...

Comment 5 Martin Bašti 2017-06-23 10:53:53 UTC
Do you have any KDC errors on the server?
less /var/log/krb5kdc.log
journalctl -u krb5kdc
systemctl status krb5kdc

Comment 6 Menanteau Guy 2017-06-26 13:57:50 UTC
Created attachment 1291985 [details]
krb4kdc log when kinit problem

Comment 7 Menanteau Guy 2017-06-26 13:58:45 UTC
journalctl -u krb5kdc
-- Logs begin at Sun 2017-06-25 14:22:00 EDT, end at Mon 2017-06-26 09:31:44 EDT. --
Jun 26 09:25:16 ipa001.domain.local systemd[1]: Starting Kerberos 5 KDC...
Jun 26 09:25:16 ipa001.domain.local systemd[1]: krb5kdc.service: PID file /var/run/krb5kdc.pid not readable (yet?) after start: No such file or directory
Jun 26 09:25:16 ipa001.domain.local systemd[1]: Started Kerberos 5 KDC.
Jun 26 09:27:35 ipa001.domain.local systemd[1]: Stopping Kerberos 5 KDC...
Jun 26 09:27:35 ipa001.domain.local systemd[1]: Stopped Kerberos 5 KDC.
Jun 26 09:27:35 ipa001.domain.local systemd[1]: Starting Kerberos 5 KDC...
Jun 26 09:27:35 ipa001.domain.local systemd[1]: krb5kdc.service: PID file /var/run/krb5kdc.pid not readable (yet?) after start: No such file or directory
Jun 26 09:27:35 ipa001.domain.local systemd[1]: Started Kerberos 5 KDC.

systemctl status krb5kdc
krb5dc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/krb5kdc.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-06-26 09:27:35 EDT; 2min 44s ago
 Main PID: 9142 (krb5kdc)
     Tasks: 1 (limit: 4915)
    CGroup: /system.slice/krb5kdc.service
               9142 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

Jun 26 09:27:35 ipa001.domain.local systemd[1]: Stopped Kerberos 5 KDC.
Jun 26 09:27:35 ipa001.domain.local systemd[1]: Starting Kerberos 5 KDC.
Jun 26 09:27:35 ipa001.domain.local systemd[1]: krb5kdc.service: PID file /var/run/krb5kdc.pid not readable (yet?) after...rectory
Jun 26 09:27:35 ipa001.domain.local systemd[1]: Started Kerberos 5 KDC.

Comment 8 Menanteau Guy 2017-06-27 13:53:22 UTC
I don't see explicit traces pointing to a problem with krb5kdc. The traces about the krb5kdc.pid file not being readable are still there when the problem does not occur ("enforcing" disabled).

Comment 9 Lukas Vrabec 2017-06-27 14:27:12 UTC
Menanteau, 

You mean SELinux is in permissive mode? 

Attach output:
# sestatus


Thanks,
Lukas.

Comment 10 Menanteau Guy 2017-06-27 14:54:16 UTC
Yes, as I said in the description of the bug, I never had problems when I ran "setenforce 0" before running IPA or Kerberos commands.

Comment 11 Lukas Vrabec 2017-06-27 15:59:26 UTC
Moving to FreeIPA. This issue is not related to SELinux.

Comment 12 Martin Bašti 2017-06-27 16:43:25 UTC
It consists of two bugs:

1)
This one is SELinux:

type=AVC msg=audit(1497726952.793:735): avc:  denied  { execute_no_trans } for  pid=9992 comm="ipa-dnskeysyncd" path="/usr/libexec/ipa/ipa-dnskeysync-replica" dev="dm-0" ino=5833743 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:ipa_dnskey_exec_t:s0 tclass=file permissive=0

2)
The kinit issues are not SELinux.

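The AVC record quoted in comment 12, read by a small audit-record parser. This is an added example, not part of the bug report or of the selinux-policy project; the only input is the record from the comment above, and the plain-language rendering of the denial is the example's own wording.

```python
import re
from typing import Dict

# Input: the AVC record quoted in comment 12 of this bug (not constructed).
AVC_LINE = (
    'type=AVC msg=audit(1497726952.793:735): avc:  denied  { execute_no_trans } '
    'for  pid=9992 comm="ipa-dnskeysyncd" '
    'path="/usr/libexec/ipa/ipa-dnskeysync-replica" dev="dm-0" ino=5833743 '
    'scontext=system_u:system_r:ipa_dnskey_t:s0 '
    'tcontext=system_u:object_r:ipa_dnskey_exec_t:s0 tclass=file permissive=0'
)

# Header: audit(epoch.millis:serial) ... avc: denied|granted { perm perm ... }
_HDR_RE = re.compile(
    r'msg=audit\((\d+\.\d+):(\d+)\).*?avc:\s+(denied|granted)\s+\{([^}]*)\}')
# Trailing key=value fields; values are either "quoted" or bare tokens.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Dict[str, object]:
    """Split one AVC record into verdict, permissions and key=value fields."""
    hdr = _HDR_RE.search(line)
    if hdr is None:
        raise ValueError("not an AVC record: %r" % line)
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(line[hdr.end():]):
        fields[key] = bare or quoted
    # Contexts are user:role:type:level; type is what allow rules key on.
    src_type = fields.get('scontext', '::?:').split(':')[2]
    tgt_type = fields.get('tcontext', '::?:').split(':')[2]
    return {
        'timestamp': float(hdr.group(1)),
        'serial': int(hdr.group(2)),
        'verdict': hdr.group(3),
        'permissions': hdr.group(4).split(),
        'source_type': src_type,
        'target_type': tgt_type,
        'tclass': fields.get('tclass'),
        'enforced': fields.get('permissive') == '0',  # 0 = enforcing, 1 = permissive
        'fields': fields,
    }


def explain(avc: Dict[str, object]) -> str:
    """Render the denial in plain words, spelling out execute_no_trans."""
    f = avc['fields']
    mode = ('SELinux was enforcing, so the operation failed' if avc['enforced']
            else 'permissive mode, only logged')
    text = '%s (pid %s) running as %s was %s %s on %s %s labelled %s; %s.' % (
        f.get('comm', '?'), f.get('pid', '?'), avc['source_type'], avc['verdict'],
        ', '.join(avc['permissions']), avc['tclass'], f.get('path', '?'),
        avc['target_type'], mode)
    if 'execute_no_trans' in avc['permissions']:
        text += (' execute_no_trans is the right to run the file while staying in '
                 'the current domain, i.e. without a domain transition.')
    return text
```
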
Comment 13 Menanteau Guy 2017-06-28 07:54:59 UTC
Hmm, perhaps I didn't try enough, but so far I haven't seen the kinit problem when SELinux is disabled. I will run a longer series of tests with SELinux disabled to see if kinit fails sometimes.

Comment 14 Standa Laznicka 2017-08-30 08:13:47 UTC
Comment 13 shows it is actually a SELinux issue.

Comment 15 Michel Normand 2017-09-06 09:09:01 UTC
no more failure with last compose 20170903.

Comment 16 Michel Normand 2017-09-06 09:10:45 UTC
(In reply to Michel Normand from comment #15)
> no more failure with last compose 20170903.

Oops, I closed the wrong bug, sorry, I am re-opening it.

Comment 17 Fedora Update System 2017-10-26 12:32:08 UTC
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e

Comment 18 Fedora Update System 2017-11-15 20:11:27 UTC
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Menanteau Guy 2019-10-22 09:07:24 UTC
Comment to clear the needinfo flag.
