Bug 1468597 - container name must match image name in case realmd is used
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Using-Containerized-Identity-Management-Services
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Aneta Šteflová Petrová
QA Contact: ipa-qe
: Documentation
Depends On:
Blocks: 1418679
Reported: 2017-07-07 09:33 EDT by Thorsten Scherf
Modified: 2017-08-14 07:00 EDT (History)
CC: 5 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-14 07:00:41 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Thorsten Scherf 2017-07-07 09:33:39 EDT
Description of problem:

Customers might want to use the "--name" option with atomic. When SSSD is configured with the IPA backend, an arbitrary container name can be used:

# atomic install --name foo rhel7/sssd -p admin -w redhat123
[...]
Client configuration complete.

But in case realmd is used to enroll the container into an AD domain, the container name must match the image name (which is always the case when "--name" is not used):

# atomic install --name sssd-test rhel7/sssd realm join -v MYLAB.LOCAL
[...]
Failed to join domain: failed to lookup DC info for domain 'mylab.local' over rpc: Logon failure
 ! The Administrator account, password, or credentials are invalid
realm: Couldn't join realm: The Administrator account, password, or credentials are invalid

# atomic install --name sssd rhel7/sssd realm join -v MYLAB.LOCAL
[...]
* Successfully enrolled machine in realm


Version-Release number of selected component (if applicable):

# atomic host status
State: idle
Deployments:
 atomic-host:rhel-atomic-host/7/x86_64/standard
             Version: 7.4.0 (2017-04-28 00:37:19)
              Commit: a235ce70ad4f5b7306d995e1f92308f535d1723e520cb3f6d853005cbebab081
              OSName: atomic-host

# atomic images version rhel7/sssd
IMAGE NAME                           VERSION   IMAGE ID  
docker.io/rhel7/sssd:latest          7.3-26    db4db0ab7441


Comment 1 Lukas Slebodnik 2017-07-07 16:38:40 EDT
Usually, if you want to join AD or IPA, you need to provide credentials.
By default they are read from files:
  /etc/sssd/ipa-client-install-options - parameters to ipa-client-install
  /etc/sssd/realm-join-options - parameters to realm join
  /etc/sssd/realm-join-password - file with password for realm join

But if you use a different name for the container, then they are read from a different directory; otherwise there could be a conflict in case of different passwords for different domains.

With the RHEL SSSD 7.4 image, the files need to be stored in:
  /etc/sssd/${name}/ipa-client-install-options - parameters to ipa-client-install
  /etc/sssd/${name}/realm-join-options - parameters to realm join
  /etc/sssd/${name}/realm-join-password - file with password for realm join
and "${name}" is the name of the container that was passed to the atomic utility via the "--name" option.
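The per-container layout from comment 1, as an added example that is not part of this bug, of the rhel7/sssd image or of the atomic tool: a POSIX shell helper that resolves the directory a given container name maps to (top-level /etc/sssd for the default name "sssd", /etc/sssd/<name>/ for a custom --name), stages realm-join-password there, and checks the file before you run atomic install. The SSSD_ETC override (so it can be exercised outside /etc/sssd), the use of GNU stat, the function names, and the rule that the secret must be mode 0600 are this example's own assumptions, not anything the bug or the image requires. The "check" path covers the situation comment 1 describes for the failure in the description: with --name sssd-test the image looks under /etc/sssd/sssd-test/, finds no password file, and the join fails with "credentials are invalid".

```sh
#!/bin/sh
# Added example (not from the bug or the rhel7/sssd image): stage the
# realm join password where the containerised SSSD will look for it,
# following the layout from comment 1:
#   default container name "sssd" -> /etc/sssd/realm-join-password
#   --name <custom>               -> /etc/sssd/<custom>/realm-join-password
# Assumptions of this example: SSSD_ETC overrides /etc/sssd for testing,
# GNU stat is available, and the secret file must be mode 0600 (our
# recommendation, not a requirement stated in the bug).

# Print the directory the image reads join options from, given the
# container name passed to "atomic install --name".
sssd_cred_dir() {
    base="${SSSD_ETC:-/etc/sssd}"
    if [ -z "$1" ] || [ "$1" = "sssd" ]; then
        printf '%s\n' "$base"
    else
        printf '%s/%s\n' "$base" "$1"
    fi
}

# Write realm-join-password for container $1 from stdin, so the
# password never appears in argv or shell history.  The file is created
# under umask 077 so it is never world-readable, even briefly; the
# trailing chmod covers a pre-existing file, which keeps its old mode
# when truncated.
stage_join_creds() {
    dir=$(sssd_cred_dir "$1") || return 1
    mkdir -p "$dir" || return 1
    ( umask 077 && cat > "$dir/realm-join-password" ) || return 1
    chmod 0600 "$dir/realm-join-password"
}

# Verify the password file exists under the right path for container $1
# and is not readable by other users.  A missing file here is the case
# from comment 1: the join runs without the password it was meant to use.
check_join_creds() {
    dir=$(sssd_cred_dir "$1")
    pwfile="$dir/realm-join-password"
    if [ ! -f "$pwfile" ]; then
        echo "check: $pwfile missing; realm join for container '$1' has no password" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$pwfile") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)
            echo "check: $pwfile is mode $mode; a domain join secret must be 0600" >&2
            return 1 ;;
    esac
}

# Usage: printf '%s\n' "$PASSWORD" | sh stage-creds.sh stage sssd-test
#        sh stage-creds.sh check sssd-test
case "${1:-}" in
    stage) stage_join_creds "$2" ;;
    check) check_join_creds "$2" ;;
esac
```

Run "check" with the same name you intend to pass to atomic install --name before the join; if it reports the file missing, the join would fail exactly as in the description, and if it reports a loose mode, every local user could read the domain join password.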
Comment 2 Thorsten Scherf 2017-07-08 03:05:17 EDT
This makes sense. But we need to document this.

I will reassign this bug to Aneta to add a note in the IDM Container guide.

Aneta, this affects the following chapter in the guide:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/managing_containers/running_super_privileged_containers#joining_an_sssd_container_to_an_active_directory_domain
Comment 3 Aneta Šteflová Petrová 2017-07-10 03:02:32 EDT
Thanks, Thorsten. I'm adding this BZ to my work queue because I'm working on documenting this scenario as part of BZ#1418679.
Comment 4 Aneta Šteflová Petrová 2017-08-04 06:12:42 EDT
I added this note to step 1 of the installation procedure:

----
If you want to specify a custom container image name later with the atomic install command to use instead of the default name (sssd), add the custom name to the path of the file: /etc/sssd/<custom_container_name>/realm-join-password.
----

Lukáš, is this okay?
Comment 6 Lukas Slebodnik 2017-08-04 06:47:30 EDT
(In reply to Aneta Šteflová Petrová from comment #4)
> I added this note to step 1 of the installation procedure:
> 
> ----
> If you want to specify a custom container image name later with the atomic
> install command to use instead of the default name (sssd), add the custom
> name to the path of the file:
> /etc/sssd/<custom_container_name>/realm-join-password.
> ----
> 
> Lukáš, is this okay?

Yes,
thank you.
Comment 7 Aneta Šteflová Petrová 2017-08-04 07:05:17 EDT
Perfect, thank you. The update is now on master.