Bug 2096521 - ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996"
Summary: ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.1
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 9.1
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2091421
Reported: 2022-06-14 06:24 UTC by Varun Mylaraiah
Modified: 2022-11-15 12:58 UTC (History)

Fixed In Version: selinux-policy-34.1.37-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-15 11:13:52 UTC
Type: Bug
Target Upstream Version:




Links:
- GitHub fedora-selinux/selinux-policy pull 1241 (Merged): Update samba-dcerpcd policy for kerberos, last updated 2022-06-17 16:59:32 UTC
- GitHub fedora-selinux/selinux-policy pull 1264 (open): Update samba-dcerpcd policy for kerberos usage 2, last updated 2022-06-27 15:24:56 UTC
- Red Hat Issue Tracker RHELPLAN-125175, last updated 2022-06-14 06:35:40 UTC
- Red Hat Product Errata RHBA-2022:8283, last updated 2022-11-15 11:14:08 UTC

Internal Links: 2096825

Description Varun Mylaraiah 2022-06-14 06:24:47 UTC
Description of problem:
ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996"

Version-Release number of selected component (if applicable):
ipa-server-common-4.9.8-8.el9.noarch
ipa-server-4.9.8-8.el9.x86_64
ipa-server-dns-4.9.8-8.el9.noarch
ipa-server-trust-ad-4.9.8-8.el9.x86_64
389-ds-base-libs-2.0.14-1.el9.x86_64
389-ds-base-2.0.14-1.el9.x86_64
sssd-ipa-2.7.0-2.el9.x86_64
sssd-client-2.7.0-2.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1.ipa-server-install
2.ipa-adtrust-install
3.ipa trust-add

[root@master ~]# echo <xxxxxxx> | ipa trust-add win2019.test --admin Administrator --password
or
[root@master ~]# echo <xxxxxxx> | ipa trust-add win2019.test --admin Administrator --password  --two-way=True

Automation output:
=================
INFO     pytest_multihost.host.Host.master.OpenSSHTransport:transport.py:397 RUN ['ipa', 'trust-add', 'win2019-u7la.test', '--range-type=ipa-ad-trust', '--admin=Administrator', '--password']
DEBUG    pytest_multihost.host.Host.master.cmd20:transport.py:519 RUN ['ipa', 'trust-add', 'win2019-u7la.test', '--range-type=ipa-ad-trust', '--admin=Administrator', '--password']
DEBUG    pytest_multihost.host.Host.master.cmd20:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd20:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd20:transport.py:563 ipa: ERROR: CIFS server communication error: code "3221225996", message "The transport connection is now disconnected." (both may be "None")
DEBUG    pytest_multihost.host.Host.master.cmd20:transport.py:217 Exit code: 1

Actual results:
ipa: ERROR: CIFS server communication error: code "3221225996", message "The transport connection is now disconnected." (both may be "None")

Expected results:
ipa trust-add should be successful.

Additional info:
Attached httpd, samba, and sssd logs

Comment 7 Alexander Bokovoy 2022-06-14 11:23:58 UTC
This is due to a missing SELinux policy for samba-dcerpcd to access Kerberos configuration, TLS certificates, LDAP and so on.

[root@master ~]# setenforce 0
[root@master ~]# audit2allow -b


[root@master ~]# kinit admin
Password for admin: 
[root@master ~]# echo Secret123 |ipa trust-add win2019-9ced.test --admin Administrator --password 
--------------------------------------------------
Re-established trust to domain "win2019-9ced.test"
--------------------------------------------------
  Realm name: win2019-9ced.test
  Domain NetBIOS name: WIN2019-9CED
  Domain Security Identifier: S-1-5-21-2229588128-2176526217-358173259
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@master ~]# audit2allow -b


#============= winbind_rpcd_t ==============
allow winbind_rpcd_t cert_t:file { getattr open read };
allow winbind_rpcd_t devlog_t:sock_file write;
allow winbind_rpcd_t dirsrv_t:unix_stream_socket connectto;
allow winbind_rpcd_t dirsrv_var_run_t:sock_file write;
allow winbind_rpcd_t kernel_t:unix_dgram_socket sendto;
allow winbind_rpcd_t krb5_conf_t:file { open read };
allow winbind_rpcd_t krb5_keytab_t:dir search;
allow winbind_rpcd_t net_conf_t:file { getattr open read };
allow winbind_rpcd_t smbd_var_run_t:file { getattr lock open read };
[root@master ~]# 

[root@master ~]# audit2why -b
type=AVC msg=audit(1655205684.560:98): avc:  denied  { open } for  pid=2111 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.560:98): avc:  denied  { read } for  pid=2111 comm="samba-dcerpcd" name="krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.562:99): avc:  denied  { getattr } for  pid=2111 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda4" ino=8402018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.563:100): avc:  denied  { open } for  pid=2111 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda4" ino=8402018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.563:100): avc:  denied  { read } for  pid=2111 comm="samba-dcerpcd" name="resolv.conf" dev="vda4" ino=8402018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.564:101): avc:  denied  { open } for  pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.564:101): avc:  denied  { read } for  pid=2111 comm="samba-dcerpcd" name="krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.564:102): avc:  denied  { lock } for  pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.564:103): avc:  denied  { getattr } for  pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.565:104): avc:  denied  { connectto } for  pid=2111 comm="samba-dcerpcd" path="/run/slapd-IPA-TEST.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.565:104): avc:  denied  { write } for  pid=2111 comm="samba-dcerpcd" name="slapd-IPA-TEST.socket" dev="tmpfs" ino=1007 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.565:105): avc:  denied  { sendto } for  pid=2111 comm="samba-dcerpcd" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.565:105): avc:  denied  { write } for  pid=2111 comm="samba-dcerpcd" name="dev-log" dev="tmpfs" ino=46 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.566:106): avc:  denied  { search } for  pid=2111 comm="samba-dcerpcd" name="krb5" dev="vda4" ino=25166407 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.567:107): avc:  denied  { open } for  pid=2111 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.567:107): avc:  denied  { read } for  pid=2111 comm="samba-dcerpcd" name="openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.567:109): avc:  denied  { getattr } for  pid=2111 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.864:110): avc:  denied  { open } for  pid=2122 comm="rpcd_lsad" path="/etc/krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.864:110): avc:  denied  { read } for  pid=2122 comm="rpcd_lsad" name="krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.869:111): avc:  denied  { open } for  pid=2122 comm="rpcd_lsad" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.869:111): avc:  denied  { read } for  pid=2122 comm="rpcd_lsad" name="openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.869:112): avc:  denied  { getattr } for  pid=2122 comm="rpcd_lsad" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.981:113): avc:  denied  { open } for  pid=2166 comm="rpcd_lsad" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.981:113): avc:  denied  { read } for  pid=2166 comm="rpcd_lsad" name="krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.981:114): avc:  denied  { lock } for  pid=2166 comm="rpcd_lsad" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.981:115): avc:  denied  { getattr } for  pid=2166 comm="rpcd_lsad" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
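
The allow rules in the audit2allow output above are just the AVC records grouped by (source type, target type, object class) with their permissions merged. The following added example (not from this bug or from the selinux-policy project) reimplements that grouping over constructed AVC lines in the same shape, and additionally separates records logged in enforcing mode (permissive=0, the ones that actually break trust-add) from the permissive=1 records collected after setenforce 0; the enforcing record in the sample is made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the audit2why output above (fields trimmed);
# the last record is a made-up enforcing-mode (permissive=0) denial for contrast.
SAMPLE_AVCS = """\
type=AVC msg=audit(1655205684.560:98): avc:  denied  { open } for  pid=2111 comm="samba-dcerpcd" path="/etc/krb5.conf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.560:98): avc:  denied  { read } for  pid=2111 comm="samba-dcerpcd" name="krb5.conf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205684.565:104): avc:  denied  { connectto } for  pid=2111 comm="samba-dcerpcd" path="/run/slapd-IPA-TEST.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1655205684.864:110): avc:  denied  { open } for  pid=2122 comm="rpcd_lsad" path="/etc/krb5.conf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655205690.000:200): avc:  denied  { getattr } for  pid=2166 comm="rpcd_lsad" path="/etc/pki/tls/openssl.cnf" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}\s+for\s+pid=\d+\s+comm="(?P<comm>[^"]*)".*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line
    (e.g. the indented 'Was caused by' explanations audit2why interleaves)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "comm": m.group("comm"),
        "key": (m.group("stype"), m.group("ttype"), m.group("tclass")),
        "perms": set(m.group("perms").split()),
        "permissive": m.group("permissive") == "1",
    }

def aggregate_rules(lines):
    """Merge denials keyed by (source type, target type, class), the grouping audit2allow uses."""
    perms_by_key = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        perms_by_key[rec["key"]].update(rec["perms"])
    return dict(perms_by_key)

def render_rules(perms_by_key):
    """Render in audit2allow's style: braces only when a rule carries several permissions."""
    out = []
    for (s, t, c), perms in sorted(perms_by_key.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {s} {t}:{c} {{ {p} }};" if len(perms) > 1 else f"allow {s} {t}:{c} {p};")
    return out

def enforcing_denials(lines):
    """Records logged with permissive=0, i.e. accesses that were really blocked."""
    return [(r["comm"],) + r["key"] + (tuple(sorted(r["perms"])),)
            for r in filter(None, map(parse_avc, lines)) if not r["permissive"]]

if __name__ == "__main__":
    print("\n".join(render_rules(aggregate_rules(SAMPLE_AVCS.splitlines()))))
    print(enforcing_denials(SAMPLE_AVCS.splitlines()))
```

Feed it `ausearch -m AVC -ts recent` output (or the audit2why output above) instead of the constructed sample to get the same grouping for a real host.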

Comment 9 Alexander Bokovoy 2022-06-14 11:29:43 UTC
Zdenek,

samba-dcerpcd should have the same policy as winbindd and smbd. samba-dcerpcd is a new daemon in the Samba suite that runs code which was in the past part of smbd.
We need the same in Fedora as well, if it is not there yet.

Comment 11 Zdenek Pytela 2022-06-17 16:59:32 UTC
(In reply to Alexander Bokovoy from comment #9)
> Zdenek,
> 
> samba-dcerpcd should have the same policy as winbindd and smbd.
> samba-dcerpcd is a new daemon in Samba suite that runs code which was in
> past part of smbd.
> We need the same in Fedora as well, if it is not there yet.
Alexander,

We almost always put updates to rawhide first. samba-dcerpcd has been confined following the description in
https://www.samba.org/samba/history/samba-4.16.0.html
and the updates are ready also for f36.
The policy for the rpcd services differs a bit, just as smbd and winbind differ, but they share similar resources.

Comment 13 Zdenek Pytela 2022-06-24 13:54:42 UTC
Commit to backport:
commit e6584a21427a408c09781f2c5cf978b0f18db1cc
Author: Zdenek Pytela <zpytela>
Date:   Fri Jun 17 18:34:28 2022 +0200

    Update samba-dcerpcd policy for kerberos usage

Comment 21 Zdenek Pytela 2022-06-29 09:08:32 UTC
The commit has not actually been backported:
commit 837f63743214363362334e910dcb06d35cd5cb99
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 27 17:22:40 2022 +0200

    Update samba-dcerpcd policy for kerberos usage 2

Comment 29 errata-xmlrpc 2022-11-15 11:13:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283

