2096521 – ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996"

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2096521 - ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996"

Summary: ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	9.1
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	9.1
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2091421
TreeView+	depends on / blocked

Reported:	2022-06-14 06:24 UTC by Varun Mylaraiah
Modified:	2022-12-15 16:18 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-34.1.37-1.el9
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-11-15 11:13:52 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1241	None	Merged	Update samba-dcerpcd policy for kerberos	2022-06-17 16:59:32 UTC
Github	fedora-selinux selinux-policy pull 1264	None	open	Update samba-dcerpcd policy for kerberos usage 2	2022-06-27 15:24:56 UTC
Red Hat Issue Tracker	RHELPLAN-125175	None	None	None	2022-06-14 06:35:40 UTC
Red Hat Product Errata	RHBA-2022:8283	None	None	None	2022-11-15 11:14:08 UTC

Internal Links: 2096825

Description Varun Mylaraiah 2022-06-14 06:24:47 UTC

Description of problem:
ipa trust-add fails with ipa: ERROR: CIFS server communication error : code "3221225996"

Version-Release number of selected component (if applicable):
ipa-server-common-4.9.8-8.el9.noarch
ipa-server-4.9.8-8.el9.x86_64
ipa-server-dns-4.9.8-8.el9.noarch
ipa-server-trust-ad-4.9.8-8.el9.x86_64
389-ds-base-libs-2.0.14-1.el9.x86_64
389-ds-base-2.0.14-1.el9.x86_64
sssd-ipa-2.7.0-2.el9.x86_64
sssd-client-2.7.0-2.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1.ipa-server-install
2.ipa-adtrust-install
3.ipa trust-add

[root@master ~]# echo <xxxxxxx> | ipa trust-add win2019.test --admin Administrator --password
or
[root@master ~]# echo <xxxxxxx> | ipa trust-add win2019.test --admin Administrator --password  --two-way=True

Automation output:
=================
INFO     pytest_multihost.host.Host.master.OpenSSHTransport:transport.py:397 RUN ['ipa', 'trust-add', 'win2019-u7la.test', '--range-type=ipa-ad-trust', '--admin=Administrator', '--password']
DEBUG    pytest_multihost.host.Host.master.cmd20:transport.py:519 RUN ['ipa', 'trust-add', 'win2019-u7la.test', '--range-type=ipa-ad-trust', '--admin=Administrator', '--password']
DEBUG    pytest_multihost.host.Host.master.cmd20:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd20:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd20:transport.py:563 ipa: ERROR: CIFS server communication error: code "3221225996", message "The transport connection is now disconnected." (both may be "None")
DEBUG    pytest_multihost.host.Host.master.cmd20:transport.py:217 Exit code: 1

Actual results:
ipa: ERROR: CIFS server communication error: code "3221225996", message "The transport connection is now disconnected." (both may be "None")

Expected results:
ipa trust-add should be successful.

Additional info:
Attached httpd, samba, and sssd logs

Comment 7 Alexander Bokovoy 2022-06-14 11:23:58 UTC

This is due to a missing SELinux policy for samba-dcerpcd to access Kerberos configuration, TLS certificates, LDAP and so on.

[root@master ~]# setenforce 0
[root@master ~]# audit2allow -b


[root@master ~]# kinit admin
Password for admin: 
[root@master ~]# echo Secret123 |ipa trust-add win2019-9ced.test --admin Administrator --password 
--------------------------------------------------
Re-established trust to domain "win2019-9ced.test"
--------------------------------------------------
  Realm name: win2019-9ced.test
  Domain NetBIOS name: WIN2019-9CED
  Domain Security Identifier: S-1-5-21-2229588128-2176526217-358173259
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@master ~]# audit2allow -b


#============= winbind_rpcd_t ==============
allow winbind_rpcd_t cert_t:file { getattr open read };
allow winbind_rpcd_t devlog_t:sock_file write;
allow winbind_rpcd_t dirsrv_t:unix_stream_socket connectto;
allow winbind_rpcd_t dirsrv_var_run_t:sock_file write;
allow winbind_rpcd_t kernel_t:unix_dgram_socket sendto;
allow winbind_rpcd_t krb5_conf_t:file { open read };
allow winbind_rpcd_t krb5_keytab_t:dir search;
allow winbind_rpcd_t net_conf_t:file { getattr open read };
allow winbind_rpcd_t smbd_var_run_t:file { getattr lock open read };
[root@master ~]# 

[root@master ~]# audit2why -b
type=AVC msg=audit(1655205684.560:98): avc:  denied  { open } for  pid=2111 comm="samba-dcerpcd" path="/etc/krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.560:98): avc:  denied  { read } for  pid=2111 comm="samba-dcerpcd" name="krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.562:99): avc:  denied  { getattr } for  pid=2111 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda4" ino=8402018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.563:100): avc:  denied  { open } for  pid=2111 comm="samba-dcerpcd" path="/etc/resolv.conf" dev="vda4" ino=8402018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.563:100): avc:  denied  { read } for  pid=2111 comm="samba-dcerpcd" name="resolv.conf" dev="vda4" ino=8402018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.564:101): avc:  denied  { open } for  pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.564:101): avc:  denied  { read } for  pid=2111 comm="samba-dcerpcd" name="krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.564:102): avc:  denied  { lock } for  pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.564:103): avc:  denied  { getattr } for  pid=2111 comm="samba-dcerpcd" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.565:104): avc:  denied  { connectto } for  pid=2111 comm="samba-dcerpcd" path="/run/slapd-IPA-TEST.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.565:104): avc:  denied  { write } for  pid=2111 comm="samba-dcerpcd" name="slapd-IPA-TEST.socket" dev="tmpfs" ino=1007 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.565:105): avc:  denied  { sendto } for  pid=2111 comm="samba-dcerpcd" path="/run/systemd/journal/dev-log" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.565:105): avc:  denied  { write } for  pid=2111 comm="samba-dcerpcd" name="dev-log" dev="tmpfs" ino=46 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.566:106): avc:  denied  { search } for  pid=2111 comm="samba-dcerpcd" name="krb5" dev="vda4" ino=25166407 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.567:107): avc:  denied  { open } for  pid=2111 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.567:107): avc:  denied  { read } for  pid=2111 comm="samba-dcerpcd" name="openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.567:109): avc:  denied  { getattr } for  pid=2111 comm="samba-dcerpcd" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.864:110): avc:  denied  { open } for  pid=2122 comm="rpcd_lsad" path="/etc/krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.864:110): avc:  denied  { read } for  pid=2122 comm="rpcd_lsad" name="krb5.conf" dev="vda4" ino=8389406 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.869:111): avc:  denied  { open } for  pid=2122 comm="rpcd_lsad" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.869:111): avc:  denied  { read } for  pid=2122 comm="rpcd_lsad" name="openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.869:112): avc:  denied  { getattr } for  pid=2122 comm="rpcd_lsad" path="/etc/pki/tls/openssl.cnf" dev="vda4" ino=25166461 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.981:113): avc:  denied  { open } for  pid=2166 comm="rpcd_lsad" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.981:113): avc:  denied  { read } for  pid=2166 comm="rpcd_lsad" name="krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.981:114): avc:  denied  { lock } for  pid=2166 comm="rpcd_lsad" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1655205684.981:115): avc:  denied  { getattr } for  pid=2166 comm="rpcd_lsad" path="/run/samba/krb5cc_samba" dev="tmpfs" ino=1077 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Comment 9 Alexander Bokovoy 2022-06-14 11:29:43 UTC

Zdenek,

samba-dcerpcd should have the same policy as winbindd and smbd. samba-dcerpcd is a new daemon in Samba suite that runs code which was in past part of smbd.
We need the same in Fedora as well, if it is not there yet.

Comment 11 Zdenek Pytela 2022-06-17 16:59:32 UTC

(In reply to Alexander Bokovoy from comment #9)
> Zdenek,
> 
> samba-dcerpcd should have the same policy as winbindd and smbd.
> samba-dcerpcd is a new daemon in Samba suite that runs code which was in
> past part of smbd.
> We need the same in Fedora as well, if it is not there yet.
Alexandr,

We almost always put update to rawhide first. samba-dcerpcd has been confined following the description in
https://www.samba.org/samba/history/samba-4.16.0.html
and the updates are ready also for f36.
The policy for rpcd services differs a bit as well as smbd and winbind differs, but share similar resources.

Comment 13 Zdenek Pytela 2022-06-24 13:54:42 UTC

Commit to backport:
commit e6584a21427a408c09781f2c5cf978b0f18db1cc
Author: Zdenek Pytela <zpytela>
Date:   Fri Jun 17 18:34:28 2022 +0200

    Update samba-dcerpcd policy for kerberos usage

Comment 21 Zdenek Pytela 2022-06-29 09:08:32 UTC

The commit has not actually been backported:
commit 837f63743214363362334e910dcb06d35cd5cb99
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 27 17:22:40 2022 +0200

    Update samba-dcerpcd policy for kerberos usage 2

Comment 29 errata-xmlrpc 2022-11-15 11:13:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283

Note You need to log in before you can comment on or make changes to this bug.