If an rpm-ostree-based image includes sssd-ipa, the resulting /usr/libexec/sssd/selinux_child does not have the expected file capabilities present:

    # getcap -v /usr/libexec/sssd/*child
    /usr/libexec/sssd/gpo_child
    /usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
    /usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
    /usr/libexec/sssd/oidc_child
    /usr/libexec/sssd/p11_child
    /usr/libexec/sssd/passkey_child
    /usr/libexec/sssd/proxy_child
    /usr/libexec/sssd/selinux_child

The capabilities are present in the RPM database:

    $ rpm -q --filecaps sssd-ipa | grep selinux_child
    /usr/libexec/sssd/selinux_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep

Lack of capabilities on the selinux_child causes the PAM account phase to fail:

    (2024-10-21 10:11:05): [be[example.test]] [selinux_child_done] (0x0020): [RID#5] selinux_child_parse_response failed: [22][Invalid argument]
    ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
       * (2024-10-21 10:11:05): [be[example.test]] [sdap_handle_release] (0x2000): Trace: sh[0x56040e7054d0], connected[1], ops[(nil)], ldap[0x56040e74efb0], destructor_lock[0], release_memory[0]
       * (2024-10-21 10:11:05): [be[example.test]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
       * (2024-10-21 10:11:05): [be[example.test]] [_read_pipe_handler] (0x0400): [RID#5] EOF received, client finished
       * (2024-10-21 10:11:05): [be[example.test]] [selinux_child_done] (0x0020): [RID#5] selinux_child_parse_response failed: [22][Invalid argument]
    ********************** BACKTRACE DUMP ENDS HERE *********************************

Reproducible: Always

Steps to Reproduce:
1. Build an image with the sssd-ipa package installed
2. Rebase to this image with rpm-ostree rebase REFSPEC
3. Enroll the system to the IPA domain
4. Attempt to login as an IPA user

Actual Results:
Failure to login, with a result in the logs 'System error'

Expected Results:
Login to the system with an IPA user is successful
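As an added example (not part of the bug report, and not SSSD or rpm-ostree code), a small POSIX shell check that compares the capabilities recorded in the RPM database with what getcap reports on disk, so the drift shown above can be detected on a rebased image before users hit the PAM failure. The function names and the sample output are constructed; check_package assumes rpm and getcap are on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report): detect files whose capabilities
# recorded in the RPM database are missing from the deployed image.

# compare_caps EXPECTED ACTUAL
#   EXPECTED: text in `rpm -q --filecaps PKG` format, "<path> <caps>" per line
#             (files carrying no capabilities have an empty second field).
#   ACTUAL:   text in `getcap -v` format, "<path> <caps>" (or the older
#             "<path> = <caps>"); a bare path means no capabilities on disk.
#   Prints one MISSING line per path whose recorded capabilities are not
#   present on disk. Returns 0 if everything matches, 1 otherwise.
compare_caps() {
    missing=$(printf '%s\n' "$1" | while read -r path caps; do
        # Skip blank lines and files that carry no capabilities in the RPM.
        [ -n "$path" ] && [ -n "$caps" ] || continue
        # The last field of the matching getcap line is the on-disk set, if any.
        have=$(printf '%s\n' "$2" | awk -v p="$path" '$1 == p && NF > 1 { print $NF }')
        [ "$have" = "$caps" ] ||
            printf 'MISSING %s: expected %s, found %s\n' "$path" "$caps" "${have:-none}"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# check_package PKG: run the comparison against the live system
# (assumes rpm and getcap from libcap are on PATH, as on Fedora).
check_package() {
    expected=$(rpm -q --filecaps "$1") || return 2
    actual=$(printf '%s\n' "$expected" | awk 'NF > 1 { print $1 }' | xargs getcap -v 2>/dev/null)
    compare_caps "$expected" "$actual"
}

# Constructed sample input modelled on the output quoted in the report: the RPM
# records capabilities for three helpers, but on disk selinux_child has none.
SAMPLE_RPM='/usr/libexec/sssd/gpo_child
/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep'
SAMPLE_GETCAP='/usr/libexec/sssd/gpo_child
/usr/libexec/sssd/krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
/usr/libexec/sssd/selinux_child'

if compare_caps "$SAMPLE_RPM" "$SAMPLE_GETCAP"; then
    echo "all recorded capabilities are present on disk"
else
    echo "capability drift detected (see MISSING lines above)"
fi
```

On a real system, `check_package sssd-ipa` runs the same comparison against the installed package; a non-zero exit means at least one helper lost its recorded capabilities.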
A workaround at this point is to switch off selinux_provider in the IPA domain definition in the sssd configuration:

    [domain/example.test]
    ...
    selinux_provider = none

This workaround requires being able to login as root. Since the whole system image is immutable, an alternative could be to make it mutable and set the required capabilities manually. The latter will then be lost on the next automated image rebase, sadly.
The loss of file capabilities for images built on top of the base Fedora rpm-ostree image is documented in https://github.com/hhd-dev/rechunk/issues/2, which is a collection of various issues with the rpm-ostree/bootc build process. This bug should be considered a blocker for supporting properly working SSSD and FreeIPA under rpm-ostree and bootc environments. As the default Fedora bootc image would not have FreeIPA packages installed, users always need to build a new image and thus will be affected by these issues.
This (losing file capabilities defined in the spec file) doesn't look like an SSSD bug, rather a general issue of rpm-ostree. Please change the component back if there is a known pattern a package should follow to solve this.
FEDORA-2024-88b4110a60 (bootc-1.1.2-2.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-88b4110a60
bootc is the focus for containerized deployments. https://github.com/coreos/rpm-ostree/pull/5145 includes the fix for rpm-ostree, but we haven't yet done a release.
FEDORA-2024-88b4110a60 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-88b4110a60` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-88b4110a60 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-88b4110a60 (bootc-1.1.2-2.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.