Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 613833 - slapi-nis fails to load with 389-ds 1.2.6
slapi-nis fails to load with 389-ds 1.2.6
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: slapi-nis (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Nathan Kinder
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: 389_1.2.6
  Show dependency treegraph
 
Reported: 2010-07-12 18:15 EDT by Rob Crittenden
Modified: 2015-12-22 12:01 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-22 12:01:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch (995 bytes, patch)
2010-07-13 14:30 EDT, Nathan Kinder
no flags Details | Diff

  None (edit)
Description Rob Crittenden 2010-07-12 18:15:26 EDT
Description of problem:

If the nis-server plugin is enabled the 389-ds will fail to start:

[12/Jul/2010:18:12:12 -0400] nis-plugin - error connecting rpcbind client socket to the service
[12/Jul/2010:18:12:12 -0400] nis-plugin - error creating portmap/rpcbind client socket
[12/Jul/2010:18:12:12 -0400] - Init function "nis_plugin_init" for "NIS Server" plugin in library "/usr/lib64/dirsrv/plugins/nisserver-plugin.so" failed
[12/Jul/2010:18:12:12 -0400] - Unable to load plugin "cn=NIS Server,cn=plugins,cn=config"

Version-Release number of selected component (if applicable):
slapi-nis-0.17-4.fc12.x86_64
389-ds-base-1.2.6-0.5.rc3.fc12.x86_64

Additional info:

This doesn't appear to be an ABI problem. I rebuilt the plugin against 1.2.6 and it still fails to load.
Comment 1 Nalin Dahyabhai 2010-07-12 18:55:19 EDT
Is rpcbind running?  This is the expected behavior if it isn't running, or there's some error registering with it.

Aside: if you're just using this for testing purposes, you can set "nis_plugin_continue_without_portmap_for_testing_only_no_i_really_mean_that=1" in the environment to continue past the error.  Clients won't be able to ask rpcbind which port the NIS server will answer, but the in-tree tests already know which port to use, so
Comment 2 Rob Crittenden 2010-07-13 08:57:19 EDT
Running:

# service rpcbind status
rpcbind (pid 765) is running...

So I poked at it some more:

# service dirsrv start
Starting dirsrv: 
    GREYOAK-COM...[13/Jul/2010:08:54:03 -0400] nis-plugin - error connecting rpcbind client socket to the service
[13/Jul/2010:08:54:04 -0400] nis-plugin - error creating portmap/rpcbind client socket
[13/Jul/2010:08:54:04 -0400] - Init function "nis_plugin_init" for "NIS Server" plugin in library "/usr/lib64/dirsrv/plugins/nisserver-plugin.so" failed
[13/Jul/2010:08:54:04 -0400] - Unable to load plugin "cn=NIS Server,cn=plugins,cn=config"
                                                           [FAILED]
  *** Warning: 1 instance(s) failed to start

This is an SELinux issue:

type=AVC msg=audit(1279025644.254:1156): avc:  denied  { name_bind } for  pid=2427 comm="ns-slapd" src=890 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket

So the question is, do we try to get this into the system policy or add it to the IPA policy?
Comment 3 Nalin Dahyabhai 2010-07-13 10:36:24 EDT
I guess, as a directory server plugin, it goes wherever the policy for dirsrv_t is defined.
Comment 4 Nalin Dahyabhai 2010-07-13 13:03:49 EDT
Nathan, can we update the policy to let the server bind to UDP ports in the range named "hi_reserved_port_t"?
Comment 5 Rob Crittenden 2010-07-13 13:34:48 EDT
Alternatively I have no problem fixing this in the IPA policy, its just that as a standalone package slapi-nis wouldn't work with SELinux. Perhaps a README would address that if I fix it in IPA?
Comment 6 Daniel Walsh 2010-07-13 13:44:54 EDT
corenet_tcp_bind_all_rpc_ports(dirsrv_t)

Should fix the problem.
Comment 7 Nalin Dahyabhai 2010-07-13 14:00:28 EDT
(In reply to comment #5)
> Alternatively I have no problem fixing this in the IPA policy, its just that as
> a standalone package slapi-nis wouldn't work with SELinux. Perhaps a README
> would address that if I fix it in IPA?    

That wouldn't really be a suitable fix for the Fedora packages, though.  I'd expect 389-ds-base to be usable outside of an IPA context, either with or without this plugin.
Comment 8 Nalin Dahyabhai 2010-07-13 14:13:58 EDT
(In reply to comment #6)
> corenet_tcp_bind_all_rpc_ports(dirsrv_t)
> 
> Should fix the problem.    

After some out of band conversation, I think we'll need corenet_udp_bind_all_rpc_ports(dirsrv_t), too.
Comment 9 Nathan Kinder 2010-07-13 14:30:02 EDT
Created attachment 431547 [details]
Patch
Comment 10 Nathan Kinder 2010-07-13 14:33:37 EDT
Pushed to master and 389-ds-base-1.2.6 branches under the trivial fix rule.

Counting objects: 7, done.
Delta compression using 2 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 484 bytes, done.
Total 4 (delta 3), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   f1d509e..b7a93e6  master -> master

Counting objects: 7, done.
Delta compression using 2 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 486 bytes, done.
Total 4 (delta 3), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   2570fbb..7b23290  126-local -> 389-ds-base-1.2.6
Comment 11 Bug Zapper 2011-06-01 10:05:57 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 12 Bug Zapper 2011-06-29 09:37:40 EDT
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 13 Rob Crittenden 2011-06-29 15:35:26 EDT
I believe that this has been addressed.
Comment 14 Jan Kurik 2015-12-22 06:28:07 EST
This bug is currently assigned to an unsupported release. If you think this bug is still valid and should remain open, please re-assign it to a supported release (F22, F23) or to rawhide.

Bugs which will be assigned to an unsupported release are going to be closed as EOL (End Of Life) on January 26th, 2016.
Comment 15 Noriko Hosoi 2015-12-22 12:01:31 EST
Since the status is MODIFIED, the fix is already included in the current releases.  I'm closing this bug with CURRENTRELEASE.
Thanks.

Note You need to log in before you can comment on or make changes to this bug.