Michal Konecny wrote:
> We were able to solve that by running the sidgen manually, following
> this guide
> https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#troubleshooting-and-debugging
>
> It seems that the staging instance is now running as it should.

Ok, that's good. FYI RHEL bugs should be filed in the RHEL JIRA project
against the affected component.

rob

>
> Michal
>
> On 30. 11. 23 17:00, Michal Konecny wrote:
>>
>> On 30. 11. 23 16:38, Rob Crittenden wrote:
>>> Michal Konecny wrote:
>>>>
>>>> On 30. 11. 23 16:01, Rob Crittenden wrote:
>>>>> Michal Konecny via FreeIPA-users wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I upgraded the Fedora staging environment to RHEL 9 and encountered this
>>>>>> issue https://access.redhat.com/solutions/7015184.
>>>>> How did you upgrade from Fedora staging to RHEL 9? What does that
>>>>> mean?
>>>> I was following this guide
>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/migrating_to_identity_management_on_rhel_9/index#migrating_idm_from_rhel_8_to_rhel_9
>>>>
>>> So this is the Fedora project IPA staging system that you are upgrading from
>>> RHEL-8 to RHEL-9? The original statement sounded more like directly
>>> upgrading Fedora -> RHEL.
>> Sorry for the misunderstanding. Yes, I'm trying to upgrade Fedora
>> staging IPA from RHEL8 to RHEL9.
>>>
>>>> The fedora infra ticket for that is here
>>>> https://pagure.io/fedora-infrastructure/issue/10358
>>>>>> To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`,
>>>>>> but it failed on
>>>>>> `The ipa-enable-sid command failed, exception: PermissionError: [Errno 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>>>>>>
>>>>>> As expected this was an SELinux issue
>>>>>> ```
>>>>>> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for
>>>>>> pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633
>>>>>> scontext=system_u:system_r:ipa_helper_t:s0
>>>>>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
>>>>>> ```
>>>>>>
>>>>>> I tried to relabel the whole system to fix it, but the denial is still
>>>>>> there. Did I miss something?
>>>>>> Shouldn't the IPA server have access to /etc?
>>>>> This isn't the server. It is executed as an oddjob task which runs in a
>>>>> different context.
>>>>>
>>>>> It ensures that krb5.conf is set up correctly and apparently yours is not
>>>>> and tries to correct it but fails in making a backup.
>>>>>
>>>>> Can you file a JIRA ticket on this?
>>>> I can, where should I file it?
>>> https://issues.redhat.com/secure/CreateIssue!default.jspa
>>>
>>> As a workaround I'd try touching /etc/krb5.conf.ipabkp and setting the
>>> context to match krb5.conf (system_u:object_r:krb5_conf_t:s0 I believe).
>> Even changing the SELinux context didn't help:
>> -rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 899 Nov 30 13:37 /etc/krb5.conf
>> -rw-r--r--. 1 root root unconfined_u:object_r:krb5_conf_t:s0 899 Nov 30 15:49 /etc/krb5.conf.ipabkp
>>
>> I'm still getting permission denied for `/etc/krb5.conf.ipabkp` by
>> `ipa config-mod --enable-sid --add-sids`,
>> but no denial in `/var/log/messages` or `/var/log/audit/audit.log`
>>>
>>> Looks like you uncovered a bug and I don't want to lose track of it
>>> while we work out a solution.
>> I found the FreeIPA project on JIRA, but I'm unable to create an issue in it.
>> Do you want me to file an issue under another project?
>>>
>>> thanks
>>>
>>> rob

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
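Added example, not part of the thread or of FreeIPA itself: a small Python triage script that parses `type=AVC` records shaped like the one Michal quoted and reports only enforced denials coming from the `ipa_helper_t` domain (the oddjob helper context Rob describes), so an administrator can see at a glance that the helper, not the server, hit an unexpected label such as `etc_t`. The sample log lines are constructed to mirror the quoted record and are not captures from the Fedora staging host.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records modelled on the denial quoted in the thread,
# plus an unrelated permissive-mode AVC; these are not real captures.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1701349641.295:30008): avc:  denied  { write } for  pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1701349641.295:30008): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1701349700.100:30010): avc:  denied  { read } for  pid=4242 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

# Header of an AVC record; the permission set is the brace-delimited list.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either quoted (comm="...") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Parse one type=AVC record into a flat dict; None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "serial": m.group("serial"),
           "decision": m.group("decision"), "perms": m.group("perms").strip()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The type is the third field of a user:role:type:level SELinux label.
    rec["stype"] = rec.get("scontext", "::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    return rec

def find_enforced_denials(log_text: str, source_type: str) -> List[Dict[str, str]]:
    """Denials from domain `source_type` that were actually blocked (permissive=0)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["decision"] == "denied" and rec["stype"] == source_type
                and rec.get("permissive") == "0"):
            hits.append(rec)
    return hits

def describe(rec: Dict[str, str]) -> str:
    # One-line summary in the form a triage note or alert would carry.
    return (f'{rec.get("comm", "?")} ({rec["stype"]}) denied {rec["perms"]} on '
            f'{rec.get("tclass", "?")} "{rec.get("name", "?")}" labelled {rec["ttype"]}')

if __name__ == "__main__":
    for hit in find_enforced_denials(SAMPLE_AUDIT_LOG, "ipa_helper_t"):
        print(describe(hit))
```

On a real host, feed it the output of `grep AVC /var/log/audit/audit.log` instead of the constructed sample; a denial with `tclass=dir` against `etc_t` is the helper failing to create its backup, which is the case the thread discusses.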