We were able to solve that by running the sidgen manually, following
this guide
https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#t...
It seems that the staging instance is now running as it should.
Ok, that's good. FYI RHEL bugs should be filed in the RHEL JIRA project
against the affected component.
rob
Michal
On 30. 11. 23 17:00, Michal Konecny wrote:
>
>
> On 30. 11. 23 16:38, Rob Crittenden wrote:
>> Michal Konecny wrote:
>>>
>>> On 30. 11. 23 16:01, Rob Crittenden wrote:
>>>> Michal Konecny via FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>> I upgraded Fedora staging environment to RHEL 9 and encountered this
>>>>> issue https://access.redhat.com/solutions/7015184.
>>>> How did you upgrade from Fedora staging to RHEL 9? What does that
>>>> mean?
>>> I was following this guide
>>>
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
>>>
>> So this is the Fedora project IPA staging system that you are upgrading from
>> RHEL-8 to RHEL-9? The original statement sounded more like directly
>> upgrading Fedora -> RHEL.
> Sorry for the misunderstanding. Yes, I'm trying to upgrade Fedora
> staging IPA from RHEL8 to RHEL9.
>>
>>
>>>
>>> The fedora infra ticket for that is here
>>>
>>> https://pagure.io/fedora-infrastructure/issue/10358
>>>>> To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`,
>>>>> but it failed on
>>>>> `The ipa-enable-sid command failed, exception: PermissionError: [Errno 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>>>>>
>>>>> As expected this was an SELinux issue
>>>>> ```
>>>>> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for
>>>>> pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633
>>>>> scontext=system_u:system_r:ipa_helper_t:s0
>>>>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
>>>>> ```
>>>>>
>>>>> I tried to relabel the whole system to fix it, but the denial is still
>>>>> there. Did I miss something?
>>>>> Shouldn't IPA server have access to /etc?
>>>> This isn't the server. It is executed as an oddjob task which runs in a
>>>> different context.
>>>>
>>>> It ensures that krb5.conf is set up correctly and apparently yours is not
>>>> and tries to correct it but fails in making a backup.
>>>>
>>>> Can you file a JIRA ticket on this?
>>> I can, where should I file it?
>>
>> https://issues.redhat.com/secure/CreateIssue!default.jspa
>>
>> As a workaround I'd try touching /etc/krb5.conf.ipabkp and setting the
>> context to match krb5.conf (system_u:object_r:krb5_conf_t:s0 I believe).
> Even changing the SELinux context didn't help:
> -rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 899 Nov 30 13:37 /etc/krb5.conf
> -rw-r--r--. 1 root root unconfined_u:object_r:krb5_conf_t:s0 899 Nov 30 15:49 /etc/krb5.conf.ipabkp
>
> I'm still getting permission denied for `/etc/krb5.conf.ipabkp` by
> `ipa config-mod --enable-sid --add-sids`,
> but no denial in `/var/log/messages` or `/var/log/audit/audit.log`
>>
>> Looks like you uncovered a bug and I don't want to lose track of it
>> while we work out a solution.
> I found the FreeIPA project on JIRA, but I'm unable to create an issue in
> it.
> Do you want me to file an issue under another project?
>>
>> thanks
>>
>> rob
>>
>
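
The AVC record quoted in the thread, parsed field by field (an added example, not part of the original messages; `parse_avc` and `summarize` are hypothetical helper names, and the record is the thread's own line joined back together). It pulls out the source domain, the target type and the object class, which are the fields that say which object a denial is about: here the directory named `etc`, labeled `etc_t`.

```python
import re

# The AVC record quoted in the thread, rejoined onto one line.
AVC_RECORD = (
    'type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for '
    'pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 '
    'scontext=system_u:system_r:ipa_helper_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC audit record as a dict, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m["result"], "perms": m["perms"].split()}
    for key, value in FIELD_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the type is what policy rules match on.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":", 3)
        if len(parts) >= 3:
            rec[ctx + "_type"] = parts[2]
    # permissive=0 means the denial was enforced, not just logged.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(rec):
    """One-line description: source domain, permission, object class and label."""
    return "{src} {result} {{{perms}}} on {cls} '{name}' labeled {tgt}".format(
        src=rec.get("scontext_type", "?"), result=rec["result"],
        perms=" ".join(rec["perms"]), cls=rec.get("tclass", "?"),
        name=rec.get("name", "?"), tgt=rec.get("tcontext_type", "?"))


if __name__ == "__main__":
    print(summarize(parse_avc(AVC_RECORD)))
```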