"SSSD binaries missing capabilities" like in Bazzite issue #1818 #2028
Comments
@karypid was still having problems too last time they checked into the Bazzite issue.
From reading the parent issue it looks like I have all the capabilities that are supposed to be there?
AFAIK realm only supports adcli and samba for membership software, as per the following:
I am not familiar with the IPA client, but could you not use sssd/adcli and sssd/samba on the client side? It should work fine with a FreeIPA domain as that is supported. The problems you linked to have to do with the Fedora 40 (gts) channel. Stable and latest should work fine (as long as you are using supported client-side software options).
To be clear, I have a similar setup on Bazzite 41 authenticating against the same FreeIPA system/realm and it works fine. My desktop is on Bazzite, and my laptop is on Bluefin. Bazzite works, Bluefin does not. I use the FreeIPA client because it integrates with FreeIPA more deeply. I tried with SELinux set to permissive, but still seem to get this:
Does One of the issues in the gts version was that
Nope, and if I create it, FreeIPA returns the same error, but SELinux still screams. Even after creating kinit/Kerberos just seems broken in general. You can see it in the OP error: Reading the rechunk documentation, it seems to imply that SELinux can get really mangled by the rechunk process. I'm not really sure what information I can provide to assist with this case. Resolving SELinux cases broken by rechunk on a per-case basis doesn't really seem sustainable/scalable. While some of the errors seem like they could be resolved upstream by tmpfiles entries, I'm not sure SELinux blocking access to files is something upstream can fix.
Can you compare selinux packages between your working Bazzite and Bluefin?
If this is indeed related to SELinux, surely there are different policies in effect? Also, does it work with SELinux in permissive mode?
So, I learned how Then added freeipa-client to it with a really simple Containerfile:
Built it:
So the rechunk process (which Silverblue isn't using?) breaks FreeIPA. It really sounds like the "gotchas" described in the rechunk git repository need to be evaluated more seriously. IMO it sounds like the choice to use rechunk should be reverted until that can be solved.
So, as far as I can tell, this new version is trying to save space and among other things seems to "remove empty directories" from the image. This causes issues with programs that expect a folder to exist (with some selinux context) but otherwise be empty. This is why in my testing instructions here I mention:
I will let the developers/maintainers decide on what to do, but yes - something fishy seems to be happening with the new rechunk, but it is beyond my knowledge. The good news is that it seems one only needs to manually create missing folders for things to work...
/var is supposed to be basically empty on an image. What happens if you add a tmpfiles.d conf file to auto-create the directory? Per packaging guidelines, you are not supposed to create files in /var.
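The tmpfiles.d approach suggested in the comment above, written out as an added example (this is not code from the issue thread or from the ublue-os/bluefin project): a conf fragment covering the /var/lib/ipa-client/sysrestore directory named in the report, plus a small checker that parses the fragment and lists which of its directories are missing on the running system, and can recreate them in a scratch root for testing. The file name ipa-client.conf, the 0755/0700 modes and the root ownership are assumptions to verify against the freeipa-client package; only the paths come from the thread. A real deployment would ship the fragment under /etc/tmpfiles.d or /usr/lib/tmpfiles.d and let systemd-tmpfiles --create do the work at boot, which also applies the SELinux file context from the loaded policy, restoring the label as well as the empty directory.

```python
"""Check a tmpfiles.d fragment against the filesystem and recreate missing dirs.

Added example for the tmpfiles.d suggestion in the issue thread; the fragment,
modes and owners below are assumptions, not the freeipa-client package's own.
"""
import os
import shlex
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed fragment; assumed install path /etc/tmpfiles.d/ipa-client.conf.
# Recreates directories freeipa-client expects but that ship empty in the
# package and are therefore dropped from the image by rechunk.
IPA_CLIENT_TMPFILES = """\
#Type Path                           Mode User Group Age Argument
d     /var/lib/ipa-client            0755 root root  -   -
d     /var/lib/ipa-client/sysrestore 0700 root root  -   -
"""


@dataclass
class TmpfilesEntry:
    kind: str
    path: str
    mode: int
    user: str
    group: str


def parse_tmpfiles(text: str) -> List[TmpfilesEntry]:
    """Parse the subset of tmpfiles.d(5) syntax used above: 'd' lines only.

    Blank lines and '#' comments are skipped, as systemd-tmpfiles does; a '-'
    in the mode/user/group column falls back to the tmpfiles.d defaults.
    """
    entries: List[TmpfilesEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        kind, path = fields[0], fields[1]
        if kind != "d":
            raise ValueError(f"unsupported tmpfiles type {kind!r} in line: {line}")
        mode = int(fields[2], 8) if len(fields) > 2 and fields[2] != "-" else 0o755
        user = fields[3] if len(fields) > 3 and fields[3] != "-" else "root"
        group = fields[4] if len(fields) > 4 and fields[4] != "-" else "root"
        entries.append(TmpfilesEntry(kind, path, mode, user, group))
    return entries


def missing_directories(entries: List[TmpfilesEntry], root: str = "/") -> List[str]:
    """Return the entry paths that do not exist as directories under `root`."""
    missing = []
    for e in entries:
        full = os.path.join(root, e.path.lstrip("/"))
        if not os.path.isdir(full):
            missing.append(e.path)
    return missing


def create_directories(entries: List[TmpfilesEntry], root: str = "/") -> List[str]:
    """Create the missing directories with their configured mode.

    This mirrors what `systemd-tmpfiles --create` does for 'd' lines, minus
    ownership and SELinux labelling, which need root and the SELinux policy.
    """
    created = []
    for e in entries:
        full = os.path.join(root, e.path.lstrip("/"))
        if not os.path.isdir(full):
            os.makedirs(full, mode=e.mode, exist_ok=True)
            os.chmod(full, e.mode)  # makedirs is subject to umask; enforce the mode
            created.append(e.path)
    return created


def simulate(root: Optional[str] = None) -> Tuple[List[str], List[str], List[str]]:
    """Run check -> create -> check against a scratch root (a temp dir by default)
    so the cycle can be exercised without touching the real /var."""
    root = root or tempfile.mkdtemp(prefix="tmpfiles-demo-")
    entries = parse_tmpfiles(IPA_CLIENT_TMPFILES)
    before = missing_directories(entries, root)
    created = create_directories(entries, root)
    after = missing_directories(entries, root)
    return before, created, after


if __name__ == "__main__":
    # Report which of the fragment's directories are absent on this system.
    for path in missing_directories(parse_tmpfiles(IPA_CLIENT_TMPFILES)):
        print(f"missing: {path}")
```

Running the script on an affected image lists the directories rechunk dropped; on a system where the fragment is installed and systemd-tmpfiles has run, it prints nothing. The parser deliberately rejects anything other than `d` lines so an unsupported type is a loud error rather than a silently ignored line.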
I'm collecting information about all these directories and seeing if I can come up with a
Hi all, I posted an upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2332433 The response is ultimately that FreeIPA bundled in a rpm-ostree/bootc image cannot work in its current state. Please remove
Thanks for doing the legwork on this! I'll keep the issue open so we check it regularly!
Describe the bug
Bluefin appears to still have the following issue which presented on Bazzite a few weeks ago: ublue-os/bazzite#1818
What did you expect to happen?
Successful FreeIPA client initialization.
Output of bootc status
Output of groups
Extra information or context
I then created /var/lib/ipa-client/sysrestore/sysrestore.state (which should be automatic), but still: