Hi,

I have a boot problem when I combine an ipa-client-install with 'authconfig --enablenis --update'. According to the oVirt/RHEV docs [1] I have to do this to make SSO to the VM possible.

Messages during boot are:
Failed to start RealtimeKit for Policy Services
Failed to start Authorization Manager
Dependency failed for Dynamic System tuning daemon

My setup is:
All systems CentOS 7.3(1611)
oVirt 4.1
IPA server 4.4
IPA client 4.4

If I use an old VM with CentOS 7.2(1511) and ipa-client 4.2 there are no problems and SSO is working, so oVirt and IPA seem to be configured correctly.

My findings so far:
- CentOS 7.3 does not include ypbind. If I install it manually it sometimes boots (but takes a long time), but the other times it stops at the same point as mentioned before. This could imply some kind of race condition during boot.
- I tried different versions of ipa-client (ipa-client-4.4.0-12.el7.centos.x86_64 up to ipa-client-4.4.0-14.el7.centos.7.x86_64); none worked. Older versions I could not find anymore.

Can anyone confirm my findings or point me in some direction?

Kind regards,
Paul
[1]https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/htm...
On Wed, May 31, 2017 at 10:18:46AM -0000, paul--- via FreeIPA-users wrote:
> Hi, I have a boot problem when I combine an ipa-client-install with 'authconfig --enablenis --update'. According to the oVirt/RHEV docs [1] I have to do this to make SSO to the VM possible.
>
> Messages during boot are:
> Failed to start RealtimeKit for Policy Services
> Failed to start Authorization Manager
> Dependency failed for Dynamic System tuning daemon
>
> My setup is:
> All systems CentOS 7.3(1611)
> oVirt 4.1
> IPA server 4.4
> IPA client 4.4
>
> If I use an old VM with CentOS 7.2(1511) and ipa-client 4.2 there are no problems and SSO is working, so oVirt and IPA seem to be configured correctly.
>
> My findings so far:
> - CentOS 7.3 does not include ypbind. If I install it manually it sometimes boots (but takes a long time), but the other times it stops at the same point as mentioned before. This could imply some kind of race condition during boot.

Please note that the --enablenis switch has (confusingly) not much to do with NIS. It 'just' configures the PAM stack so that the options are a bit different and the password is passed through to pam_sss.
What you are really hitting is https://bugzilla.redhat.com/show_bug.cgi?id=1327085
which will be fixed in 7.4.
But I'm not sure why the workaround wouldn't work. Installing ypbind is definitely not the right thing to do and it's actually what causes the issues during boot. The problem is really in the PAM stack.
If you don't install ypbind, but run the workaround, is there anything in /var/log/secure coming from gdm-ovirtcred?

> - I tried different versions of ipa-client (ipa-client-4.4.0-12.el7.centos.x86_64 up to ipa-client-4.4.0-14.el7.centos.7.x86_64); none worked. Older versions I could not find anymore.
>
> Can anyone confirm my findings or point me in some direction?
>
> Kind regards,
> Paul
>
> [1]https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/htm...
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

Hi Jakub,

Thanks for clearing this up and pointing out ypbind is the wrong direction. What do you mean by 'the workaround'? Do you mean use of 'authconfig --enablenis --update'? The combination of CentOS 7.3 with ipa-client 4.4 and that workaround results in a hanging boot with the following errors and no login:
Failed to start RealtimeKit for Policy Services
Failed to start Authorization Manager
Dependency failed for Dynamic System tuning daemon
Failed to start Login Service
Failed to start GNOME display Manager
Starting terminate Plymouth boot screen

SSH works (but very slow login after 20 minutes) with the following content of /var/log/secure:

May 31 22:25:26 ad02 userhelper[15096]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:25:26 ad02 userhelper[15096]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
May 31 22:30:54 ad02 userhelper[688]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:31:54 ad02 userhelper[688]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
May 31 22:34:03 ad02 userhelper[695]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:35:04 ad02 userhelper[695]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
May 31 22:35:54 ad02 userhelper[707]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:36:54 ad02 userhelper[707]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
May 31 22:37:04 ad02 userhelper[708]: pam_succeed_if(diskmapper:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:38:04 ad02 userhelper[708]: running '/usr/share/ovirt-guest-agent/diskmapper.script' with root privileges on behalf of 'ovirtagent'
May 31 22:42:03 ad02 userhelper[722]: pam_succeed_if(ovirt-locksession:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:42:54 ad02 userhelper[730]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:43:03 ad02 userhelper[722]: running '/usr/share/ovirt-guest-agent/LockActiveSession.py' with root privileges on behalf of 'ovirtagent'
May 31 22:43:51 ad02 userhelper[730]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
May 31 22:44:51 ad02 userhelper[841]: pam_succeed_if(diskmapper:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:44:51 ad02 userhelper[841]: running '/usr/share/ovirt-guest-agent/diskmapper.script' with root privileges on behalf of 'ovirtagent'
May 31 22:45:51 ad02 userhelper[905]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:45:51 ad02 userhelper[905]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
May 31 22:47:51 ad02 userhelper[1138]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:47:51 ad02 userhelper[1138]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
May 31 22:48:22 ad02 sshd[1148]: Server listening on 0.0.0.0 port 22.
May 31 22:48:22 ad02 sshd[1148]: Server listening on :: port 22.
May 31 22:49:52 ad02 userhelper[2369]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:49:52 ad02 userhelper[2369]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
May 31 22:49:52 ad02 userhelper[2370]: pam_succeed_if(diskmapper:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:49:52 ad02 userhelper[2370]: running '/usr/share/ovirt-guest-agent/diskmapper.script' with root privileges on behalf of 'ovirtagent'
May 31 22:50:42 ad02 sshd[2392]: Accepted keyboard-interactive/pam for root from 10.0.2.65 port 34866 ssh2
May 31 22:51:08 ad02 sshd[2392]: pam_systemd(sshd:session): Failed to create session: Activation of org.freedesktop.login1 timed out
May 31 22:51:08 ad02 sshd[2392]: pam_unix(sshd:session): session opened for user root by (uid=0)

Hope this helps a bit, looking forward to your reply.

Regards,
Paul

I also tried a new VM with clean CentOS 7.2(1511) without any updates and ipa-client 4.4 plus 'authconfig --enablenis --update'. This also results in a hanging boot, making ipa-client 4.4 my primary suspect. Unfortunately I cannot install any previous versions of ipa-client via yum (version 4.2 worked fine for me). I did find an ipa-client 4.2 rpm but it fails on all kinds of dependencies that are also not available anymore.

On Wed, May 31, 2017 at 08:56:44PM -0000, paul--- via FreeIPA-users wrote:
> Hi Jakub,
>
> Thanks for clearing this up and pointing out ypbind is the wrong direction. What do you mean by 'the workaround'? Do you mean use of 'authconfig --enablenis --update'? The combination of CentOS 7.3 with ipa-client 4.4 and that workaround results in a hanging boot with the following errors and no login:
> Failed to start RealtimeKit for Policy Services
> Failed to start Authorization Manager
> Dependency failed for Dynamic System tuning daemon
> Failed to start Login Service
> Failed to start GNOME display Manager
> Starting terminate Plymouth boot screen

I admit I'm getting a bit out of my depth, because I've actually never tried this myself, only debugged on IRC with the engineer who hit the issue first with RHEV-M. But these messages make it look like dbus or logind failed to start for some reason. I wouldn't expect the --enablenis --update to make a difference there -- does it also change nsswitch.conf in any way? Are there any interesting logs in /var/log/messages?
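
The /var/log/secure excerpt in this thread can be checked mechanically for the two symptoms discussed: userhelper invocations that stall between PAM authentication and execution, and pam_systemd failing to reach logind. The following is an added example, not part of the original messages; the function names and the 10-second threshold are assumptions, and the sample lines are copied from the excerpt above.

```python
import re
from datetime import datetime

# Lines copied from the /var/log/secure excerpt quoted in this thread.
SAMPLE = """\
May 31 22:30:54 ad02 userhelper[688]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:31:54 ad02 userhelper[688]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
May 31 22:44:51 ad02 userhelper[841]: pam_succeed_if(diskmapper:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
May 31 22:44:51 ad02 userhelper[841]: running '/usr/share/ovirt-guest-agent/diskmapper.script' with root privileges on behalf of 'ovirtagent'
May 31 22:50:42 ad02 sshd[2392]: Accepted keyboard-interactive/pam for root from 10.0.2.65 port 34866 ssh2
May 31 22:51:08 ad02 sshd[2392]: pam_systemd(sshd:session): Failed to create session: Activation of org.freedesktop.login1 timed out
""".splitlines()

ENTRY = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w-]+)\[(\d+)\]: (.*)$")
AUTH_OK = re.compile(r"pam_succeed_if\(([^:]+):auth\)")

def records(lines):
    """Yield (timestamp, program, pid, message) for each syslog-style line."""
    for line in lines:
        m = ENTRY.match(line)
        if m:
            ts, prog, pid, msg = m.groups()
            # syslog timestamps carry no year; deltas inside one log day stay valid
            yield datetime.strptime(ts, "%b %d %H:%M:%S"), prog, int(pid), msg

def userhelper_stalls(lines, threshold=10):
    """Return (pid, pam_service, seconds) where auth-to-exec took >= threshold."""
    authed, stalls = {}, []
    for ts, prog, pid, msg in records(lines):
        if prog != "userhelper":
            continue
        m = AUTH_OK.match(msg)
        if m:
            authed[pid] = (ts, m.group(1))      # auth phase finished for this PID
        elif msg.startswith("running ") and pid in authed:
            start, service = authed.pop(pid)    # helper finally executed
            gap = int((ts - start).total_seconds())
            if gap >= threshold:
                stalls.append((pid, service, gap))
    return stalls

def logind_failures(lines):
    """Return (program, pid, error) for pam_systemd session-creation failures."""
    return [(prog, pid, msg.split(": ", 1)[1])
            for _, prog, pid, msg in records(lines)
            if msg.startswith("pam_systemd(") and "Failed to create session" in msg]
```

On a guest, pass the real log with `open("/var/log/secure").read().splitlines()` instead of `SAMPLE`.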
Hi Jakub,

When I install a VM with CentOS 7.3 and only install ipa-client 4.4 (without --enablenis) it boots without any problem. So somewhere the workaround makes something different. When I look at /var/log/messages the first error/time-out looks like:

Jun 1 13:01:49 ad02 systemd: Reached target Basic System.
Jun 1 13:01:49 ad02 systemd: Starting Basic System.
Jun 1 13:01:49 ad02 systemd: Starting Dump dmesg to /var/log/dmesg...
Jun 1 13:01:49 ad02 systemd: Started D-Bus System Message Bus.
Jun 1 13:01:50 ad02 lvm: 2 logical volume(s) in volume group "cl" now active
Jun 1 13:02:14 ad02 systemd: Failed to register match for Disconnected message: Connection timed out
Jun 1 13:02:39 ad02 systemd: Failed to register match for Disconnected message: Connection timed out
Jun 1 13:02:39 ad02 systemd: Starting D-Bus System Message Bus...
Jun 1 13:02:39 ad02 systemd: Starting GSSAPI Proxy Daemon...

I already reported [1] that SSO to the VM does not work with CentOS 7.3 and IPA. Some PAM stack suggestions were already mentioned, but did not work either.

Regards,
Paul