All,
Is there a packaging problem on the latest version of RHEL8 sssd?
On several of our RHEL8 servers during the last update cycle, sssd logins
started failing. It appears to happen when upgrading to version
sssd-2.9.1-4.0.1.el8_9.x86_64.
Upon deep dive, it turns out the sssd-kcm RPM is missing.
The sssd-kcm service fails to start, complaining about missing symbols in
/usr/libexec/sssd_kcm file.
Sure enough, there is a problem with that file:
[root@mftplat1wplp105 ~]# rpm -qf /usr/libexec/sssd/sssd_kcm
file /usr/libexec/sssd/sssd_kcm is not owned by any package
Once the sssd-kcm RPM is installed, then this looks normal:
[root@mftplat1wplp105 ~]# rpm -qf /usr/libexec/sssd/sssd_kcm
sssd-kcm-2.9.1-4.0.1.el8_9.x86_64
Then the sssd-kcm service will restart fine, and then sssd logins work
fine again.
Also, it appears that a yum downgrade of sssd seems to work too --
presumably because this downgrade also triggers an install of sssd-kcm RPM.
I see that the sssd RPM has no direct explicit RPM dependency on sssd-kcm.
But is there some indirect or implied dependency that was missed on this
latest packaging for sssd-2.9.1-4.0.1.el8_9.x86_64?
We've run sssd for years and never had significant sssd-kcm problems until
last month.
BTW, another clue that it was KCM is that 'kinit -k' fails with error:
# kinit -k
Cannot update default cache
But if you tell it to store creds under /tmp, it works:
# export KRB5CCNAME="FILE:/tmp/krb5cc_0"
# kinit -k
Spike