All,

Is there a packaging problem on the latest version of RHEL8 sssd?

On several of our RHEL8 servers during the last update cycle, sssd logins start failing.  It appears to be when upgrading to version sssd-2.9.1-4.0.1.el8_9.x86_64.

Upon deep dive, it turns out the sssd-kcm RPM is missing.    

The sssd-kcm service fails to start, complaining about missing symbols in /usr/libexec/sssd_kcm file.

Sure enough, there is a problem with that file:

[root@mftplat1wplp105 ~]# rpm -qf /usr/libexec/sssd/sssd_kcm

file /usr/libexec/sssd/sssd_kcm is not owned by any package

Once the sssd-kcm RPM is installed,  then this looks normal:

[root@mftplat1wplp105 ~]# rpm -qf /usr/libexec/sssd/sssd_kcm

sssd-kcm-2.9.1-4.0.1.el8_9.x86_64

Then sssd-kcm service will restart fine.  and then sssd logins again work fine.

Also, it appears that a yum downgrade of sssd seems to work too -- presumably because this downgrade also triggers an install of sssd-kcm RPM.

I see that the sssd RPM has no direct explicit RPM dependency on sssd-kcm.  But is there some indirect or implied dependency that was missed on this latest packaging for sssd-2.9.1-4.0.1.el8_9.x86_64?

We've run sssd for years and never had significant sssd-kcm problems until last month.

BTW, another clue that it was KCM is that 'kinit -k' fails with error:

# knit -k

Cannot update default cache

But if you tell it to store creds under /tmp, it works:

# export KRB5CCNAME="FILE:/tmp/krb5cc_0"

# kinit -k

Spike

--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue