On (14/02/17 18:28), Alexander Bokovoy wrote:
>On ti, 14 helmi 2017, Nuno Higgs wrote:
>> Hello,
>> 
>> It worked perfecty.
>> I am wondering why this just popped up now with this patch update. Almost
>> none of our containers hosts (and by inherence the containers) have SELINUX
>> enabled for they are primary for testing, and they are on a secure network.
>> With this version of ipa-client, the host has to have SE enabled for the
>> container to inherit the definitions and policies of it?
>As I said, this was an update in SELinux-related libraries and change of
>behavior there, not in SSSD. It is reproducible in other environments as
>well, see, f.e. https://bugzilla.redhat.com/show_bug.cgi?id=1415167
>
Sorry you are wrong.
This is a different bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1412717
which is unfortunatelly private.

Here is an upstream ticket https://fedorahosted.org/sssd/ticket/3308

The interesting is that some user reported that downgrade of
ipa python packages fixed the bug as well.

12:23 < lfisher> lslebodn: well the problematic users seem to be ones that
haven't been on the host before
12:23 < lfisher> I also noticed if I updated the package, so I did an ipa
downgrade on the host (or version change) it started working temporarily
12:24 < lslebodn> which package?
12:25 < lslebodn> sssd?
12:25 < lslebodn> libsemanage?
12:27 < lfisher> well, the ipa-client package and everything that it depends
on, so it's like 7 packages
12:27 < lfisher> which may have libsemanage in it, let me check
12:27 < lslebodn> ipa-client is just an installator
12:28 < lslebodn> all important things are done by sssd
12:29 < lfisher> lslebodn: Give me a sec and I'll pull the package list out
...
12:34 < lfisher> ipa-client, ipa-client-common, ipa-common, python2-ipalib,
python2-ipaclient
12:34 < lfisher> a downgrade of those solved the problem tempoarily
12:40 < lslebodn> that's weird
12:41 < lslebodn> they are not used by sssd
12:41 < lslebodn> and they should not affect sssd
12:45 < lfisher> lslebodn: yeah, it didn't really make sense, but since
  even a restart sometimes solves
  the problem, it just probably kicked something

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to