On (14/02/17 18:28), Alexander Bokovoy wrote: >On ti, 14 helmi 2017, Nuno Higgs wrote: >> Hello, >> >> It worked perfecty. >> I am wondering why this just popped up now with this patch update. Almost >> none of our containers hosts (and by inherence the containers) have SELINUX >> enabled for they are primary for testing, and they are on a secure network. >> With this version of ipa-client, the host has to have SE enabled for the >> container to inherit the definitions and policies of it? >As I said, this was an update in SELinux-related libraries and change of >behavior there, not in SSSD. It is reproducible in other environments as >well, see, f.e. https://bugzilla.redhat.com/show_bug.cgi?id=1415167 > Sorry you are wrong. This is a different bug. https://bugzilla.redhat.com/show_bug.cgi?id=1412717 which is unfortunatelly private.
Here is an upstream ticket https://fedorahosted.org/sssd/ticket/3308 The interesting is that some user reported that downgrade of ipa python packages fixed the bug as well. 12:23 < lfisher> lslebodn: well the problematic users seem to be ones that haven't been on the host before 12:23 < lfisher> I also noticed if I updated the package, so I did an ipa downgrade on the host (or version change) it started working temporarily 12:24 < lslebodn> which package? 12:25 < lslebodn> sssd? 12:25 < lslebodn> libsemanage? 12:27 < lfisher> well, the ipa-client package and everything that it depends on, so it's like 7 packages 12:27 < lfisher> which may have libsemanage in it, let me check 12:27 < lslebodn> ipa-client is just an installator 12:28 < lslebodn> all important things are done by sssd 12:29 < lfisher> lslebodn: Give me a sec and I'll pull the package list out ... 12:34 < lfisher> ipa-client, ipa-client-common, ipa-common, python2-ipalib, python2-ipaclient 12:34 < lfisher> a downgrade of those solved the problem tempoarily 12:40 < lslebodn> that's weird 12:41 < lslebodn> they are not used by sssd 12:41 < lslebodn> and they should not affect sssd 12:45 < lfisher> lslebodn: yeah, it didn't really make sense, but since even a restart sometimes solves the problem, it just probably kicked something LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project