On 7 March 2018 21:08:05 CET, "DiOrio, Max" wrote:
>I have a slightly convoluted setup.  We use OpenNebula to deploy VMs,
>which has a customization piece.  The customization file used to run:
>kinit svc_sc_user@DOMAIN -k -t /tmp/svc_sc_user.keytab
>realm join --os-name='RedHat Enterprise Linux'
>Download and extract nsswitch.conf and sssd.conf to the appropriate
>Service sssd restart
>This has worked flawlessly for months.  Now we decided to implement
>SpaceWalk for better control over patching and config file management. 
>So I moved the domain join script over to a configuration channel, and
>now instead of running the join directly, OpenNebula customization
>pulls down and runs my Spacewalk bootstrap.
>I have my bootstrap script pulling down a managed configuration file
>which is a script to /usr/opt/bin/domainjoin  (root:root 755).  At the
>end of the bootstrap script, I run the script it downloaded.
>The script is quite simple.
>rhncfg-client get /tmp/svc_sc_user.keytab
>kinit svc_sc_user@DOMAIN -k -t /tmp/svc_sc_user.keytab
>realm join --os-name='RedHat Enterprise Linux'
>rm /tmp/svc_sc_user.keytab
>rhncfg-client get /etc/sssd/sssd.conf
>rhncfg-client get /etc/nsswitch.conf
>service sssd restart
>When running the script manually logged in as root, everything works
>When running through the OpenNebula customization and running
>bootstrap, it claims it joins the domain, but fails to create the
>/etc/krb5.keytab file, never actually joins the domain and sssd fails
>to start.
>I'm completely baffled by this.  How does the same essential script
>work fine from OpenNebula config, but not from the script downloaded
>via bootstrap?
>Max DiOrio
>Global Systems Administrator
>201 Fuller Road, Suite 202
>Albany, NY 12203-3621
>Phone: +518-238-6516 | Mobile: +518-944-5289

This sounds as if the script is not executed as root.

Also maybe selinux might be a problem, as the configuration jobs are called by 
"rhnsd" (or osad?) and there might be a "profile" for it?

Maybe you could test deployment with selinux set to disabled once?


sent from my mobile device
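
The two hypotheses in the reply above (not running as root, SELinux confinement of the process that launches the job) can be checked from inside the join script itself. The following is an added example, not part of the original thread; the function names are hypothetical, and the keytab path is the `/etc/krb5.keytab` named in the question.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread); function names are hypothetical.

# Record the context the script really runs in: effective UID, SELinux mode,
# the SELinux label child commands inherit, and the parent process that started it.
exec_context_report() {
    echo "euid=$(id -u) user=$(id -un 2>/dev/null || echo unknown)"
    if command -v getenforce >/dev/null 2>&1; then
        echo "selinux_mode=$(getenforce)"
    else
        echo "selinux_mode=unavailable"
    fi
    echo "selinux_label=$(id -Z 2>/dev/null || echo unavailable)"
    echo "parent=$(cat "/proc/$PPID/comm" 2>/dev/null || echo unknown)"
}

# List recent SELinux denials, if the audit tools are installed.
recent_avc_denials() {
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -ts recent 2>/dev/null || echo "no recent AVC denials"
    else
        echo "ausearch unavailable"
    fi
}

# Check the symptom described in the thread: after "realm join" the host keytab
# must exist and be non-empty. Returns non-zero so the bootstrap can stop loudly.
# $1: keytab path (defaults to /etc/krb5.keytab)
verify_host_keytab() {
    keytab=${1:-/etc/krb5.keytab}
    if [ ! -s "$keytab" ]; then
        echo "FAIL: $keytab missing or empty" >&2
        return 1
    fi
    echo "OK: $keytab present ($(wc -c < "$keytab") bytes)"
}

# Intended placement in the join script (shown as comments only):
#   exec_context_report >> /var/log/domainjoin-debug.log   # log path is an assumption
#   realm join ...
#   verify_host_keytab || { recent_avc_denials >> /var/log/domainjoin-debug.log; exit 1; }
exec_context_report
```

Comparing the report from a manual root login with the one written during the bootstrap run shows whether the UID, label or parent process differs between the two cases.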
