I'm not familiar with those tests, but clicking around:

(2024-12-10 11:35:37): [be[test.openqa.fedoraproject.org]] [selinux_child_done] (0x0020): [RID#8] Error in selinux_child: [1][Operation not permitted]

at least some of those tests are due to https://github.com/fedora-selinux/selinux-policy/issues/2455

Some looks like infra failure?

(12:36:28): [be_resolve_server_process] (0x0200): Found address for server ipa001.test.openqa.fedoraproject.org: [172.16.2.100] TTL 1109
(12:36:28): [sssd_async_socket_init_send] (0x4000): Using file descriptor [22] for the connection.
(12:36:28): [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout [ldap_network_timeout] for connecting
(12:36:34): [sssd_async_connect_timeout] (0x0100): The connection timed out [ldap_network_timeout]
(12:36:34): [sssd_async_socket_init_done] (0x0040): sdap_async_sys_connect request failed: [110]: Connection timed out [ldap_network_timeout].

Works (not giving +1 because of test failures).

I'm not sure whether I'm imagining things here, but it seems that downgrading to previous version of sssd breaks things. Apparently, something about permissions of the ini file not being right. This causes sssd and its minions like kcm to fail when starting, which then promptly breaks user DB (in my case LDAP/krb5).

Stuff like this on downgrade:

Dec 11 16:09:55 systemd[1]: Starting sssd.service - System Security Services Daemon...
Dec 11 16:09:56 sssd[906]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
Dec 11 16:09:56 sssd[906]: Can't read config: 'File ownership and permissions check failed'
Dec 11 16:09:56 systemd[1]: sssd.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Dec 11 16:09:56 systemd[1]: sssd.service: Failed with result 'exit-code'.
Dec 11 16:09:56 systemd[1]: Failed to start sssd.service - System Security Services Daemon.

The openQA test is not designed to do any kind of downgrade (and only would if the package versions were incorrect somehow). See https://bodhi.fedoraproject.org/updates/FEDORA-2024-61dea2e6ce#comment-3863847 for what I found, looking around the logs in the failure on the Rawhide update.

@atikhonov there is no "infra" to speak of here, ipa001.test.openqa.fedoraproject.org is not really part of fedora infra, it is just another job in the openQA cluster. if communication to it weren't working, the test would've failed earlier in different ways, most likely (enrolling the client would not have worked at all).

Thanks @adamwill. The downgrade was something I did locally (by accident, to be honest). Maybe the config file had 0600 before and is now 0640, which upsets the previous version.

in upgrade_realmd_client I can see time desync between the client and the server:

   *  (2024-12-10 13:06:32): [krb5_child[2211]] [check_fast_ccache] (0x0200): [RID#58] FAST TGT is still valid.
...
   *  (2024-12-10 13:06:32): [krb5_child[2211]] [tgt_req_child] (0x1000): [RID#58] Attempting to get a TGT
   *  (2024-12-10 13:06:32): [krb5_child[2211]] [get_and_save_tgt] (0x0400): [RID#58] Attempting kinit for realm [TEST.OPENQA.FEDORAPROJECT.ORG]
   *  (2024-12-10 13:06:32): [krb5_child[2211]] [get_and_save_tgt] (0x0020): [RID#58] 2352: [-1765328351][Error constructing AP-REQ armor: Ticket not yet valid]

Maybe the config file had 0600 before and is now 0640, which upsets the previous version.

Right: https://github.com/SSSD/sssd/commit/8472777ec472607ea450ddb4c4666017bd0de704

Wrt failing 'rpminspect': https://github.com/rpminspect/rpminspect-data-fedora/pull/61

https://github.com/fedora-selinux/selinux-policy/pull/2469 was merged upstream and should be included in Fedora soon.

ok

This update has been unpushed.

I'm unpushing the changes. Once SELinux policy is fixed we'll try again. Thank you everybody for the feedback.

@pbrezina, you may want to include a scriptlet that reverts ini file permissions to 0600 on downgrade below 2.10.1 to avoid breaking existing machines.

@pbrezina, looks like SELinux policy update has been queued. Didn't check whether it includes a fix for sssd.

looks like SELinux policy update has been queued. Didn't check whether it includes a fix for sssd.

It does contain fix for SSSD. We'll re-push the build once selinux policy update in the compose.

Hi @bojan,

Thank you for the heads-up. Once the SELinux policy update is stabilized I'll take care of pushing back this build for testing.

I still think that this package should revert permissions of sssd.conf to 0600 on downgrade to a version below itself. Without that, it can break authentication for anyone rolling back a set of updates. Think about doing something like that at scale. It could render a whole fleet of machines inaccessible.

Works great! LGTM! =)