cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

Server disconnects when using AD and default_domain_suffix in SSSD #21096

Open Jan-Bulthuis opened 4 days ago

Jan-Bulthuis commented 4 days ago

Explain what happens

I have set up a Fedora server VM to join AD in order to manage authentication and authorization using SSSD. As a small QoL improvement it would be nice to set the default domain suffix in SSSD; however, this causes connections made to the WebUI with the domain excluded to close after requesting administrative access.

Problem can be reproduced as follows:

  1. Create a Fedora 40 virtual machine
  2. Join an active directory domain using realm join
  3. Edit /etc/sssd/sssd.conf to add the line default_domain_suffix = domain.example
  4. Log in on the cockpit web interface with an active directory user without the domain suffix (user instead of user@domain.example)
  5. Cockpit logs me in correctly
  6. Refreshing the page or attempting to turn on administrative access causes the connection to be disconnected and the user to be logged out. The page shows "Disconnected Server has closed the connection.".

When logging in while including the domain, everything works perfectly.

The first difference in the logs indicative of a problem seems to be the line "cockpit-session[1224]: pam_systemd(cockpit:session): Failed to get user record: No such process", followed afterwards by the Python exception thrown by cockpit-bridge.

Due to the issue only occurring when the default domain suffix is implicitly used, I do not believe that the issue is caused by anything specific to Active Directory. Although I have little experience with alternatives such as FreeIPA, I would be willing to set up a FreeIPA server to test if the issue persists, if that seems worthwhile in debugging the issue.

Version of Cockpit

~314~ 323 (problem persists after updating)

Where is the problem in Cockpit?

Accounts

Server operating system

Fedora

Server operating system version

40

What browsers are you using?

Firefox, Chrome

System log

Oct 08 15:14:54 server.domain.example systemd[1093]: Created slice background.slice - User Background Tasks Slice.
Oct 08 15:14:54 server.domain.example systemd[1093]: Starting systemd-tmpfiles-clean.service - Cleanup of User's Temporary Files and Directories...
Oct 08 15:14:54 server.domain.example systemd[1093]: Finished systemd-tmpfiles-clean.service - Cleanup of User's Temporary Files and Directories.
Oct 08 15:15:18 server.domain.example systemd[1]: Starting cockpit-wsinstance-http.socket - Socket for Cockpit Web Service http instance...
Oct 08 15:15:18 server.domain.example systemd[1]: Starting cockpit-wsinstance-https-factory.socket - Socket for Cockpit Web Service https instance factory...
Oct 08 15:15:18 server.domain.example systemd[1]: Listening on cockpit-wsinstance-http.socket - Socket for Cockpit Web Service http instance.
Oct 08 15:15:18 server.domain.example systemd[1]: Listening on cockpit-wsinstance-https-factory.socket - Socket for Cockpit Web Service https instance factory.
Oct 08 15:15:18 server.domain.example audit: BPF prog-id=74 op=LOAD
Oct 08 15:15:18 server.domain.example systemd[1]: Starting cockpit.service - Cockpit Web Service...
Oct 08 15:15:18 server.domain.example systemd[1]: Started cockpit.service - Cockpit Web Service.
Oct 08 15:15:18 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:18 server.domain.example systemd[1]: Created slice system-cockpit\x2dwsinstance\x2dhttps\x2dfactory.slice - Slice /system/cockpit-wsinstance-https-factory.
Oct 08 15:15:18 server.domain.example systemd[1]: Started cockpit-wsinstance-https-factory@0-1211-992.service - Cockpit Web Service https instance factory (PID 1211/UID 992).
Oct 08 15:15:18 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit-wsinstance-https-factory@0-1211-992 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:18 server.domain.example systemd[1]: Created slice system-cockpit\x2dwsinstance\x2dhttps.slice - Slice /system/cockpit-wsinstance-https.
Oct 08 15:15:18 server.domain.example systemd[1]: Created slice system-cockpithttps.slice - Resource limits for all cockpit-ws-https@.service instances.
Oct 08 15:15:18 server.domain.example systemd[1]: Starting cockpit-wsinstance-https@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.socket - Socket for Cockpit Web Service https instance e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855...
Oct 08 15:15:18 server.domain.example systemd[1]: Listening on cockpit-wsinstance-https@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.socket - Socket for Cockpit Web Service https instance e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Oct 08 15:15:18 server.domain.example systemd[1]: Started cockpit-wsinstance-https@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.service - Cockpit Web Service https instance e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Oct 08 15:15:18 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit-wsinstance-https@e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:18 server.domain.example systemd[1]: cockpit-wsinstance-https-factory@0-1211-992.service: Deactivated successfully.
Oct 08 15:15:18 server.domain.example audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=cockpit-wsinstance-https-factory@0-1211-992 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:22 server.domain.example krb5_child[1225]: Pre-authentication failed: Invalid argument
Oct 08 15:15:22 server.domain.example rsyslogd[869]: imjournal: journal files changed, reloading...  [v8.2312.0-1.fc40 try https://www.rsyslog.com/e/0 ]
Oct 08 15:15:22 server.domain.example krb5_child[1226]: Pre-authentication failed: Invalid argument
Oct 08 15:15:22 server.domain.example systemd[1]: Starting sssd-kcm.service - SSSD Kerberos Cache Manager...
Oct 08 15:15:22 server.domain.example systemd[1]: Started sssd-kcm.service - SSSD Kerberos Cache Manager.
Oct 08 15:15:22 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:22 server.domain.example sssd_kcm[1230]: Starting up
Oct 08 15:15:22 server.domain.example cockpit-session[1224]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:192.168.41.152 user=admin
Oct 08 15:15:22 server.domain.example audit[1224]: USER_AUTH pid=1224 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:authentication grantors=pam_usertype,pam_usertype,pam_sss acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:192.168.41.152 addr=::ffff:192.168.41.152 terminal=? res=success'
Oct 08 15:15:22 server.domain.example audit[1224]: USER_ACCT pid=1224 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:accounting grantors=pam_listfile,pam_unix,pam_sss,pam_permit acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:192.168.41.152 addr=::ffff:192.168.41.152 terminal=? res=success'
Oct 08 15:15:22 server.domain.example audit[1224]: CRED_ACQ pid=1224 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:192.168.41.152 addr=::ffff:192.168.41.152 terminal=? res=success'
Oct 08 15:15:22 server.domain.example audit[1224]: USER_ROLE_CHANGE pid=1224 uid=0 auid=1179001106 ses=3 subj=system_u:system_r:cockpit_session_t:s0 msg='op=pam_selinux default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/libexec/cockpit-session" hostname=::ffff:192.168.41.152 addr=::ffff:192.168.41.152 terminal=? res=success'
Oct 08 15:15:22 server.domain.example cockpit-session[1224]: pam_ssh_add: Failed adding some keys
Oct 08 15:15:22 server.domain.example cockpit-session[1224]: pam_systemd(cockpit:session): Failed to get user record: No such process
Oct 08 15:15:22 server.domain.example cockpit-session[1224]: pam_unix(cockpit:session): session opened for user admin(uid=1179001106) by admin@domain.example(uid=0)
Oct 08 15:15:22 server.domain.example audit[1224]: USER_START pid=1224 uid=0 auid=1179001106 ses=3 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_ssh_add,pam_keyinit,pam_limits,pam_unix,pam_sss,pam_umask,pam_lastlog acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:192.168.41.152 addr=::ffff:192.168.41.152 terminal=? res=success'
Oct 08 15:15:22 server.domain.example audit[1224]: CRED_REFR pid=1224 uid=0 auid=1179001106 ses=3 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:192.168.41.152 addr=::ffff:192.168.41.152 terminal=? res=success'
Oct 08 15:15:22 server.domain.example sssd_nss[911]: Enumeration requested but not enabled
Oct 08 15:15:23 server.domain.example audit: BPF prog-id=75 op=LOAD
Oct 08 15:15:23 server.domain.example audit: BPF prog-id=76 op=LOAD
Oct 08 15:15:23 server.domain.example audit: BPF prog-id=77 op=LOAD
Oct 08 15:15:23 server.domain.example systemd[1]: Starting systemd-hostnamed.service - Hostname Service...
Oct 08 15:15:23 server.domain.example systemd[1]: Started systemd-hostnamed.service - Hostname Service.
Oct 08 15:15:23 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:24 server.domain.example audit: BPF prog-id=78 op=LOAD
Oct 08 15:15:24 server.domain.example audit: BPF prog-id=79 op=LOAD
Oct 08 15:15:24 server.domain.example audit: BPF prog-id=80 op=LOAD
Oct 08 15:15:24 server.domain.example systemd[1]: Starting systemd-timedated.service - Time & Date Service...
Oct 08 15:15:24 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:24 server.domain.example systemd[1]: Started systemd-timedated.service - Time & Date Service.
Oct 08 15:15:24 server.domain.example systemd[1]: Starting packagekit.service - PackageKit Daemon...
Oct 08 15:15:24 server.domain.example PackageKit[1260]: daemon start
Oct 08 15:15:24 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=packagekit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:24 server.domain.example systemd[1]: Started packagekit.service - PackageKit Daemon.
Oct 08 15:15:24 server.domain.example systemd[1]: Starting realmd.service - Realm and Domain Configuration...
Oct 08 15:15:24 server.domain.example realmd[1265]: Loaded settings from: /usr/lib/realmd/realmd-defaults.conf /usr/lib/realmd/realmd-distro.conf
Oct 08 15:15:24 server.domain.example realmd[1265]: holding daemon: startup
Oct 08 15:15:24 server.domain.example realmd[1265]: starting service
Oct 08 15:15:24 server.domain.example realmd[1265]: GLib-GIO: Using cross-namespace EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)
Oct 08 15:15:24 server.domain.example realmd[1265]: connected to bus
Oct 08 15:15:24 server.domain.example realmd[1265]: GLib-GIO: _g_io_module_get_default: Found default implementation local (GLocalVfs) for ‘gio-vfs’
Oct 08 15:15:24 server.domain.example realmd[1265]: released daemon: startup
Oct 08 15:15:24 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=realmd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:24 server.domain.example systemd[1]: Started realmd.service - Realm and Domain Configuration.
Oct 08 15:15:24 server.domain.example realmd[1265]: claimed name on bus: org.freedesktop.realmd
Oct 08 15:15:24 server.domain.example realmd[1265]: client using service: :1.40
Oct 08 15:15:24 server.domain.example realmd[1265]: holding daemon: :1.40
Oct 08 15:15:25 server.domain.example PackageKit[1260]: resolve transaction /164_abaeddcd from uid 1179001106 finished with success after 364ms
Oct 08 15:15:25 server.domain.example PackageKit[1260]: get-updates transaction /165_ecbbebcd from uid 1179001106 finished with success after 637ms
Oct 08 15:15:26 server.domain.example PackageKit[1260]: get-update-detail transaction /167_bcbbaaba from uid 1179001106 finished with success after 230ms
Oct 08 15:15:27 server.domain.example /usr/bin/cockpit-bridge[1237]: Exception in callback _Transport._read_ready()
                                                                       handle: <Handle _Transport._read_ready()>
                                                                       Traceback (most recent call last):
                                                                         File "/usr/lib64/python3.12/asyncio/events.py", line 88, in _run
                                                                           self._context.run(self._callback, *self._args)
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/transports.py", line 110, in _read_ready
                                                                           self._protocol.data_received(data)
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/protocol.py", line 184, in data_received
                                                                           result = self.consume_one_frame(self.buffer)
                                                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/protocol.py", line 134, in consume_one_frame
                                                                           self.frame_received(data[start:end])
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/protocol.py", line 88, in frame_received
                                                                           self.control_received(data)
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/protocol.py", line 98, in control_received
                                                                           self.channel_control_received(channel, command, message)
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/router.py", line 219, in channel_control_received
                                                                           endpoint.do_channel_control(channel, command, message)
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/channel.py", line 141, in do_channel_control
                                                                           self.do_control(command, message)
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/channel.py", line 119, in do_control
                                                                           self.do_open(message)
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/channels/dbus.py", line 248, in do_open
                                                                           self.bus.attach_event(None, 0)
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/_vendor/systemd_ctypes/librarywrapper.py", line 194, in <lambda>
                                                                           setattr(cls, name, lambda *args: func(*args))
                                                                                                            ^^^^^^^^^^^
                                                                         File "/usr/lib/python3.12/site-packages/cockpit/_vendor/systemd_ctypes/librarywrapper.py", line 73, in errcheck
                                                                           raise OSError(-result, f"{func.__name__}: {os.strerror(-result)}")
                                                                       OSError: [Errno 22] sd_bus_attach_event: Invalid argument
Oct 08 15:15:27 server.domain.example python3[1237]: detected unhandled Python exception in '/usr/bin/cockpit-bridge'
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]: Traceback (most recent call last):
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/bin/cockpit-bridge", line 8, in <module>
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     sys.exit(main())
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:              ^^^^^^
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib/python3.12/site-packages/cockpit/bridge.py", line 311, in main
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     run_async(run(args), debug=args.debug)
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib/python3.12/site-packages/cockpit/_vendor/systemd_ctypes/event.py", line 135, in run_async
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     asyncio.run(main, debug=debug)
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib64/python3.12/asyncio/runners.py", line 194, in run
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     return runner.run(main)
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:            ^^^^^^^^^^^^^^^^
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib64/python3.12/asyncio/runners.py", line 118, in run
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     return self._loop.run_until_complete(task)
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib64/python3.12/asyncio/base_events.py", line 685, in run_until_complete
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     return future.result()
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:            ^^^^^^^^^^^^^^^
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib/python3.12/site-packages/cockpit/bridge.py", line 178, in run
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     await router.communicate()
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib/python3.12/site-packages/cockpit/router.py", line 258, in communicate
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     await self._communication_done
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib/python3.12/site-packages/cockpit/protocol.py", line 184, in data_received
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     result = self.consume_one_frame(self.buffer)
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib/python3.12/site-packages/cockpit/protocol.py", line 134, in consume_one_frame
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     self.frame_received(data[start:end])
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib/python3.12/site-packages/cockpit/protocol.py", line 88, in frame_received
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     self.control_received(data)
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib/python3.12/site-packages/cockpit/protocol.py", line 98, in control_received
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     self.channel_control_received(channel, command, message)
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:   File "/usr/lib/python3.12/site-packages/cockpit/router.py", line 200, in channel_control_received
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]:     raise CockpitProtocolError('channel is already open')
Oct 08 15:15:27 server.domain.example cockpit-ws[1237]: cockpit.protocol.CockpitProtocolError: channel is already open
Oct 08 15:15:27 server.domain.example audit[1280]: AVC avc:  denied  { nnp_transition } for  pid=1280 comm="abrt-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_handle_event_t:s0-s0:c0.c1023 tclass=process2 permissive=0
Oct 08 15:15:27 server.domain.example audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 newcontext=system_u:system_r:abrt_handle_event_t:s0-s0:c0.c1023
Oct 08 15:15:27 server.domain.example realmd[1265]: client gone away: :1.40
Oct 08 15:15:27 server.domain.example realmd[1265]: released daemon: :1.40
Oct 08 15:15:27 server.domain.example audit[1224]: CRED_DISP pid=1224 uid=0 auid=1179001106 ses=3 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:192.168.41.152 addr=::ffff:192.168.41.152 terminal=? res=success'
Oct 08 15:15:27 server.domain.example cockpit-session[1224]: pam_unix(cockpit:session): session closed for user admin
Oct 08 15:15:27 server.domain.example audit[1224]: USER_END pid=1224 uid=0 auid=1179001106 ses=3 subj=system_u:system_r:cockpit_session_t:s0 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_ssh_add,pam_keyinit,pam_limits,pam_unix,pam_sss,pam_umask,pam_lastlog acct="admin" exe="/usr/libexec/cockpit-session" hostname=::ffff:192.168.41.152 addr=::ffff:192.168.41.152 terminal=? res=success'
Oct 08 15:15:27 server.domain.example abrt-server[1279]: Deleting problem directory Python3-2024-10-08-15:15:27-1237 (dup of Python3-2024-10-06-22:31:51-1946)
Oct 08 15:15:27 server.domain.example audit[1282]: AVC avc:  denied  { nnp_transition } for  pid=1282 comm="abrt-server" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_handle_event_t:s0-s0:c0.c1023 tclass=process2 permissive=0
Oct 08 15:15:27 server.domain.example audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 newcontext=system_u:system_r:abrt_handle_event_t:s0-s0:c0.c1023
Oct 08 15:15:27 server.domain.example systemd[1]: Created slice system-dbus\x2d:1.3\x2dorg.freedesktop.problems.slice - Slice /system/dbus-:1.3-org.freedesktop.problems.
Oct 08 15:15:27 server.domain.example systemd[1]: Started dbus-:1.3-org.freedesktop.problems@0.service.
Oct 08 15:15:27 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.freedesktop.problems@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:27 server.domain.example abrt-notification[1291]: Process 1946 (cockpit-bridge) of user 1179001106 encountered an uncaught cockpit.protocol.CockpitProtocolError exception
Oct 08 15:15:29 server.domain.example systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Oct 08 15:15:29 server.domain.example systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Oct 08 15:15:29 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:30 server.domain.example audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:30 server.domain.example systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1.service.
Oct 08 15:15:30 server.domain.example setroubleshoot[1295]: SELinux is preventing abrt-server from using the nnp_transition access on a process. For complete SELinux messages run: sealert -l 6b89c26b-0663-4874-b2e4-b328187d4cb8
Oct 08 15:15:30 server.domain.example setroubleshoot[1295]: SELinux is preventing abrt-server from using the nnp_transition access on a process.

                                                              *****  Plugin catchall (100. confidence) suggests   **************************

                                                              If you believe that abrt-server should be allowed nnp_transition access on processes labeled abrt_handle_event_t by default.
                                                              Then you should report this as a bug.
                                                              You can generate a local policy module to allow this access.
                                                              Do
                                                              allow this access for now by executing:
                                                              # ausearch -c 'abrt-server' --raw | audit2allow -M my-abrtserver
                                                              # semodule -X 300 -i my-abrtserver.pp

Oct 08 15:15:30 server.domain.example setroubleshoot[1295]: SELinux is preventing abrt-server from using the nnp_transition access on a process. For complete SELinux messages run: sealert -l 6b89c26b-0663-4874-b2e4-b328187d4cb8
Oct 08 15:15:30 server.domain.example setroubleshoot[1295]: SELinux is preventing abrt-server from using the nnp_transition access on a process.

                                                              *****  Plugin catchall (100. confidence) suggests   **************************

                                                              If you believe that abrt-server should be allowed nnp_transition access on processes labeled abrt_handle_event_t by default.
                                                              Then you should report this as a bug.
                                                              You can generate a local policy module to allow this access.
                                                              Do
                                                              allow this access for now by executing:
                                                              # ausearch -c 'abrt-server' --raw | audit2allow -M my-abrtserver
                                                              # semodule -X 300 -i my-abrtserver.pp

Oct 08 15:15:40 server.domain.example audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 08 15:15:40 server.domain.example systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1.service: Deactivated successfully.
Oct 08 15:15:40 server.domain.example systemd[1]: setroubleshootd.service: Deactivated successfully.
Oct 08 15:15:40 server.domain.example audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Jan-Bulthuis commented 4 days ago

#14385 seems to have had a similar problem; however, based on the logs, the source of the problem seems to be different. The suggested solution in this issue also does not solve the problem.