Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-08-22 Thread Lachlan Musicman
On 18 July 2016 at 18:26, Jakub Hrozek  wrote:

> On Mon, Jul 18, 2016 at 09:33:35AM +1000, Lachlan Musicman wrote:
> > Ok, I've just spoken with my colleague that has been involved in the IPA
> > roll out, and he said he thought that override_space wasn't compatible
> with
> > ID overrides?
>
> I haven't tested that to be honest. But just using my knowledge of the
> code as a basis, I would say the two should be compatible, especially
> with 1.14.0 where we decoupled the output from how we store users. But
> again, I haven't tested any of this.
>
> >
> > Either way, since we have a working system we are reticent to make too
> many
> > changes - soon we will have a test system in place and I will be able to
> > check it then?
>
> selinux_provider=none should be an easy workaround if you don't use the
> SELinux labels. I still have an item on my todo list to test this
> locally, I think I will get to that this week.
>


For what it's worth, we implemented the override_space=_ option.

This has failed, of course, because we had a user with an _ in their
username, and sssd went looking for test user instead of test_user, which
caused all kinds of issues.

We have gone back to selinux_provider=none.

L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-18 Thread Jakub Hrozek
On Mon, Jul 18, 2016 at 09:33:35AM +1000, Lachlan Musicman wrote:
> Ok, I've just spoken with my colleague that has been involved in the IPA
> roll out, and he said he thought that override_space wasn't compatible with
> ID overrides?

I haven't tested that to be honest. But just using my knowledge of the
code as a basis, I would say the two should be compatible, especially
with 1.14.0 where we decoupled the output from how we store users. But
again, I haven't tested any of this.

> 
> Either way, since we have a working system we are reticent to make too many
> changes - soon we will have a test system in place and I will be able to
> check it then?

selinux_provider=none should be an easy workaround if you don't use the
SELinux labels. I still have an item on my todo list to test this
locally, I think I will get to that this week.



Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-17 Thread Lachlan Musicman
Ok, I've just spoken with my colleague that has been involved in the IPA
roll out, and he said he thought that override_space wasn't compatible with
ID overrides?

Either way, since we have a working system we are reticent to make too many
changes - soon we will have a test system in place and I will be able to
check it then?

Cheers
L.




On 15 July 2016 at 20:17, Lachlan Musicman  wrote:

> Won't be able to check until Monday morning (Australia's weekend has
> started) but can check, yes.
>
> And the reason I reported to you is because you will have more weight with
> selinux bug tickets than I would.
>
> cheers
> L.
>
>
> On 15 July 2016 at 18:05, Jakub Hrozek  wrote:
>
>> On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
>> > On (15/07/16 12:56), Lachlan Musicman wrote:
>> > >This line:
>> > >
>> > >We have SELinux disabled on all of our servers, but we hadn't disabled
>> this
>> > >check in sssd.conf. So we enabled it in sssd.conf and everything worked
>> > >fine.
>> > >
>> > >Should read that we *disabled* selinux.
>> > >
>> > >selinux_provider = none
>> > Could you also try another solution?
>> > put "override_space = _" into the "sssd" section in sssd.conf
>> > and restart sssd.
>> >
>> > As a result of this, the space will be replaced with an underscore
>> > and libsemanage should not complain.
>> >
>> > @see man sssd.conf -> override_space
>>
>> This is either a bug in semanage, we should file one and ask the
>> semanage developers if there is a proper way to quote the spaces.
>>
>> But yes, selinux_provider=none would disable this area of code.
>>
>>
>
>

Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-15 Thread Lachlan Musicman
Won't be able to check until Monday morning (Australia's weekend has
started) but can check, yes.

And the reason I reported to you is because you will have more weight with
selinux bug tickets than I would.

cheers
L.


On 15 July 2016 at 18:05, Jakub Hrozek  wrote:

> On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
> > On (15/07/16 12:56), Lachlan Musicman wrote:
> > >This line:
> > >
> > >We have SELinux disabled on all of our servers, but we hadn't disabled
> this
> > >check in sssd.conf. So we enabled it in sssd.conf and everything worked
> > >fine.
> > >
> > >Should read that we *disabled* selinux.
> > >
> > >selinux_provider = none
> > Could you also try another solution?
> > put "override_space = _" into the "sssd" section in sssd.conf
> > and restart sssd.
> >
> > As a result of this, the space will be replaced with an underscore
> > and libsemanage should not complain.
> >
> > @see man sssd.conf -> override_space
>
> This is either a bug in semanage, we should file one and ask the
> semanage developers if there is a proper way to quote the spaces.
>
> But yes, selinux_provider=none would disable this area of code.
>
>

Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-15 Thread Lukas Slebodnik
On (15/07/16 12:56), Lachlan Musicman wrote:
>This line:
>
>We have SELinux disabled on all of our servers, but we hadn't disabled this
>check in sssd.conf. So we enabled it in sssd.conf and everything worked
>fine.
>
>Should read that we *disabled* selinux.
>
>selinux_provider = none
Could you also try another solution?
put "override_space = _" into the "sssd" section in sssd.conf
and restart sssd.

As a result of this, the space will be replaced with an underscore
and libsemanage should not complain.

@see man sssd.conf -> override_space

LS



Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-14 Thread Lachlan Musicman
This line:

We have SELinux disabled on all of our servers, but we hadn't disabled this
check in sssd.conf. So we enabled it in sssd.conf and everything worked
fine.

Should read that we *disabled* selinux.

selinux_provider = none

Cheers
L.



[Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-14 Thread Lachlan Musicman
Hey,

While hunting this sssd/hbac/AD user problem, I noticed in the
selinux_child.log a lot of errors that look like this:

(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not parse seuser record
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not cache file database
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not enter read-only section
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [get_seuser] (0x0020): Cannot query for galaxy
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/tmp//seusers.final: 10): ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not parse seuser record
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not cache file database
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not enter read-only section
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [set_seuser] (0x0020): Cannot verify the SELinux user
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020): Cannot set SELinux login context.
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020): selinux_child failed!
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400): selinux_child started.
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400): context initialized
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400): performing selinux operations
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/active//seusers.final: 10): ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not parse seuser record
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not cache file database
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not enter read-only section
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [get_seuser] (0x0020): Cannot query for simpsonlach...@petermac.org.au
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/tmp//seusers.final: 10): ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not parse seuser record
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not cache file database
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not enter read-only section
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [set_seuser] (0x0020): Cannot verify the SELinux user
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020): Cannot set SELinux login context.
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020): selinux_child failed!
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400): selinux_child started.
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400): context initialized
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400): performing selinux operations
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/active//seusers.final: 10): ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): could not parse seuser record
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): could not cache file database
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): could not enter read-only section
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [get_seuser] (0x0020): Cannot query for madhamshettiwar p...@petermac.org.au
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/tmp//seusers.final: 10):



We have SELinux disabled on all of our servers, but we hadn't disabled this
check in sssd.conf. So we enabled it in sssd.conf and everything worked
fine.

But it should be noted that this check seems to be failing on a space in
the AD user names.

(I know, spaces in user names are weird, wrong and embarrassing, but it's
not my department. A fantastic example of Technical Debt and why project
planning and testing are best done before implementation.)

cheers
L.
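The seusers parse failure shown in the log above, and the override_space collision reported at the top of the thread, modelled as an added example (this is not code from sssd, libsemanage, or anyone on the list). It assumes the record syntax visible in the log (login:seuser:mls_range) and a parse order inferred from the error text "expected character ':', but found 'j'" (read the name up to ':' or whitespace, skip whitespace, require ':'); the sample seusers lines and AD names are constructed.

```python
"""Added example, not code from sssd or libsemanage.

Models the two failure modes discussed in this thread:
  1. a seusers record whose login name contains a space fails to parse
     ("expected character ':', but found 'j'");
  2. override_space = _ makes "test user" and "test_user" indistinguishable.
The parse order below (name up to ':' or whitespace, skip whitespace,
require ':') is an assumption inferred from the error text in the log.
"""
from typing import Dict, List, Tuple


class SeusersParseError(ValueError):
    """Raised with the same wording as the libsemanage message in the log."""


def parse_seusers_line(line: str, lineno: int = 1) -> Tuple[str, str, str]:
    """Parse one record of the form <login>:<seuser>:<mls range>."""
    pos, end = 0, len(line)

    # Step 1: fetch the login name, stopping at ':' or at whitespace.
    start = pos
    while pos < end and line[pos] != ":" and not line[pos].isspace():
        pos += 1
    login = line[start:pos]

    # Step 2: skip whitespace, then require the ':' separator. For
    # "ellul james@...", the parser is now sitting on the 'j'.
    while pos < end and line[pos].isspace():
        pos += 1
    found = line[pos] if pos < end else "end of line"
    if found != ":":
        raise SeusersParseError(
            f"expected character ':', but found '{found}' (line {lineno}): {line}")

    # Step 3: seuser up to the next ':'; the remainder is the MLS range,
    # which legitimately contains ':' itself (s0-s0:c0.c1023).
    seuser, sep, mls_range = line[pos + 1:].partition(":")
    if not sep or not seuser or not mls_range:
        raise SeusersParseError(f"incomplete record (line {lineno}): {line}")
    return login, seuser, mls_range


def check_seusers(text: str) -> Dict[int, str]:
    """Return {lineno: error} for every record that would fail to parse.

    An empty result means selinux_child will not trip over the file; any
    entry is a record to fix before relying on SELinux login contexts.
    """
    problems: Dict[int, str] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            parse_seusers_line(line, lineno)
        except SeusersParseError as exc:
            problems[lineno] = str(exc)
    return problems


def apply_override_space(name: str, replacement: str = "_") -> str:
    """What override_space does to names sssd hands out: spaces are replaced."""
    return name.replace(" ", replacement)


def override_space_collisions(names: List[str],
                              replacement: str = "_") -> Dict[str, List[str]]:
    """Group names by their override_space output; groups of size > 1 collide.

    A colliding group is exactly the situation reported at the top of the
    thread: once "test user" is presented as "test_user", sssd cannot tell
    a login as "test_user" from a login as "test user".
    """
    groups: Dict[str, List[str]] = {}
    for name in names:
        groups.setdefault(apply_override_space(name, replacement), []).append(name)
    return {out: originals for out, originals in groups.items()
            if len(originals) > 1}


# Constructed sample data (not taken from the real directory in the thread).
SAMPLE_SEUSERS = """\
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
ellul james@example.invalid:unconfined_u:s0-s0:c0.c1023
"""
SAMPLE_AD_NAMES = ["test user", "test_user", "ellul james@example.invalid"]


if __name__ == "__main__":
    for lineno, err in check_seusers(SAMPLE_SEUSERS).items():
        print(f"seusers line {lineno}: {err}")
    print("collisions with override_space = _:",
          override_space_collisions(SAMPLE_AD_NAMES))
```

Running the block lists the record that selinux_child would choke on and the name pair that override_space = _ folds together; an empty check_seusers result and an empty collision map are the two preconditions worth confirming before trusting either workaround on a directory with arbitrary AD names.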