On Wed, 10 Jan 2024, Dmitry Krasov via FreeIPA-users wrote:
HBAC allow_all is enabled. I think everything is default, only the sudo rule from the video.
I did debug level 3...
Please use debug level 9 and provide full logs somewhere.
You can send the link to logs/logs themselves off list, I'll continue in
this thread with findings.
sssd_dom.loc.log:
(2024-01-10 16:14:08): [be[dom.loc]] [sdap_dyndns_dns_addrs_done] (0x0040):
[RID#62] Could not receive list of current addresses [5]: Input/output error
(2024-01-10 16:14:08): [be[dom.loc]] [ipa_dyndns_sdap_update_done] (0x0040):
[RID#62] Dynamic DNS update failed [5]: Input/output error
(2024-01-10 16:14:08): [be[dom.loc]] [be_ptask_done] (0x0040): [RID#62] Task
[Dyndns update]: failed with [5]: Input/output error
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2024-01-10 16:14:08): [be[dom.loc]] [sdap_id_op_destroy] (0x4000):
[RID#62] releasing operation connection
* (2024-01-10 16:14:08): [be[dom.loc]] [be_ptask_done] (0x0040): [RID#62]
Task [Dyndns update]: failed with [5]: Input/output error
********************** BACKTRACE DUMP ENDS HERE
*********************************
(2024-01-10 16:14:09): [be[dom.loc]] [ipa_id_get_account_info_orig_done]
(0x0080): [RID#69] Object not found, ending request
(2024-01-10 16:21:58): [be[dom.loc]] [ipa_hbac_evaluate_rules] (0x0080):
[RID#94] Access granted by HBAC rule [allow_all]
(2024-01-10 16:21:58): [be[dom.loc]] [ipa_deskprofile_get_config_done]
(0x0080): [RID#96] Server doesn't support Desktop Profile.
(2024-01-10 16:21:58): [be[dom.loc]] [ipa_hbac_evaluate_rules] (0x0080):
[RID#97] Access granted by HBAC rule [allow_all]
-------------------------------------
sssd_pam.log:
(2024-01-10 16:28:09): [pam] [orderly_shutdown] (0x1f7c0): SIGTERM: killing
children
(2024-01-10 16:28:09): [pam] [orderly_shutdown] (0x1f7c0): Shutting down (status = 0)
(2024-01-10 16:28:24): [pam] [server_setup] (0x1f7c0): Starting with deb>
(2024-01-10 16:28:25): [pam] [cache_req_common_process_dp_reply] (0x0040):
[CID#1] CR #1: Could not get account info [1432158212]: SSSD is offline
-------------------------------------
journalctl -xe when I try to close forticlient (doing a privileged action) and
close the auth window:
16:31:26 desktop22043.dom.loc audit[800]: AVC apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd"
name="/proc/3949/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:31:26 desktop22043.dom.loc kernel: audit: type=1400 audit(1704889886.433:219): apparmor="ALLOWED" operation="open"
class="file" profile="/usr/sbin/sssd" name="/proc/3949/cmdline" pid=800 comm="sssd_nss" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
16:31:26 desktop22043.dom.loc audit[800]: AVC apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd"
name="/proc/3952/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:31:26 desktop22043.dom.loc kernel: audit: type=1400 audit(1704889886.497:220): apparmor="ALLOWED" operation="open"
class="file" profile="/usr/sbin/sssd" name="/proc/3952/cmdline" pid=800 comm="sssd_nss" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
---- auth window closed:
16:33:38 desktop22043.dom.loc polkitd(authority=local)[587]: Operator of
unix-session:4 FAILED to authenticate to gain authorization for action
org.fortinet.fortitray.quit for unix-process:3948:18923 [sh -c pkexec /bin/bash
/opt/forticlient/stop-forticlient.sh] (owned by unix-user:desktop)
16:33:38 desktop22043.dom.loc pkexec[3949]: desktop: Error executing command as
another user: Request dismissed [USER=root] [TTY=unknown] [CWD=/home/desktop]
[COMMAND=/bin/bash /opt/forticlient/stop-forticlient.sh]
16:33:38 desktop22043.dom.loc Fortitray.desktop[3949]: Error executing command
as another user: Request dismissed
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
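The log excerpts above mix two formats that are worth reading mechanically before a level-9 dump arrives: SSSD debug lines, whose hexadecimal level field tells you whether a line is a serious failure (0x0040) or mere chatter, and AppArmor AVC records, where apparmor="ALLOWED" means the profile is in complain mode and the same open() would be DENIED once the profile is enforced. The following is an added example, not code from the thread or from SSSD/FreeIPA: a small parser that picks the serious failures and "SSSD is offline" markers out of an SSSD log and lists the paths an AppArmor profile only allowed because of complain mode. The sample lines are constructed to match the quoted format, and the level names follow the debug_level table in sssd.conf(5).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines modelled on the SSSD and journal formats quoted
# in the thread; they are not copied from the original message.
SAMPLE_SSSD_LOG = """\
(2024-01-10 16:14:08): [be[dom.loc]] [ipa_dyndns_sdap_update_done] (0x0040): [RID#62] Dynamic DNS update failed [5]: Input/output error
(2024-01-10 16:21:58): [be[dom.loc]] [ipa_hbac_evaluate_rules] (0x0080): [RID#94] Access granted by HBAC rule [allow_all]
(2024-01-10 16:28:25): [pam] [cache_req_common_process_dp_reply] (0x0040): [CID#1] CR #1: Could not get account info [1432158212]: SSSD is offline
"""

SAMPLE_AUDIT_LOG = """\
audit[800]: AVC apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/3949/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[800]: AVC apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/4100/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# SSSD debug level bits, named as in the sssd.conf(5) debug_level table.
SSSD_LEVELS = {
    0x0010: "fatal failure",
    0x0020: "critical failure",
    0x0040: "serious failure",
    0x0080: "minor failure",
    0x0100: "configuration setting",
    0x0200: "function data",
    0x0400: "operation trace",
    0x1000: "internal control trace",
    0x2000: "internal data",
    0x4000: "low-level trace",
}

# (timestamp): [component] [function] (0xLEVEL): [RID#n] message
SSSD_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?:\[(?P<rid>[A-Z]+#\d+)\] )?(?P<msg>.*)$"
)

# key=value or key="quoted value" fields of an AVC record
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class SssdEvent:
    timestamp: str
    component: str      # e.g. be[dom.loc] or pam
    function: str
    level: int
    request_id: Optional[str]
    message: str

    @property
    def level_name(self) -> str:
        return SSSD_LEVELS.get(self.level, f"unknown ({self.level:#06x})")


def parse_sssd_line(line: str) -> Optional[SssdEvent]:
    """Parse one SSSD debug line; backtrace banners and separators give None."""
    m = SSSD_LINE.match(line.strip())
    if not m:
        return None
    return SssdEvent(m["ts"], m["comp"], m["func"], int(m["level"], 16),
                     m["rid"], m["msg"])


def parse_sssd_log(text: str) -> List[SssdEvent]:
    return [e for e in (parse_sssd_line(l) for l in text.splitlines()) if e]


def serious_failures(events: List[SssdEvent]) -> List[SssdEvent]:
    """Fatal, critical and serious-failure lines (0x0010, 0x0020, 0x0040)."""
    return [e for e in events if e.level in (0x0010, 0x0020, 0x0040)]


def offline_events(events: List[SssdEvent]) -> List[SssdEvent]:
    """Lines showing the backend answered from cache because it went offline."""
    return [e for e in events if "SSSD is offline" in e.message]


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Turn an AppArmor AVC record into a dict of its key=value fields."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, raw in AUDIT_FIELD.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    return [f for f in (parse_audit_line(l) for l in text.splitlines()) if f]


def complain_mode_accesses(entries: List[Dict[str, str]]) -> List[str]:
    """Paths opened only because the profile is in complain mode: ALLOWED here
    becomes DENIED as soon as the profile is switched to enforce."""
    return [e["name"] for e in entries if e.get("apparmor") == "ALLOWED"]


def report(sssd_text: str, audit_text: str) -> Dict[str, object]:
    events = parse_sssd_log(sssd_text)
    entries = parse_audit_log(audit_text)
    return {
        "serious": [f"{e.timestamp} {e.component} {e.function}: {e.message}"
                    for e in serious_failures(events)],
        "offline": bool(offline_events(events)),
        "complain_mode_paths": complain_mode_accesses(entries),
        "denied_paths": [e["name"] for e in entries if e.get("apparmor") == "DENIED"],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SSSD_LOG, SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {value}")
```

Run against a real /var/log/sssd/sssd_<domain>.log and the journal, the "offline" flag is the first thing to check when HBAC grants access but pkexec still fails: an offline backend answers only from cache, so anything not cached looks like "Object not found". The complain-mode list is what would break on the day the /usr/sbin/sssd profile is enforced, so it belongs in the profile before that switch.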