We have a network that relies on kerberos, 389-ds, bind and nfs4. I am currently testing out the freeipa version 2 to see if we can use it to consolidate the various configuration into one interface. For the most part it works great apart from the obvious area where it has not been completed. However there are somethings that I have noticed.
1.) The DNS logging always logs database error every time it access the ldap. even though the query returns okay and the dns reply is fine. here is an excerpt of the log named.run 24-Oct-2010 10:32:33.025 edns-disabled: info: success resolving ' www.mailscanner.tv/A' (in 'mailscanner.tv'?) after reducing the advertised EDNS UDP packet size to 512 octets 24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad, idnsname= uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)' 24-Oct-2010 10:34:41.140 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)' 24-Oct-2010 10:34:41.143 database: error: entry count: 1 24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad, idnsname= uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)' 24-Oct-2010 10:39:43.581 database: error: querying 'idnsName=wpad, idnsname= uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)' 24-Oct-2010 10:39:43.583 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)' 24-Oct-2010 10:39:43.586 database: error: entry count: 1 24-Oct-2010 10:39:43.589 database: error: querying 'idnsName=wpad, idnsname= uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)' here is our logging configuration // ******************* // Logging definitions // ******************* // Logging logging { channel "named_log" { file "data/log/named.run" versions 5 size 4m; severity dynamic; print-category yes; print-severity yes; print-time yes; }; channel "security_log" { file "data/log/security.log" versions 5 size 10m; severity dynamic; print-category yes; print-severity yes; print-time yes; }; channel "query_log" { file "data/log/query.log" versions 5 size 50m; #severity dynamic; severity debug; print-category yes; print-severity yes; print-time yes; }; channel "transfer_log" { file "data/log/transfer.log" versions 5 size 10m; severity dynamic; print-category yes; print-severity yes; }; category "default" { "named_log"; "default_syslog"; "default_debug"; }; category "general" { "named_log"; }; category "queries" { "query_log"; }; category "lame-servers" { null; }; category "security" { "security_log"; }; category "config" { "named_log"; }; category "resolver" { "query_log"; }; category "xfer-in" { "transfer_log"; }; category "xfer-out" { "transfer_log"; }; category "notify" { "transfer_log"; }; category "client" { "query_log"; }; category "network" { "named_log"; }; category "update" { "transfer_log"; }; category "dnssec" { "security_log"; }; category "dispatch" { "security_log"; }; }; This error message keeps triggering our monitoring systems. 2.) I currently have only one ipa-client; and certmonger keeps getting seliux AVC denials Oct 24 10:57:24 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2 Oct 24 10:57:56 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2 Oct 24 10:58:26 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2 Oct 24 10:58:57 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2 Summary: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. Detailed Description: SELinux denied access requested by certmonger. It is not expected that this access is required by certmonger and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:certmonger_t:s0 Target Context system_u:object_r:bin_t:s0 Target Objects /usr/libexec/certmonger/ipa-submit [ file ] Source certmonger Source Path /usr/sbin/certmonger Port <Unknown> Host ulasi.uzdomain.ca Source RPM Packages certmonger-0.32-0.2010101515git5920eca.fc13 Target RPM Packages certmonger-0.32-0.2010101515git5920eca.fc13 Policy RPM selinux-policy-3.7.19-65.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name ulasi.uzdomain.ca Platform Linux ulasi.uzdomain.ca2.6.34.7-61.fc13.i686.PAE #1 SMP Tue Oct 19 04:24:06 UTC 2010 i686 i686 Alert Count 1646 First Seen Sat Oct 23 15:48:48 2010 Last Seen Sun Oct 24 10:59:52 2010 Local ID 8db766a3-6100-4be5-aec6-2a3a713290e2 Line Numbers Raw Audit Messages node=ulasi.uzdomain.ca type=AVC msg=audit(1287932392.282:21690): avc: denied { execute } for pid=3472 comm="certmonger" name="ipa-submit" dev=dm-0 ino=790251 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file node=ulasi.uzdomain.ca type=SYSCALL msg=audit(1287932392.282:21690): arch=40000003 syscall=11 success=no exit=-13 a0=9f99490 a1=9f99450 a2=9f98e60 a3=9f99450 items=0 ppid=1555 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null) I was using certmonger-0.30-1.fc13.i686 from source [ freeipa-devel ] because of the problem I updated to the nightly build certmonger-0.32-0.2010101515git5920eca.fc13 but the problem continues. These are the selinux rpms selinux-policy-targeted-3.7.19-65.fc13.noarch selinux-policy-3.7.19-65.fc13.noarch libselinux-python-2.0.94-2.fc13.i686 libselinux-utils-2.0.94-2.fc13.i686 Thanks Ide
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users