Sigbjorn Lie wrote:
On 09/19/2012 11:05 PM, Rob Crittenden wrote:
Sigbjorn Lie wrote:
On 09/19/2012 10:48 PM, Rob Crittenden wrote:
Sigbjorn Lie wrote:
Hi,

I noticed an updated krb5-server package today advertising that it's
fixing the issue with slow GSSAPI binds discussed earlier, so I
installed it in my test environment, set SElinux back to enforcing in
/etc/sysconfig/selinux and rebooted.

The named daemon does not start now. The error below was logged in
/var/log/messages:

Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (KDC returned error
string: PROCESS_TGS)

I am able to start named after setting SElinux in permissive mode
(setenforce 0).

Then to verify: I stop all IPA services (ipactl stop), reenabled
selinux
(setenforce 1), and start the IPA services (ipactl start). A new error
is logged in /var/log/messages:

Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)


 From the /var/log/krb5kdc.log:
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
client>
for <unknown server>, Cannot create replay cache file
/var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4
etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown
client>
for <unknown server>, Cannot create replay cache file
/var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
etypes
{18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
DNS/ipa01.ix.test....@ix.test.com for krbtgt/ix.test....@ix.test.com,
Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4
etypes
{18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
{rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test....@ix.test.com for
krbtgt/ix.test....@ix.test.com

/var/named/data/named.run logged nothing.



Any suggestions for how to troubleshoot this issue?

Pure guess, but:

restorecon /var/tmp/krbtgt_0

rob
Sorry, that did not help. There seem to be a new error in the messages
file every time I attempt a named restart though. See below for the
latest:

Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
(IX.TEST.COM) does not match tkey-gssapi-credential
(DNS/ipa01.ix.test.com)
Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)

I'd continue to check /var/log/audit/audit.log for AVCs.

rob


OK, I had a quick look before I'm off for today. :)

There's a lot of these messages, denying named access to /var/tmp/DNS_25.



type=AVC msg=audit(1348086955.397:42404): avc:  denied  { getattr } for
pid=11648 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc:  denied  { read write }
for  pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348086955.398:42405): avc:  denied  { open } for
pid=11648 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42438): avc:  denied  { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.524:42439): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42440): avc:  denied  { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42441): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42442): avc:  denied  { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42443): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.525:42444): avc:  denied  { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.526:42445): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.526:42446): avc:  denied  { getattr } for
pid=12639 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088487.526:42447): avc:  denied  { unlink } for
pid=12639 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088493.161:42449): avc:  denied  { getattr } for
pid=12667 comm="named" path="/var/tmp/DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088493.162:42450): avc:  denied  { read write }
for  pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348088493.162:42450): avc:  denied  { open } for
pid=12667 comm="named" name="DNS_25" dev=dm-2 ino=132140
scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file



I tried "restorecon /var/tmp/DNS_25", but the attributes looks the same
before and after:

-rw-------. named  named  system_u:object_r:tmp_t:s0       DNS_25

Ok, I'm not sure. Perhaps selinux-policy has an update available too?

You may want to consider temporarily setting selinux to permissive while we sort this out if your system is otherwise unusable.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to