On Monday, November 12, 2012 03:32:33 PM Jakub Hrozek wrote:
> On Sun, Nov 11, 2012 at 04:37:46PM -0600, Anthony Messina wrote:
> > After upgrading to freeipa-{client,server}-2.2.1-1.fc17.x86_64 today, my 
> > clients are no longer able to login via kdm or ssh (and perhaps
> > others).  The >
> > secure log shows the following:
> > 
> >
> > sshd[28922]: pam_sss(sshd:account): Access denied for user amessina: 4
> > (System  error)
> >
> > 
> >
> > Of note, I have always had the HBAC allow_all rule enabled--I've never
> > done  anything with HBAC since I began using IPA.
> >
> > 
> >
> > The problem and resolution seems to be the same as 
> > https://www.redhat.com/archives/freeipa-users/2012-September/msg00016.html
> >
> > 
> >
> > where if I uninstall IPA on the clients, then remove the host on the IPA 
> > server, then reinstall on the client, things work as expected.
> >
> > 
> >
> > I have done this for all but one of the clients, and of course, the IPA 
> > server, which itself is a client.
> >
> > 
> >
> > I have increased sssd debugging and find that when trying to login to the 
> > servers that have not been reinstalled as above, I get the following 
> >
> > significant error in sssd_<domain>.log:
> > 
> >
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [be_pam_handler]
> > (0x0100):  Got request with the following data
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  command: PAM_ACCT_MGMT
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  domain: messinet.com
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  user: amessina
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  service: sshd
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  tty: ssh
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  ruser:
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  rhost: 2001:470:c1dc:7779:d6be:d9ff:fe8d:7c1e
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  authtok type: 0
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  authtok size: 0
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  newauthtok type: 0
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  newauthtok size: 0
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  priv: 1
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [pam_print_data]
> > (0x0100):  cli_pid: 9069
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [sdap_access_send] 
> > (0x0400): Performing access check for user [amessina]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for
> > user  [amessina]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> > [(&(objectClass=ipaHost)(fqdn=ds.messinet.com))]
> > [cn=accounts,dc=messinet,dc=com].
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostName]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] [sdap_process_result] 
> > (0x2000): Trace: sh[0x7f553cd5a500], connected[1], ops[0x7f553cd653a0], 
> > ldap[0x7f553cd56e20]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]] 
> > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
> > set (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]]
> > [sdap_get_generic_ext_done] (0x1000): Total count [0]
> > (Sun Nov 11 15:35:12 2012) [sssd[be[messinet.com]]]
> > [be_pam_handler_callback]  (0x0100): Backend returned: (3, 4, <NULL>)
> > [Internal Error (System error)]>
> > 
> >
> > I also find that when I do a manual ldapsearch for the non-upgraded
> > clients as >
> > follows:
> > 
> >
> > ldapsearch -x -D "cn=directory manager" -W -b
> > cn=accounts,dc=messinet,dc=com  "(&(objectClass=ipaHost)(fqdn=*))" dn
> >
> > 
> >
> > the non-upgraded clients DO NOT appear in the list, but if I do the 
following:
> > 
> >
> > ldapsearch -x -D "cn=directory manager" -W -b
> > cn=accounts,dc=messinet,dc=com  "(&(objectClass=ipaHost))" dn
> >
> > 
> >
> > the non-upgraded clients DO appear in the list.  Somehow the addition of
> > the  fqdn=* in the filter "(&(objectClass=ipaHost)(fqdn=*))" prevents
> > them from being displayed.
> >
> > 
> >
> > There were no errors on any of the servers or clients during the upgrade.
> >
> > 
> >
> > Your help is appreciated.  I've tried to get this corrected all day
> > without  success.
> >
> > 
> >
> > Thanks in advance.  -A
> 
> Hi,
> 
> the SSSD depends on the fqdn attribute being present for the access
> control mechanism. Also, the SSSD searches the directory anonymously, so
> in order to get the same results, you should simply search the directory
> with anonymous bind.

Thank you for replying.  I have disabled anonymous access and increased the 
minssf (all prior to the upgrade) and SSSD seemed to be alright:

~]# cat nsslapd-allow-anonymous-access.ldif 
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse

~]# cat nsslapd-localssf.ldif
dn: cn=config
changetype: modify
replace: nsslapd-localssf
nsslapd-localssf: 71

~]# cat nsslapd-minssf-exclude-rootdse.ldif
dn: cn=config
changetype: modify
replace: nsslapd-minssf-exclude-rootdse
nsslapd-minssf-exclude-rootdse: on

~]# cat nsslapd-minssf.ldif
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 56

~]# cat /etc/sssd/sssd.conf 
[domain/messinet.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = messinet.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ds.messinet.com
chpass_provider = ipa
ipa_server = ds.messinet.com
ldap_tls_cacert = /etc/ipa/ca.crt

sudo_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sudo_search_base = ou=SUDOers,dc=messinet,dc=com

debug_level = 8

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2

domains = messinet.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

> Can you check on the server how the host entries look like? 
> 
> For example:
> ipa host-show ds.messinet.com --all --raw
> 
> Is the FQDN attribute present in the directory at all?

Yes it is present.  The entry seems to appear similar to other entries.  I'm 
wondering if for some reason it wasn't indexed (I don't know much about 
indexing), but only the hosts that are re-enrolled after the update are 
displayed with the above search.  I'm thinking this may be related to 
http://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-2-2&id=ce11a7c0e22ee8f70e14c43419f20be70176fe8c

Is there a way to re-index the fqdn attribute?

~]# ipa host-show ds.messinet.com --all --raw
  dn: fqdn=ds.messinet.com,cn=computers,cn=accounts,dc=messinet,dc=com
  fqdn: ds.messinet.com
  krbprincipalname: host/ds.messinet....@messinet.com
  ipasshpubkey: ....
  ipasshpubkey: ....
  sshpubkeyfp: ....
  sshpubkeyfp: ....
  has_password: False
  managedby: fqdn=ds.messinet.com,cn=computers,cn=accounts,dc=messinet,dc=com
  has_keytab: True
  cn: ds.messinet.com
  ipauniqueid: fea4af02-ab17-11e1-bb55-d4ae52b94185
  krbextradata: ....
  krblastpwdchange: 20120531115854Z
  krblastsuccessfulauth: 20121112145732Z
  managing: fqdn=ds.messinet.com,cn=computers,cn=accounts,dc=messinet,dc=com    
                                                                                
                                                                             
  objectclass: top                                                              
                                                                                
                                                                             
  objectclass: ipaobject                                                        
                                                                                
                                                                             
  objectclass: nshost                                                           
                                                                                
                                                                             
  objectclass: ipahost                                                          
                                                                                
                                                                             
  objectclass: ipaservice                                                       
                                                                                
                                                                             
  objectclass: pkiuser                                                          
                                                                                
                                                                             
  objectclass: krbprincipalaux                                                  
                                                                                
                                                                             
  objectclass: krbprincipal                                                     
                                                                                
                                                                             
  objectclass: krbticketpolicyaux                                               
                                                                                
                                                                             
  objectclass: ipasshhost                                                       
                                                                                
                                                                             
  objectclass: ipaSshGroupOfPubKeys                                             
                                                                                
                                                                             
  serverhostname: ds  



On another but perhaps related note, client changes to ssh_config and 
sshd_config aren't made unless the host is removed from IPA, then re-enrolled.  
http://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-2-2&id=0b33b9fb3791545ab952b46c7443482a52fe6a6c

~]# rpm -q --scripts freeipa-client

yields nothing. 

Again, thanks for helping.  -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to