-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/25/2013 10:15 AM, Jakub Hrozek wrote:
> On Sat, Feb 23, 2013 at 10:40:03PM +0000, Dale Macartney wrote:
>>
>
> On 02/23/2013 10:36 PM, Rob Crittenden wrote:
> >>> Dale Macartney wrote:
> >>>>
> >>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>> Hash: SHA1
> >>>>
> >>>> Even folks
> >>>>
> >>>> I've verified this both in a kickstart and via manual install to
verify
> >>>> any user error on my part.
> >>>>
> >>>> I have a clean installation of RHEL 6.4 for an IPA domain of
example.com
> >>>>
> >>>> I also have several clients which are also clean installs of rhel 6.4
> >>>> and although I can see ipa users via getent and even acquire a tgt's
> >>>> successfully, I am unable to login with any ipa user on any ipa
member
> >>>> server.
> >>>>
> >>>> I see the same results for any type of login attempt, e.g. gnome
desktop
> >>>> or ssh
> >>>>
> >>>> My client installation is done by this command.
> >>>>
> >>>> ipa-client-install -U -p admin -w redhat123 --mkhomedir
> --enable-dns-updates
> >>>>
> >>>> IPA client version 3.0.0-25
> >>>> SSSD version 1.9.2-82
> >>>>
> >>>>
> >>>> Logs from client as as follows.
> >>>>
> >>>> ==> /var/log/secure <==
> >>>> Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
> >>>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> >>>> rhost=10.0.1.254 user=admin
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
User info
> >>>> message: Your password will expire in 89 day(s).
>
> > FTR, this is a known bug that will be fixed in an asynchronous errata
> > Very Soon Now.
>
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
> >>>> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> >>>> rhost=10.0.1.254 user=admin
> >>>>
> >>>> ==> /var/log/btmp <==
> >>>> s ssh:nottyadmin10.0.1.254@>)Q
> >>>> ?
> >>>> ==> /var/log/secure <==
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account):
Access
> >>>> denied for user admin: 4 (System error)
>
> > What state is your SELinux in? Permissive/Enforcing/Disabled ?
Another fail on my part. Works fine in permissive mode.

AVC denials listed below..

type=AVC msg=audit(1361788146.020:28315): avc:  denied  { read } for 
pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28315): avc:  denied  { open } for 
pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28316): avc:  denied  { getattr } for 
pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28318): avc:  denied  { read } for 
pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28318): avc:  denied  { open } for 
pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28319): avc:  denied  { getattr } for 
pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0
ino=392854 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { write } for 
pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { add_name }
for  pid=1380 comm="sssd_pam" name="adminoTfIUQ"
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { create } for 
pid=1380 comm="sssd_pam" name="adminoTfIUQ"
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { write } for 
pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28322): avc:  denied  { remove_name }
for  pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28322): avc:  denied  { rename } for 
pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28322): avc:  denied  { unlink } for 
pid=1380 comm="sssd_pam" name="admin" dev=dm-0 ino=392951
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file

>
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for
admin from
> >>>> 10.0.1.254 port 55554 ssh2
> >>>> Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied
for user
> >>>> admin by PAM account configuration
> >>>>
> >>>> ==> /var/log/Xorg.0.log <==
> >>>> [ 604.308] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 connected
> >>>> from local host ( uid=42 gid=42 pid=1958 )
> >>>> Auth name: MIT-MAGIC-COOKIE-1 ID: 284
> >>>> [ 604.312] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17
disconnected
> >>>>
> >>>> ==> /var/log/messages <==
> >>>> Feb 23 22:12:45 workstation02 ntpd[2359]: synchronized to LOCAL(0),
> >>>> stratum 5
> >>>> Feb 23 22:13:48 workstation02 ntpd[2359]: synchronized to 10.0.1.12,
> >>>> stratum 11
> >>>>
> >>>>
> >>>> interactive shell output as follows
> >>>>
> >>>> [mac@rhodey ~]$ ssh admin@10.0.1.102
> >>>> admin@10.0.1.102's password:
> >>>> Your password will expire in 89 day(s).
> >>>> Connection closed by 10.0.1.102
> >>>> [mac@rhodey ~]$
> >>>>
> >>>>
> >>>> Am I doing something rather trivially wrong or is there something
fishy
> >>>> going on here?
> >>>>
> >>>> Thanks in advance.
> >>>
> >>> I'd check your HBAC configuration.
> >>>
> >>> rob
> >>>
> That is actually the very first thing I did. As it is a 100% clean
> installation of IPA, plus the addition of one user and one IPA replica.
>
> all users are granted access to all hosts.
>
> [root@ds01 ~]# ipa hbacrule-find
> -------------------
> 1 HBAC rule matched
> -------------------
> Rule name: allow_all
> User category: all
> Host category: all
> Source host category: all
> Service category: all
> Description: Allow all users to access any host from any host
> Enabled: TRUE
> ----------------------------
> Number of entries returned 1
> ----------------------------
> [root@ds01 ~]#
>
>
>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRKz1MAAoJEAJsWS61tB+q5VoP/3Jre49XLeb00rUvfri+Ud9j
c9GmrzAHH66Bckp2y/htaD23tnFraD94VSjwg485iCosqzuYDAd3U/+LXP3rjC92
Xt5rMBRJ3XAL7O32c9Z8FKPAeTCM+fR/UyjkKxGJaLaGeASnAZjg2Xek28z+jUuT
4+ITBMZWDdnhf34wpFeHL8FrhIq+oLYo3j5GKAH7YZn/XJnrs4gNH/pLBlnuegJQ
ukiouadZOQRo2AZb/jxW4LoUWl3pCorQah1dPyL0PaOuhSYQ4v29NdIdsDBLC1nK
U8V1TU+W59tyBfiMNwFYhxJ0IOvWYmIQY+oZNNzyo5+/tlqUlyGqpsgXmyoo7h1R
WoInBit4JotJyC/ynVraJBUjSiHcJsiTSBCdfnvzRPHiJhaldDfe7+iIDATBweMg
5e3nskIjGyqPTAWkUiFcp1Xv7ch2RKEq51dg4qhf7OAEwhOX7HkudIY50jD51CXW
X08vBqHzH3ViVBhsehZRzE73+B83RyaYOQaULgU8/GxAAH9r79/WFCA1H2Fl7fLE
PYTDlebyyRM2qlDxu2AXiwAo7DqdT9OMShmjiMcSoZAnSSdUfmCAwOgV9Yg5YKy9
3e3GYWtyhOKGmVagO18/WR5ZkR9Ei+Cb5Bs44oyfrY17l2PRiDLZj4Doeu4nhbOu
3ugSBDfo6+3DziJjP1sT
=EXH/
-----END PGP SIGNATURE-----

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to