On Thu, Mar 21, 2013 at 03:29:38PM +0100, Jakub Hrozek wrote:
> I see several failures related to the SELinux processing:
> -----------
> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
> (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
> -----------
> "4" is an internal error code, it would manifest in your /var/log/secure
> as "System Error".

No system errors are logged to /var/log/secure:

        Mar 21 11:30:01 ipa1 CROND[1161]: pam_unix(crond:session): session closed for user root
        Mar 21 11:33:27 ipa1 sshd[1204]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.net'
        Mar 21 11:33:33 ipa1 sshd[1216]: pam_unix(sshd:session): session opened for user janfrode by (uid=0)
        Mar 21 11:33:39 ipa1 su: pam_unix(su-l:session): session opened for user root by janfrode(uid=15019)

> What state is SELinux on the client machine? Are there any AVC denials?

SELinux is in enforcing mode. No denials logged.

When upgrading to v2.2, and also when initializing a v2.2 replica we got
the following error:

        Applying LDAP updates
        ipa         : ERROR    Update failed: Object class violation: attribute "ipaSELinuxUserMapOrder" not allowed

so I suspect there is some problem with our LDAP schema. That might be
related to the "No SELinux user maps found" message.. I have a support
ticket open on this ipaSELinuxUserMapOrder schema problem (00800931),
but not much progress there yet..
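To triage a backend log like the one quoted above, here is an added example (not from this thread or from SSSD itself) that parses SSSD debug lines and flags every PAM result of 4 (PAM_SYSTEM_ERR, the code pam_sss reports as "System Error"), pairing it with the last "Backend returned" code for that domain so a Success followed by result 4 stands out; the sample lines are constructed after the quoted ones.

```python
import re

# Constructed sample lines in the SSSD backend debug-log format quoted in the thread.
SAMPLE_LOG = """\
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
(Thu Mar 21 08:25:10 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [0][example.net]
"""

# Line shape: (timestamp) [sssd[be[domain]]] [function] (debug level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
BACKEND_RE = re.compile(r"^Backend returned: \((?P<code>\d+), \d+, [^)]*\)")
RESULT_RE = re.compile(r"^Sending result \[(?P<code>\d+)\]\[[^\]]+\]$")

PAM_SUCCESS = 0      # Linux-PAM return codes
PAM_SYSTEM_ERR = 4   # shown in /var/log/secure as "System Error"


def parse_line(line):
    """Split one SSSD debug line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_system_errors(text):
    """Return (timestamp, domain, last_backend_code) for every result of PAM_SYSTEM_ERR.

    last_backend_code is the most recent 'Backend returned' code seen for that
    domain; 0 paired with result 4 means the failure happened after the backend
    call succeeded, which is the pattern in the quoted log."""
    last_backend = {}
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        b = BACKEND_RE.match(rec["msg"])
        if b:
            last_backend[rec["domain"]] = int(b.group("code"))
            continue
        r = RESULT_RE.match(rec["msg"])
        if r and int(r.group("code")) == PAM_SYSTEM_ERR:
            hits.append((rec["ts"], rec["domain"], last_backend.get(rec["domain"])))
    return hits
```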


Freeipa-users mailing list