Jan-Frode Myklebust wrote:
On Thu, Mar 21, 2013 at 03:29:38PM +0100, Jakub Hrozek wrote:

I see several failures related to the SELinux processing:
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] 
(0x0400): No SELinux user maps found!
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] 
(0x0100): Backend returned: (0, 0, Success) [Success]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] 
(0x0100): Sending result [4][example.net]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] 
(0x0100): Sent result [4][example.net]

"4" is an internal error code, it would manifest in your /var/log/secure
as "System Error".

No system errors are logged to /var/log/secure:

        Mar 21 11:30:01 ipa1 CROND[1161]: pam_unix(crond:session): session 
closed for user root
        Mar 21 11:33:27 ipa1 sshd[1204]: pam_access(sshd:account): access 
denied for user `janfrode' from `login2.example.net'
        Mar 21 11:33:33 ipa1 sshd[1216]: pam_unix(sshd:session): session opened 
for user janfrode by (uid=0)
        Mar 21 11:33:39 ipa1 su: pam_unix(su-l:session): session opened for 
user root by janfrode(uid=15019)

What state is SELinux on the client machine? Are there any AVC denials?

Selinux is in enforcing mode. No denials logged.

When upgrading to v2.2, and also when initializing a v2.2 replica we got
the following error:

        Applying LDAP updates
        ipa         : ERROR    Update failed: Object class violation: attribute 
"ipaSELinuxUserMapOrder" not allowed

so I suspect there are some problem with our LDAP schema. That might be
related to the "No SELinux user maps found" message.. I have a support
ticket open on this ipaSELinuxUserMapOrder-schema problem (00800931),
but not much progress there yet..

Upgrading to 2.2 from what version?

If there are no maps it may just mean that there are no maps, which is fine. SELinux user maps didn't work well in 6.3 anyway.

You might try: ipa-ldap-updater --ldapi /usr/share/ipa/updates/10-selinuxusermap.update


Freeipa-users mailing list

Reply via email to