On Thu, Mar 21, 2013 at 09:57:50PM +0100, Jan-Frode Myklebust wrote:
> On Thu, Mar 21, 2013 at 03:29:38PM +0100, Jakub Hrozek wrote:
> > 
> > I see several failures related to the SELinux processing:
> > -----------
> > (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] 
> > [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
> > (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] 
> > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) 
> > [Success]
> > (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] 
> > [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
> > (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] 
> > [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
> > -----------
> > 
> > "4" is an internal error code, it would manifest in your /var/log/secure
> > as "System Error".
> 
> No system errors are logged to /var/log/secure:
> 
>       Mar 21 11:30:01 ipa1 CROND[1161]: pam_unix(crond:session): session 
> closed for user root
>       Mar 21 11:33:27 ipa1 sshd[1204]: pam_access(sshd:account): access 
> denied for user `janfrode' from `login2.example.net'
>       Mar 21 11:33:33 ipa1 sshd[1216]: pam_unix(sshd:session): session opened 
> for user janfrode by (uid=0)
>       Mar 21 11:33:39 ipa1 su: pam_unix(su-l:session): session opened for 
> user root by janfrode(uid=15019)
> 
> > What state is SELinux on the client machine? Are there any AVC denials?
> 
> Selinux is in enforcing mode. No denials logged.
> 
> When upgrading to v2.2, and also when initializing a v2.2 replica we got
> the following error:
> 
>       Applying LDAP updates
>       ipa         : ERROR    Update failed: Object class violation: attribute 
> "ipaSELinuxUserMapOrder" not allowed

Then maybe SSSD is tripping over the absence of the SELinux map order.
At least that's the way I read the SSSD code; it relies on the presence
of the ipaSELinuxUserMapOrder attribute.

What does:
$ ipa config-show --all --raw | grep -i selinux
say?

Does the problem go away if you set:
selinux_provider = none

in the config file in the domain section?

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
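The thread hinges on spotting PAM result code 4 in the SSSD backend debug log and tying it to the earlier "No SELinux user maps found!" message for the same domain. Below is an added example (not code from the thread or from SSSD) that parses lines in the quoted log format, flags every `Sending result [4]` and records whether that domain had already logged the missing-maps message; the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample input, modelled on the backend debug lines quoted in the thread.
SAMPLE_LOG = """\
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
(Thu Mar 21 08:25:10 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [0][example.net]
"""

# One SSSD backend debug line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"^Sending result \[(?P<code>\d+)\]\[(?P<rdomain>[^\]]+)\]$")
NO_MAPS_MSG = "No SELinux user maps found!"
PAM_SYSTEM_ERR = 4  # the internal result code the thread says shows up as "System Error"


def parse_line(line):
    """Split one backend debug line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_internal_errors(log_text):
    """Return one record per 'Sending result [4]' line, noting whether the same
    domain had already logged the missing SELinux user maps message."""
    domains_without_maps = set()
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a backend debug line (e.g. a wrapped continuation)
        if rec["msg"] == NO_MAPS_MSG:
            domains_without_maps.add(rec["domain"])
            continue
        r = RESULT_RE.match(rec["msg"])
        if r and int(r.group("code")) == PAM_SYSTEM_ERR:
            hits.append({
                "ts": rec["ts"],
                "domain": rec["domain"],
                "selinux_maps_missing": rec["domain"] in domains_without_maps,
            })
    return hits


if __name__ == "__main__":
    for hit in find_internal_errors(SAMPLE_LOG):
        print(hit)
```

Run it against a real `sssd_<domain>.log` with `find_internal_errors(open(path).read())`; a hit with `selinux_maps_missing` set is the pattern Jakub describes and a cue to check `ipa config-show --all --raw | grep -i selinux`.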