I finally got it to work.  What i did was purge the freeipa-client and the
sssd packages.  after they were purged i installed them fresh.  after
running the install script and pam-config-auth, rebooted and it logged in
perfectly.   all i can figure is one of the installation scripts between
going from 12.04 to 12.10 to 13.04 reset the permissions on something deep
in the bowels of ubuntu and hosed it.  I guess i file this one under
shrug shoulders and go ok then..  Thanks


On Thu, May 16, 2013 at 5:25 AM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Wed, May 15, 2013 at 12:43:02PM -0400, Willie Slepecki wrote:
> > I have been debugging for a few days trying to figure out why my 13.04
> > upgraded machine will not log in to my freeipa server. the only thing i
> > find odd is since i updated i began getting these in my sssd.log file
> >
> > (Tue May 14 17:59:08 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain
> > onuspride.com --debug-to-files, reason: Permission denied
> > (Tue May 14 17:59:08 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain
> > onuspride.com --debug-to-files, reason: Permission denied
> > (Tue May 14 17:59:13 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_nss
> > --debug-to-files, reason: Permission denied
> > (Tue May 14 17:59:13
> > (Tue May 14 17:59:10 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain
> > onuspride.com --debug-to-files, reason: Permission denied
> > 2013) [sssd] [service_startup_handler] (0x0010): Could not exec
> > /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --debug-to-files, reason:
> > Permission denied
> > Tue May 14 17:59:13 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_nss
> > --debug-to-files, reason: Permission denied
> > (Tue May 14 17:59:13 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_ssh
> > --debug-to-files, reason: Permission denied
> > (Tue May 14 17:59:13 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_pac
> > --debug-to-files, reason: Permission denied
> > ((Tue May 14 17:59:13 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_ssh
> > --debug-to-files, reason: Permission denied
> > (Tue May 14 17:59:13 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_pam
> > --debug-to-files, reason: Permission denied
> > (Tue May 14 17:59:13 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_pac
> > --debug-to-files, reason: Permission denied
> > (Tue May 14 17:59:14 2013) [sssd] [service_startup_handler] (0x0010):
> > Could not exec /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain
> > onuspride.com --debug-to-files, reason: Permission denied
> > (Tue May 14 17:59:14 2013) [sssd] [mt_svc_exit_handler] (0x0010):
> > Process [onuspride.com], definitely stopped!
> >
> > i looked at the executables and they are set to 700 with owner of root.
> > that should be right. when i try to run the same commandline as root they
> > execute correctly. i assume at least, i don't get any errors or messages.
> >
> > anyone have an idea what these are? i suspect these errors are the
> reason i
> > can't login to the ipa server. this whole configuration worked just fine
> at
> > 12.04, but everything stopped when i upgraded the machine to 12.04 ->
> 12.10
> > -> 13.04
>
> Yes, these errors are definitely the culprit. These subprocesses are the
> actual worker processes of the sssd, if they don't execute, the SSSD
> doesn't work.
>
> Could something like SELinux or AppArmor be in the way?
>
> btw the Ubuntu maintainer checked that with default packaging the
> permissions are 0755 (same as on Fedora), can you check if the package
> was modified post-install by some hardening script perhaps? 0700 should
> be working as well, though..
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>



-- 
You want it fast, cheap, or right.  Pick two!!
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to