Hello,

It worked perfectly.
I am wondering why this only popped up now, with this patch update. Almost
none of our container hosts (and by inheritance the containers) have SELinux
enabled, as they are primarily for testing and are on a secure network.
With this version of ipa-client, does the host have to have SELinux enabled
for the container to inherit its definitions and policies?

Again thanks for your help!
Nuno


-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Tuesday, 14 February 2017 16:02
To: Nuno Higgs
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container

On Tue, 14 Feb 2017, Nuno Higgs wrote:
>Hello Alexander,
>
>Here are the logs. I have reproduced the error, because the first
>time I didn't have debug enabled on the domain part of the sssd.conf.
>After enabling it, the only thing reported in the sssd_domain.log at the
>time of the failure is:
>
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_eval_user_element] (0x1000): Added group [openvpn_home_users] for user [nuno]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): [< hbac_evaluate()
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): ALLOWED by rule [perimetro_ssh_allow].
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [perimetro_ssh_allow]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_done] (0x0400): DP Request [PAM Account #4]: Request handler finished [0]: Success
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #4]: Receiving request data.
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #4]: Request removed.
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_attach_req] (0x0400): DP Request [PAM SELinux #5]: New request. Flags [0000].
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_attach_req] (0x0400): Number of active DP request: 1
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=net,dc=xpto].
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaMigrationEnabled]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapDefault]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapOrder]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=net,dc=xpto].
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=net,dc=xpto]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=net,dc=xpto].
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [write_pipe_handler] (0x0400): All data has been sent!
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [read_pipe_handler] (0x0400): EOF received, client finished
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
^^ this is the issue. There was a change in behavior in libselinux that
caused the library to fail every time it is run in an environment where it
cannot identify whether SELinux is enabled or not.

You can disable SELinux processing in your sssd.conf:

[domain/...]
selinux_provider = none

--
/ Alexander Bokovoy
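The workaround above is a one-line change to sssd.conf, but on a fleet of containers it is worth applying it mechanically and checking the precondition first. The following is an added example, not code from this thread or from SSSD/FreeIPA: it inserts `selinux_provider = none` into every `[domain/...]` section while leaving comments and other sections untouched, rewrites the file with its original 0600 ownership and mode (sssd refuses to start otherwise), and includes a rough stand-in for libselinux's "is selinuxfs mounted here?" test so you can see whether a given container is in the state Alexander describes. The sample sssd.conf is constructed; `selinux_state_detectable()` is an approximation of libselinux's logic, not a reproduction of it; `patch_sssd_conf` does not restart sssd for you.

```python
"""Added example (not code from the thread or from SSSD/FreeIPA): apply the
`selinux_provider = none` workaround to every [domain/...] section of
sssd.conf, and check for the condition that made the selinux_child fail."""
import os
import re
import stat
import tempfile

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^\s*selinux_provider\s*=")


def selinux_state_detectable() -> bool:
    """Approximation (an assumption, not libselinux's exact logic) of what
    is_selinux_enabled() needs: selinuxfs mounted in this mount namespace.
    In an LXC container on a host without SELinux this is normally False,
    which is the environment in which the selinux_child call fails."""
    try:
        with open("/proc/self/mountinfo") as f:
            return any(" - selinuxfs " in line for line in f)
    except OSError:
        return False


def disable_selinux_provider(conf_text: str) -> str:
    """Return conf_text with `selinux_provider = none` in every [domain/...]
    section. An existing selinux_provider line in a domain section is
    replaced (duplicates dropped); comments, blank lines and other sections
    are kept verbatim, which configparser round-tripping would not do."""
    out = []
    in_domain = False
    done = False

    def close_section():
        # Leaving a domain section that never had the option: add it,
        # keeping the section's trailing blank lines after the new line.
        if in_domain and not done:
            tail = []
            while out and out[-1].strip() == "":
                tail.append(out.pop())
            out.append("selinux_provider = none")
            out.extend(tail)

    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            close_section()
            in_domain = m.group("name").startswith("domain/")
            done = False
            out.append(line)
        elif in_domain and OPTION_RE.match(line):
            if not done:
                out.append("selinux_provider = none")
                done = True
        else:
            out.append(line)
    close_section()
    return "\n".join(out) + "\n"


def patch_sssd_conf(path: str = "/etc/sssd/sssd.conf") -> None:
    """Rewrite sssd.conf in place. sssd requires the file to be root-owned
    and mode 0600, so the new text goes to a temp file in the same directory
    with the original's owner and mode copied across, then replaces the
    original atomically. Restart sssd afterwards (systemctl restart sssd)."""
    st = os.stat(path)
    with open(path) as f:
        new_text = disable_selinux_provider(f.read())
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".sssd.conf.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        os.chmod(tmp, stat.S_IMODE(st.st_mode))
        os.chown(tmp, st.st_uid, st.st_gid)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


# Constructed sample sssd.conf for demonstration, not the poster's real one.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh
domains = net.xpto

[domain/net.xpto]
# joined with ipa-client-install
id_provider = ipa
access_provider = ipa
ipa_domain = net.xpto

[nss]
homedir_substring = /home
"""

if __name__ == "__main__":
    print("selinuxfs visible in this mount namespace:", selinux_state_detectable())
    print(disable_selinux_provider(SAMPLE_CONF))
```

Run it as root inside the affected container with `patch_sssd_conf()` and then restart sssd; the option is set per domain rather than globally because that is the section SSSD reads it from. If `selinux_state_detectable()` returns True the container can see selinuxfs and this particular failure mode is unlikely to be the cause, so look elsewhere before disabling the provider.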


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project