Re: [Freeipa-users] Trying to use the CLI logs me out
# script /tmp/out-script
Script started, file is /tmp/out-script
# ipa help
Script done, file is /tmp/out-script
# cat /tmp/out-script
Script started on Wed 26 Feb 2014 07:18:07 AM EST
# ipa help
Script done on Wed 26 Feb 2014 07:18:14 AM EST
#

So then I tried it using script's -c option to see if that would make a difference, kind of like strace did:

# script -c 'ipa help' /tmp/out-script2
Script started, file is /tmp/out-script2
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
  :
  :
See ipa COMMAND --help for more information on a specific command.
Script done, file is /tmp/out-script2
# cat /tmp/out-script2
Script started on Wed 26 Feb 2014 07:20:27 AM EST
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
  :
  :
See ipa COMMAND --help for more information on a specific command.
Script done on Wed 26 Feb 2014 07:20:28 AM EST
#

It /looks/ like something is behaving differently when input comes from a tty vice when it doesn't. For grins, I did the same thing using ipa host-find zw129.damascusgrp.com and got basically the same result -- an empty log first, then successful completion (including expected results) using the -c option.

Bret

On 02/25/2014 08:32 PM, Bret Wortman wrote:
> I'll try that. And you're right--we've tried a number of sub commands.
>
> Bret Wortman
> http://bretwortman.com/
> http://twitter.com/BretWortman
>
> On Feb 25, 2014, at 8:05 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Dmitri Pal wrote:
>>> On 02/25/2014 07:31 PM, Bret Wortman wrote:
>>>> Nope, running with strace lets us use the IPA command again with impunity. Without it, process termination.
>>>
>>> A theory.
>>> Your data has some output that is treated as an escape sequence that crushes the shell so your connection is closed.
>>> Do you test it with the same command all the time? Have you tried other commands? Can you do a user/group/host add? Can you try other commands?
>>
>> I think he said it fails with a simple ipa help, which eliminates a whole lot of the work we do because it does no networking in that case.
>>
>> Maybe running inside a typescript will show something like weird characters.
>>
>> rob
>>
>>>> Bret Wortman
>>>> http://bretwortman.com/
>>>> http://twitter.com/BretWortman
>>>>
>>>> On Feb 25, 2014, at 6:06 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>> Bret Wortman wrote:
>>>>>> I don't know if this will be informative or not, but:
>>>>>>
>>>>>> # strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com
>>>>>> --
>>>>>> 1 host matched
>>>>>> --
>>>>>>   Host name: zw129.damascusgrp.com
>>>>>>   :
>>>>>>   :
>>>>>> #
>>>>>>
>>>>>> I then found this pattern occurring a number of times within the (17564 line) output file:
>>>>>>
>>>>>> 4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 <unfinished ...>
>>>>>> 4237 <... close resumed> ) = 0
>>>>>> 4229 <... mmap resumed> ) = 0x7f936aad2000
>>>>>> 4229 read(13,  <unfinished ...>
>>>>>> 4237 dup2(7, 0) = 0
>>>>>> 4237 dup2(10, 1) = 1
>>>>>> 4237 dup2(12, 2) = 2
>>>>>> 4237 close(7) = 0
>>>>>> 4237 close(10) = 0
>>>>>> 4237 close(12) = 0
>>>>>> 4237 close(3) = 0
>>>>>> 4237 close(4) = 0
>>>>>> 4237 close(5) = 0
>>>>>> 4237 close(6) = 0
>>>>>> 4237 close(7) = -1 EBADF (Bad file descriptor)
>>>>>> 4237 close(8) = -1 EBADF (Bad file descriptor)
>>>>>> 4237 close(9) = -1 EBADF (Bad file descriptor)
>>>>>> 4237 close(10) = -1 EBADF (Bad file descriptor)
>>>>>>   :
>>>>>>   :
>>>>>> Continues for a thousand entries or so, then:
>>>>>>   :
>>>>>> 4237 close(1022) = -1 EBADF (Bad file descriptor)
>>>>>> 4237 close(1023) = -1 EBADF (Bad file descriptor)
>>>>>> 4237 execve("/bin/keyctl", ["keyctl", "padd", "user", "ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */] <unfinished ...>
>>>>>
>>>>> Just noise while we fork off and run another process, in this case keyctl to store the session cookie in the kernel keyring.
>>>>>
>>>>> So running with strace doesn't result in the session logging out?
>>>>>
>>>>> rob
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
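Rob suggests capturing the session in a typescript to look for weird characters, and Dmitri's theory is that an escape sequence in the output is what kills the shell. As an added example (not code from this thread or from FreeIPA), the Python scanner below lists every control byte and ESC sequence in a captured typescript together with its byte offset, so the two can be checked rather than guessed at; the sample typescript bytes are constructed here, and the planted sequences are not from the thread.

```python
import re
import sys
from typing import List, Tuple

# ECMA-48 escape sequences: CSI (ESC [ ... final), OSC (ESC ] ... BEL/ST)
# and a catch-all for any other two-byte ESC sequence such as ESC c (RIS).
CSI = re.compile(rb"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]")
OSC = re.compile(rb"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
OTHER_ESC = re.compile(rb"\x1b[\x20-\x7e]")
# C0 bytes that every typescript contains and that need no report.
BENIGN = {0x09, 0x0A, 0x0D}   # TAB, LF, CR

def scan_typescript(data: bytes) -> List[Tuple[int, str, bytes]]:
    """Return (offset, kind, raw bytes) for every control byte or escape
    sequence in a captured typescript, in the order they appear."""
    findings = []
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0x1B:
            for kind, rx in (("CSI", CSI), ("OSC", OSC), ("ESC", OTHER_ESC)):
                m = rx.match(data, i)
                if m:
                    findings.append((i, kind, m.group()))
                    i = m.end()
                    break
            else:                       # lone ESC at end of input
                findings.append((i, "ESC", data[i:i + 1]))
                i += 1
            continue
        # Remaining C0 controls and DEL. C1 controls are not flagged: in
        # UTF-8 output 0x80-0x9f are continuation bytes, not controls.
        if (b < 0x20 and b not in BENIGN) or b == 0x7F:
            findings.append((i, "C0", data[i:i + 1]))
        i += 1
    return findings

# Constructed sample typescript: the CSI/OSC sequences, the bare BEL and
# the ESC c terminal reset are planted here; they are not from the thread.
SAMPLE = (
    b"Script started on Wed 26 Feb 2014 07:18:07 AM EST\r\n"
    b"\x1b[1mUsage:\x1b[0m ipa [global-options] COMMAND [command-options]\r\n"
    b"Options:\r\n  :\r\n  :\r\n"
    b"\x1b]0;ipa\x07"   # OSC 0: set window title
    b"\x07"             # bare BEL
    b"\x1bc"            # ESC c: RIS, resets the terminal
    b"Script done on Wed 26 Feb 2014 07:18:14 AM EST\r\n"
)

if __name__ == "__main__":
    # Scan a real typescript given on the command line, else the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, kind, raw in scan_typescript(data):
        print(f"{off:8d}  {kind:4s}  {raw!r}")
```

Run it as `python3 scan_typescript.py /tmp/out-script` against the file that `script` wrote; a clean `ipa help` capture should report nothing but the `\r` line endings, which are deliberately not listed.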
Re: [Freeipa-users] local root can su to any IPA user
Would it not be possible for root to disable selinux enforcement? A user could maybe even use a livecd if root couldn't be gained directly.

I'm looking at joining workstations to an idm realm, but some users will need sudo permissions on their machines. Is there any documentation on best practices here? Has there been any further discussion on the best way to approach this problem?

Thanks,

Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/

On Fri, Nov 29, 2013 at 9:41 AM, Martin Kosek <mko...@redhat.com> wrote:
> On 11/29/2013 03:17 PM, Jakub Hrozek wrote:
>> On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
>>> Jakub,
>>>
>>> Yes, I could do this. But then the local root account cannot su to local users (without password). But that is actually a normal use-case. I just think local root should not be allowed to transition to a domain user, by default.
>>>
>>> Fred
>>
>> Ah, in that case I'm not sure if there's an easy solution, at least I don't know any off hand. I think Alexander is right that SELinux would be a good choice.
>
> Right. Root could uncomment the pam_rootok.so line anyway if he wanted to access other users' accounts again.
>
> Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
On 02/26/2014 07:25 AM, Bret Wortman wrote:
> # script /tmp/out-script
> Script started, file is /tmp/out-script
> # ipa help
> Script done, file is /tmp/out-script
> # cat /tmp/out-script
> Script started on Wed 26 Feb 2014 07:18:07 AM EST
> # ipa help
> Script done on Wed 26 Feb 2014 07:18:14 AM EST
> #
>
> So then I tried it using script's -c option to see if that would make a difference, kind of like strace did:
>
> # script -c 'ipa help' /tmp/out-script2
> Script started, file is /tmp/out-script2
> Usage: ipa [global-options] COMMAND [command-options]
>
> Manage an IPA domain
>
> Options:
>   :
>   :
> See ipa COMMAND --help for more information on a specific command.
> Script done, file is /tmp/out-script2
> # cat /tmp/out-script2
> Script started on Wed 26 Feb 2014 07:20:27 AM EST
> Usage: ipa [global-options] COMMAND [command-options]
>
> Manage an IPA domain
>
> Options:
>   :
>   :

These colons... Where do they come from? Can it be that something here is interpreted in a strange way? Can it be some kind of weird newline conversion in the output that causes the shell to go south? Any strange settings in ENV defining terminal settings? Can you do any python based output?

> See ipa COMMAND --help for more information on a specific command.
> Script done on Wed 26 Feb 2014 07:20:28 AM EST
> #
>
> It /looks/ like something is behaving differently when input comes from a tty vice when it doesn't. For grins, I did the same thing using ipa host-find zw129.damascusgrp.com and got basically the same result -- an empty log first, then successful completion (including expected results) using the -c option.
>
> Bret

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users