Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-26 Thread Bret Wortman

# script /tmp/out-script
Script started, file is /tmp/out-script
# ipa help
Script done, file is /tmp/out-script
# cat /tmp/out-script

Script started on Wed 26 Feb 2014 07:18:07 AM EST
# ipa help

Script done on Wed 26 Feb 2014 07:18:14 AM EST
#

So then I tried it using script's -c option to see if that would make 
a difference, kind of like strace did:


# script -c 'ipa help' /tmp/out-script2
Script started, file is /tmp/out-script2
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
:
:
See ipa COMMAND --help for more information on a specific command.
Script done, file is /tmp/out-script2
# cat /tmp/out-script2
Script started on Wed 26 Feb 2014 07:20:27 AM EST
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
:
:
See ipa COMMAND --help for more information on a specific command.

Script done on Wed 26 Feb 2014 07:20:28 AM EST
#

It /looks/ like something is behaving differently when input comes from 
a tty vice when it doesn't. For grins, I did the same thing using ipa 
host-find zw129.damascusgrp.com and got basically the same result -- an 
empty log first, then successful completion (including expected results) 
using the -c option.



Bret

On 02/25/2014 08:32 PM, Bret Wortman wrote:

I'll try that. And you're right--we've tried a number of sub commands.


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman


On Feb 25, 2014, at 8:05 PM, Rob Crittenden rcrit...@redhat.com wrote:

Dmitri Pal wrote:

On 02/25/2014 07:31 PM, Bret Wortman wrote:
Nope, running with strace lets us use the IPA command again with impunity. 
Without it, process termination.

A theory. Your data has some output that is treated as escape sequence
that crushes the shell so your connection is closed.
Do you test it with the same command all the time?

Have you tried other commands?
Can you do a user/group/host add?

Can you try other commands?

I think he said it fails with a simple ipa help, which eliminates a whole lot 
of the work we do because it does no networking in that case.

Maybe running inside a typescript will show something like weird characters.

rob





Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman


On Feb 25, 2014, at 6:06 PM, Rob Crittenden rcrit...@redhat.com wrote:

Bret Wortman wrote:

I don't know if this will be informative or not, but:

# strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com
--
1 host matched
--
Host name: zw129.damascusgrp.com
   :
   :
#

I then found this pattern occurring a number of times within the (17564
line) output file:

4229  mmap(NULL, 1052672, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 <unfinished ...>
4237  <... close resumed> ) = 0
4229  <... mmap resumed> )  = 0x7f936aad2000
4229  read(13, <unfinished ...>
4237  dup2(7, 0)= 0
4237  dup2(10, 1)   = 1
4237  dup2(12, 2)   = 2
4237  close(7)  = 0
4237  close(10) = 0
4237  close(12) = 0
4237  close(3)  = 0
4237  close(4)  = 0
4237  close(5)  = 0
4237  close(6)  = 0
4237  close(7)  = -1 EBADF (Bad file descriptor)
4237  close(8)  = -1 EBADF (Bad file descriptor)
4237  close(9)  = -1 EBADF (Bad file descriptor)
4237  close(10) = -1 EBADF (Bad file descriptor)
:
: Continues for a thousand entries or so, then
:
4237  close(1022)   = -1 EBADF (Bad file descriptor)
4237  close(1023)   = -1 EBADF (Bad file descriptor)
4237  execve("/bin/keyctl", ["keyctl", "padd", "user",
"ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */]
<unfinished ...>

Just noise while we fork off and run another process, in this case keyctl to 
store the session cookie in the kernel keyring.

So running with strace doesn't result in the session logging out?

rob



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/








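The strace excerpt quoted in this message (the long close() sweep ending in the keyctl execve) is easier to reason about once the housekeeping is filtered out. The following Python script is an added example, not code from the thread or from FreeIPA: it parses the `strace -f -o` line layout into per-PID records, lists every execve with its argv, and flags the dup2-stdio, close-everything, then-exec shape that Rob identifies as fork noise. The sample trace is constructed to mimic the lines in the thread, with a placeholder principal and realm.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `strace -f -o FILE` (PID, then the call).
# The keyring principal and realm are placeholders, not values from the thread.
SAMPLE_TRACE = """\
4229  mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 <unfinished ...>
4237  <... close resumed> ) = 0
4229  <... mmap resumed> )  = 0x7f936aad2000
4229  read(13, <unfinished ...>
4237  dup2(7, 0)= 0
4237  dup2(10, 1)   = 1
4237  dup2(12, 2)   = 2
4237  close(7)  = 0
4237  close(10) = 0
4237  close(12) = 0
4237  close(3)  = 0
4237  close(7)  = -1 EBADF (Bad file descriptor)
4237  close(8)  = -1 EBADF (Bad file descriptor)
4237  close(1023)   = -1 EBADF (Bad file descriptor)
4237  execve("/bin/keyctl", ["keyctl", "padd", "user", "ipa_session_cookie:admin@EXAMPLE.TEST", "@s"], [/* 27 vars */] <unfinished ...>
4237  <... execve resumed> ) = 0
4229  <... read resumed> "x", 1) = 1
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<body>.*)$")
CALL_RE = re.compile(r"^(?P<name>[a-z_0-9]+)\((?P<args>.*)$")
RESUMED_RE = re.compile(r"^<\.\.\. (?P<name>\w+) resumed>")
EXECVE_RE = re.compile(r'^execve\("(?P<path>[^"]+)", \[(?P<argv>.*?)\], \[')
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_trace(text):
    """Return per-PID statistics: exec'd programs with argv, dup2 redirections
    and close() outcomes, keyed by the PID column strace -f prints."""
    stats = defaultdict(lambda: {"execve": [], "dup2": [], "close_ok": 0,
                                 "close_ebadf": 0, "resumed": 0})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, body = m.group("pid"), m.group("body")
        rec = stats[pid]
        if RESUMED_RE.match(body):
            # Second half of an interleaved call; the first half was counted.
            rec["resumed"] += 1
            continue
        call = CALL_RE.match(body)
        if not call:
            continue
        name, args = call.group("name"), call.group("args")
        if name == "execve":
            e = EXECVE_RE.match(body)
            if e:
                rec["execve"].append((e.group("path"), STR_RE.findall(e.group("argv"))))
        elif name == "close":
            if "EBADF" in args:
                rec["close_ebadf"] += 1
            elif re.search(r"=\s*0\s*$", args):
                rec["close_ok"] += 1
        elif name == "dup2":
            nums = re.findall(r"\d+", args.split("=")[0])
            if len(nums) >= 2:
                rec["dup2"].append((int(nums[0]), int(nums[1])))
    return dict(stats)


def children_that_exec(stats):
    """(pid, path, argv) for every execve: the events worth reading in a trace
    that is otherwise dominated by close()/EBADF housekeeping."""
    return [(pid, path, argv) for pid, rec in sorted(stats.items())
            for path, argv in rec["execve"]]


def is_fd_sweep(rec):
    """Heuristic for the fork-and-exec pattern in the thread: stdio rewired with
    dup2(), every other descriptor closed (mostly EBADF, since most were never
    open), then execve(). Benign by itself; it is what the child does before
    running a helper such as keyctl."""
    targets = {new for _old, new in rec["dup2"]}
    return {0, 1, 2} <= targets and rec["close_ebadf"] > 0 and bool(rec["execve"])


if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    for pid, path, argv in children_that_exec(summary):
        print(f"pid {pid} exec {path} argv={argv} fd-sweep={is_fd_sweep(summary[pid])}")
```

Run it against a real `strace -f -o /tmp/out ipa ...` file by replacing SAMPLE_TRACE with the file contents; the per-PID records make the thousand-line close() run collapse into two counters, leaving the execve lines (and their argv, which here shows the session cookie being stored under a keyring key) as the signal.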

Re: [Freeipa-users] local root can su to any IPA user

2014-02-26 Thread Steve Dainard
Would it not be possible for root to disable selinux enforcement? A user
could maybe even use a livecd if root couldn't be gained directly.

I'm looking at joining workstations to an idm realm, but some users will
need sudo permissions on their machines.

Is there any documentation on best practices here? Has there been any
further discussion on the best way to approach this problem?

Thanks,

Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/ | Rethink Traffic

Blog http://miovision.com/blog | LinkedIn
https://www.linkedin.com/company/miovision-technologies | Twitter
https://twitter.com/miovision | Facebook
https://www.facebook.com/miovision
--
 Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON,
Canada | N2C 1L3


On Fri, Nov 29, 2013 at 9:41 AM, Martin Kosek mko...@redhat.com wrote:

 On 11/29/2013 03:17 PM, Jakub Hrozek wrote:
  On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
  Jakub,
 
  Yes, I could do this. But then the local root account cannot su to local
  users (without password). But that is actually a normal use-case. I just
  think local root should not be allowed to transition to a domain user,
 by
  default.
 
  Fred
 
  Ah, in that case I'm not sure if there's an easy solution, at least I
  don't know any off hand. I think Alexander is right that SELinux would
  be a good choice.

 Right. Root could uncomment the pam_rootok.so line anyway if he wanted to
 access other user's account again.

 Martin

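The su behaviour discussed in this thread comes from the pam_rootok.so line in the su PAM stack: with a `sufficient` control it lets uid 0 pass the auth phase without authenticating as the target user, local or domain. The following Python check is an added example, not code from the thread or from FreeIPA/SSSD: it parses a PAM stack and reports whether an active auth line grants that root shortcut; both configuration fragments are constructed for the example rather than copied from any distribution. As Martin points out above, this only audits the file on disk, since a local root can always put the line back.

```python
import re

# Constructed /etc/pam.d/su fragments (not copied from any distribution).
SU_DEFAULT = """\
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            include         system-auth
account         include         system-auth
session         include         system-auth
"""

SU_HARDENED = """\
#%PAM-1.0
# pam_rootok.so disabled: root must also authenticate as the target user
#auth           sufficient      pam_rootok.so
auth            include         system-auth
account         include         system-auth
session         include         system-auth
"""

# type, control (a word or a [bracketed] action list), module, optional args
PAM_LINE_RE = re.compile(
    r"^(?P<type>-?[a-z]+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")


def parse_pam_stack(text):
    """Return (type, control, module, args) for every active line; comments,
    blank lines and the #%PAM-1.0 header are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE_RE.match(line)
        if m:
            entries.append((m.group("type").lstrip("-"), m.group("control"),
                            m.group("module"), m.group("args").strip()))
    return entries


def _control_short_circuits(control):
    # 'sufficient' ends the auth phase on success; so does success=done in the
    # bracketed form. Other controls still run the remaining modules.
    if control == "sufficient":
        return True
    return control.startswith("[") and "success=done" in control


def root_su_without_password(text):
    """True when an active auth line loads pam_rootok.so with a control that
    ends the stack on success, i.e. uid 0 is never asked for a password."""
    for ptype, control, module, _args in parse_pam_stack(text):
        if ptype == "auth" and module == "pam_rootok.so" and _control_short_circuits(control):
            return True
    return False


if __name__ == "__main__":
    for name, cfg in (("default", SU_DEFAULT), ("hardened", SU_HARDENED)):
        print(f"{name}: root su without password = {root_su_without_password(cfg)}")
```

Pointing the check at the real /etc/pam.d/su (and su-l where present) gives a quick answer to the question raised in the thread for a fleet of joined workstations; it says nothing about what root could do with the file afterwards, which is why the thread steers the conversation toward SELinux confinement instead.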

Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-26 Thread Dmitri Pal

On 02/26/2014 07:25 AM, Bret Wortman wrote:

# script /tmp/out-script
Script started, file is /tmp/out-script
# ipa help
Script done, file is /tmp/out-script
# cat /tmp/out-script

Script started on Wed 26 Feb 2014 07:18:07 AM EST
# ipa help

Script done on Wed 26 Feb 2014 07:18:14 AM EST
#

So then I tried it using script's -c option to see if that would 
make a difference, kind of like strace did:


# script -c 'ipa help' /tmp/out-script2
Script started, file is /tmp/out-script2
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
:
:
See ipa COMMAND --help for more information on a specific command.
Script done, file is /tmp/out-script2
# cat /tmp/out-script2
Script started on Wed 26 Feb 2014 07:20:27 AM EST
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
:
:


These colons...
Where do they come from? Can it be that something here is interpreted in a 
strange way?
Can it be some kind of weird newline conversion in the output that causes 
the shell to go south?

Any strange settings in ENV defining terminal settings?

Can you do any python based output?


See ipa COMMAND --help for more information on a specific command.

Script done on Wed 26 Feb 2014 07:20:28 AM EST
#


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



