Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-08-22 Thread Lachlan Musicman
On 18 July 2016 at 18:26, Jakub Hrozek  wrote:

> On Mon, Jul 18, 2016 at 09:33:35AM +1000, Lachlan Musicman wrote:
> > Ok, I've just spoken with my colleague that has been involved in the IPA
> > roll out, and he said he thought that override_space wasn't compatible
> > with ID overrides?
>
> I haven't tested that to be honest. But just using my knowledge of the
> code as a basis, I would say the two should be compatible, especially
> with 1.14.0 where we decoupled the output from how we store users. But
> again, I haven't tested any of this.
>
> >
> > Either way, since we have a working system we are reticent to make too
> > many changes - soon we will have a test system in place and I will be
> > able to check it then?
>
> selinux_provider=none should be an easy workaround if you don't use the
> SELinux labels. I still have an item on my todo list to test this
> locally, I think I will get to that this week.
>


For what it's worth, we implemented the override_space=_ option.

This has failed, of course, because we had a user with an _ in their
username, and sssd went looking for test user instead of test_user, which
caused all kinds of issues.

We have gone back to selinux_provider=none

L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-18 Thread Jakub Hrozek
On Mon, Jul 18, 2016 at 09:33:35AM +1000, Lachlan Musicman wrote:
> Ok, I've just spoken with my colleague that has been involved in the IPA
> roll out, and he said he thought that override_space wasn't compatible with
> ID overrides?

I haven't tested that to be honest. But just using my knowledge of the
code as a basis, I would say the two should be compatible, especially
with 1.14.0 where we decoupled the output from how we store users. But
again, I haven't tested any of this.

> 
> Either way, since we have a working system we are reticent to make too many
> changes - soon we will have a test system in place and I will be able to
> check it then?

selinux_provider=none should be an easy workaround if you don't use the
SELinux labels. I still have an item on my todo list to test this
locally, I think I will get to that this week.



Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-17 Thread Lachlan Musicman
Ok, I've just spoken with my colleague that has been involved in the IPA
roll out, and he said he thought that override_space wasn't compatible with
ID overrides?

Either way, since we have a working system we are reticent to make too many
changes - soon we will have a test system in place and I will be able to
check it then?

Cheers
L.



--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 15 July 2016 at 20:17, Lachlan Musicman  wrote:

> Won't be able to check until Monday morning (Australia's weekend has
> started) but can check, yes.
>
> And the reason I reported to you is because you will have more weight with
> selinux bug tickets than I would.
>
> cheers
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
> On 15 July 2016 at 18:05, Jakub Hrozek  wrote:
>
>> On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
>> > On (15/07/16 12:56), Lachlan Musicman wrote:
>> > >This line:
>> > >
>> > >We have SELinux disabled on all of our servers, but we hadn't disabled
>> > >this check in sssd.conf. So we enabled it in sssd.conf and everything
>> > >worked fine.
>> > >
>> > >Should read that we *disabled* selinux.
>> > >
>> > >selinux_provider = none
>> > Could you also try another solution?
>> > put "override_space = _" into "sssd" section in sssd.conf
>> > and restart sssd.
>> >
>> > As a result of this space will be replaced with underscore
>> > and libsemanage should not complain.
>> >
>> > @see man sssd.conf -> override_space
>>
>> This is either a bug in semanage, we should file one and ask the
>> semanage developers if there is a proper way to quote the spaces.
>>
>> But yes, selinux_provider=none would disable this area of code.
>>
>
>

Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-15 Thread Lachlan Musicman
Won't be able to check until Monday morning (Australia's weekend has
started) but can check, yes.

And the reason I reported to you is because you will have more weight with
selinux bug tickets than I would.

cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 15 July 2016 at 18:05, Jakub Hrozek  wrote:

> On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
> > On (15/07/16 12:56), Lachlan Musicman wrote:
> > >This line:
> > >
> > >We have SELinux disabled on all of our servers, but we hadn't disabled
> > >this check in sssd.conf. So we enabled it in sssd.conf and everything
> > >worked fine.
> > >
> > >Should read that we *disabled* selinux.
> > >
> > >selinux_provider = none
> > Could you also try another solution?
> > put "override_space = _" into "sssd" section in sssd.conf
> > and restart sssd.
> >
> > As a result of this space will be replaced with underscore
> > and libsemanage should not complain.
> >
> > @see man sssd.conf -> override_space
>
> This is either a bug in semanage, we should file one and ask the
> semanage developers if there is a proper way to quote the spaces.
>
> But yes, selinux_provider=none would disable this area of code.
>

Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-15 Thread Lukas Slebodnik
On (15/07/16 12:56), Lachlan Musicman wrote:
>This line:
>
>We have SELinux disabled on all of our servers, but we hadn't disabled this
>check in sssd.conf. So we enabled it in sssd.conf and everything worked
>fine.
>
>Should read that we *disabled* selinux.
>
>selinux_provider = none
Could you also try another solution?
put "override_space = _" into "sssd" section in sssd.conf
and restart sssd.

As a result of this, the space will be replaced with an underscore
and libsemanage should not complain.

@see man sssd.conf -> override_space

LS

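An added illustration, not code from SSSD or libsemanage, of the two points made in this thread: a seusers record whose login contains a space fails to parse the way the quoted selinux_child.log shows, and override_space makes any existing name that already contains the replacement character ambiguous, which is the failure reported later in the thread with a user whose name held an underscore. The record lines and user names are constructed, and the parser only mimics the error visible in the log rather than reproducing libsemanage's real reader.

```python
import re

# Constructed seusers-style records (login:seuser:mls_range); the third
# login carries a space, like the AD-sourced names in the thread's log.
SEUSERS_SAMPLE = [
    "system_u:system_u:s0-s0:c0.c1023",
    "root:unconfined_u:s0-s0:c0.c1023",
    "ellul jane@example.org:unconfined_u:s0-s0:c0.c1023",
]


def parse_seusers_record(line):
    """Split one login:seuser:mls_range record the way the log suggests
    libsemanage reads it: the login ends at whitespace or ':', whitespace
    is skipped, and the next character must be ':'. Approximation only."""
    m = re.match(r"([^\s:]*)\s*", line)
    login, pos = m.group(1), m.end()
    found = line[pos] if pos < len(line) else "EOF"
    if found != ":":
        # Same wording as the selinux_child.log lines in the thread.
        raise ValueError(f"expected character ':', but found '{found}'")
    seuser, _, mls_range = line[pos + 1:].partition(":")
    return login, seuser, mls_range


def display_name(name, override_space):
    """Output side of override_space: every space is shown as the
    replacement character, so "ellul jane" becomes "ellul_jane"."""
    return name.replace(" ", override_space)


def lookup_name(typed, override_space):
    """Input side: the replacement character is turned back into a space
    before the directory is searched, so "test_user" is looked up as
    "test user" (the behaviour reported in the thread)."""
    return typed.replace(override_space, " ")


def ambiguous_names(existing_names, override_space):
    """Pre-flight check before enabling override_space: names that already
    contain the replacement character can no longer be resolved as
    themselves once the option is on."""
    return [n for n in existing_names if override_space in n]


if __name__ == "__main__":
    for rec in SEUSERS_SAMPLE:
        try:
            print(parse_seusers_record(rec))
        except ValueError as err:
            print(f"{rec!r}: {err}")
            print(parse_seusers_record(display_name(rec, "_")))
    print(ambiguous_names(["ellul jane", "test_user", "root"], "_"))
```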


Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-14 Thread Lachlan Musicman
This line:

We have SELinux disabled on all of our servers, but we hadn't disabled this
check in sssd.conf. So we enabled it in sssd.conf and everything worked
fine.

Should read that we *disabled* selinux.

selinux_provider = none

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 15 July 2016 at 11:27, Lachlan Musicman  wrote:

> Hey,
>
> While hunting this sssd/hbac/AD user problem, I noticed in the
> selinux_child.log a lot of errors that look like this:
>
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [get_seuser]
> (0x0020): Cannot query for galaxy
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/tmp//seusers.final: 10):
> ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [set_seuser]
> (0x0020): Cannot verify the SELinux user
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [main] (0x0020):
> Cannot set SELinux login context.
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [main] (0x0020):
> selinux_child failed!
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [main] (0x0400):
> selinux_child started.
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [main] (0x0400):
> context initialized
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [main] (0x0400):
> performing selinux operations
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/active//seusers.final: 10):
> ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [get_seuser]
> (0x0020): Cannot query for simpsonlach...@petermac.org.au
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/tmp//seusers.final: 10):
> ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [set_seuser]
> (0x0020): Cannot verify the SELinux user
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [main] (0x0020):
> Cannot set SELinux login context.
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [main] (0x0020):
> selinux_child failed!
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [main] (0x0400):
> selinux_child started.
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [main] (0x0400):
> context initialized
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [main] (0x0400):
> performing selinux operations
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/active//seusers.final: 10):
> ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [get_seuser]
> (0x0020): Cannot query for madhamshettiwar p...@petermac.org.au
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [libsemanage]
> (0x0020): expected