how to reconfigure gnome from scratch

2020-04-13 Thread Jon LaBadie
I've been using mate as my DM on Fedora for years.
For about the same number of years I've been unable to
login to a gnome session.  I've got no need except
curiosity.  But every time I select gnome (Xorg,
classic, Wayland, ...) the screen blanks and I
get a full screen literally saying "Opps,
something went wrong".

I can create a new user and login to a gnome
session, so the software is there and functional.
I'm assuming it is something in my configuration
files.  But I've been unable to delete the correct
combination of .dirs and files.

The situation has persisted from about F23 or F24
through F31.  Across 2 new computers where I copied
my home directory to the new systems.

What must I delete to make my user look like a first
time gnome user?

Thanks, stay well,
Jon
-- 
Jon H. LaBadie  jo...@jgcomp.com
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org


Re: device names

2020-04-13 Thread Tim via users
On Tue, 2020-04-14 at 00:26 +0200, Tom H wrote:
> The improvement's when you have a multiple NICs and swap one out. You
> no longer have to edit "/etc/udev/rules.d/.rules" in order
> to have the swapped-in NIC keep the name of the swapped-out NIC.

My understanding of how the device names were generated was that if you
didn't replace a NIC with an identical model, in the exact same spot,
you could well end up with a different device name.

There was an order of how to name things, starting at the top, going
down the list if that scheme wasn't do-able:

Firmware or BIOS can form the device name.

Board location can form the name (derived from things like PCI slot 2).

Number of connectors on the board can be used in forming the name
(adding more details to the above naming scheme).

Heck knows what mine's derived from (enp0s31f6 is the motherboard's own
built in ethernet), and I can never remember that.
 
-- 
 
uname -rsvp
Linux 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
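
The name mentioned in the message above can be decoded mechanically. The following is an added example, not part of the original post: it splits the plain forms of a predictable interface name (onboard index, hotplug slot, PCI path, MAC) into their fields and, for PCI paths, prints the matching lspci address. It goes beyond the single name in the post by also handling `eno`, `ens`, `enx` and `wl`/`ww` names. The function names are hypothetical, and suffixes such as USB ports or PCI domains are reported as unparsed.

```shell
#!/bin/sh
# Added example: decode the plain forms of systemd predictable interface names.
# Bus, slot and function are decimal in the name; lspci shows them in hex.

is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

decode_ifname() {
    name=$1
    case "$name" in
        en*) kind=ethernet ;;
        wl*) kind=wlan ;;
        ww*) kind=wwan ;;
        *)   printf 'not-predictable name=%s\n' "$name"; return 0 ;;
    esac
    rest=${name#??}                 # drop the two-letter type prefix
    case "$rest" in
        o*) # firmware/BIOS onboard index, e.g. eno1
            if is_number "${rest#o}"; then
                printf '%s onboard index=%s\n' "$kind" "${rest#o}"
                return 0
            fi ;;
        x*) # full MAC address, 12 lowercase hex digits, e.g. enx001122aabbcc
            mac=${rest#x}
            case "$mac" in
                *[!0-9a-f]*) ;;
                ????????????) printf '%s mac=%s\n' "$kind" "$mac"; return 0 ;;
            esac ;;
        s*) # hotplug slot number, e.g. ens3 or ens3f1
            slot=${rest#s}; func=0
            case "$slot" in
                *f*) func=${slot#*f}; slot=${slot%%f*} ;;
            esac
            if is_number "$slot" && is_number "$func"; then
                printf '%s hotplug-slot slot=%s function=%s\n' "$kind" "$slot" "$func"
                return 0
            fi ;;
        p*s*) # PCI path: p<bus>s<slot>[f<function>], e.g. enp0s31f6
            bus=${rest#p}; bus=${bus%%s*}
            slot=${rest#*s}; func=0
            case "$slot" in
                *f*) func=${slot#*f}; slot=${slot%%f*} ;;
            esac
            if is_number "$bus" && is_number "$slot" && is_number "$func"; then
                printf '%s pci bus=%s slot=%s function=%s lspci=%02x:%02x.%x\n' \
                    "$kind" "$bus" "$slot" "$func" "$bus" "$slot" "$func"
                return 0
            fi ;;
    esac
    printf '%s unparsed suffix=%s\n' "$kind" "$rest"
}

# Names taken from the thread, plus the kernel name for comparison.
for n in enp0s31f6 enp4s0 eth0; do
    decode_ifname "$n"
done
```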
 


Re: fedora website -- firewall config/setup

2020-04-13 Thread Samuel Sieb

On 4/13/20 2:28 PM, bruce wrote:
> For the firewall, I'm trying to find example/samples of what the 
> firewall cmds/services/ports should be to lock the system down. I've 
> seen different sites that say different things, so I figured I'd ask 
> here as well.


For a normal web server, you only have port 80 and 443.  I usually roll 
my own firewall scripts with fwbuilder because I have complicated setups 
with vlans and various applications.  But you should be good with 
firewalld.  Make sure it's turned on and there are standard commands for 
opening specific ports.  You can look it up or maybe someone else more 
familiar with it could explain.


> At the same time, given that I'm new to selinux, if you have 
> pointers/thoughts on how to set this up, I'm ready to "test"!! I don't 
> want to run a test server with selinux turned off.


Unless you have files in non-standard places or databases, etc, selinux 
should not bother you.
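
For the firewalld route mentioned in the reply above, an added example that is not part of the original post: it audits a zone listing for anything beyond ports 80 and 443 and builds the `firewall-cmd` calls that close the extras. The zone name `public`, the sample listing, the function names and the `FWCMD` and `KEEP_SSH` variables are assumptions of this example; the listing is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: reduce a firewalld zone to what a plain web server needs.
# FWCMD=echo prints the commands instead of running firewall-cmd (dry run).

# Constructed sample of `firewall-cmd --zone=public --list-all` output.
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the values of one field ("services" or "ports"), one per line.
# $1 = field name, $2 = --list-all text
zone_field() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" |
        tr -s ' ' '\n' | sed '/^$/d'
}

# List every opening other than http/https (services) and 80/443 (ports).
# ssh is reported too, so keeping it is a deliberate choice.
# $1 = --list-all text
unexpected_openings() {
    for svc in $(zone_field services "$1"); do
        case "$svc" in
            http|https) ;;
            *) printf 'service %s\n' "$svc" ;;
        esac
    done
    for port in $(zone_field ports "$1"); do
        case "$port" in
            80/tcp|443/tcp) ;;
            *) printf 'port %s\n' "$port" ;;
        esac
    done
}

# Remove the unexpected openings, allow http and https, then reload.
# ssh stays open unless KEEP_SSH=no, so a remote admin is not locked out.
# $1 = zone name, $2 = --list-all text for that zone
lock_down_web_zone() {
    fw=${FWCMD:-firewall-cmd}
    unexpected_openings "$2" | while read -r kind name; do
        if [ "$kind $name" = "service ssh" ] && [ "${KEEP_SSH:-yes}" = yes ]; then
            continue
        fi
        $fw --permanent --zone="$1" --remove-"$kind"="$name"
    done
    $fw --permanent --zone="$1" --add-service=http
    $fw --permanent --zone="$1" --add-service=https
    $fw --reload
}

# Dry run against the constructed listing.
unexpected_openings "$SAMPLE_ZONE"
FWCMD=echo lock_down_web_zone public "$SAMPLE_ZONE"
```

On a real host, pass the output of `firewall-cmd --zone=public --list-all` as the second argument and drop `FWCMD=echo` once the printed commands look right.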



Re: Desktop files in F31

2020-04-13 Thread Samuel Sieb

On 4/13/20 5:44 PM, Greg Woods wrote:
> On Mon, Apr 13, 2020 at 4:47 PM Samuel Sieb wrote
>
>> .desktop files are not really supported any more as things to see or
>> click on.
>
> I guess I didn't realize that, since there is still an installable 
> extension for turning them on and off.

Which extension is that?

>> They are intended to be started through the Gnome interface.
>> Put them in "~/.local/share/applications" and they will show up in the
>> overview with everything else.
>
> Thanks for that piece of information. That mostly works. It took me a 
> few minutes to find them under Applications -> Other, but they are there 
> and the icon images are there as well. It will take me a while to get 
> used to where they are located now, but I suppose I will eventually get 
> used to it.


I'm assuming you're using Gnome Shell, so from the overview you can type 
the name or possibly keywords of the app to select it.



Re: Desktop files in F31

2020-04-13 Thread Greg Woods
On Mon, Apr 13, 2020 at 4:47 PM Samuel Sieb  wrote

>
> .desktop files are not really supported any more as things to see or
> click on.


I guess I didn't realize that, since there is still an installable
extension for turning them on and off.


> They are intended to be started through the Gnome interface.
> Put them in "~/.local/share/applications" and they will show up in the
> overview with everything else.
>

Thanks for that piece of information. That mostly works. It took me a few
minutes to find them under Applications -> Other, but they are there and
the icon images are there as well. It will take me a while to get used to
where they are located now, but I suppose I will eventually get used to it.



> > 2) When I double click one, the Exec=command is executed, but it also
> > opens a full-screen window that I figured out is "gnome-games".
>
> I hadn't heard of that application before, but that's where the problem is.
> $ xdg-mime query default application/x-desktop
> org.gnome.Games.desktop
>
> If you look in /usr/share/applications/org.gnome.Games.desktop, you can
> see it claims that mimetype.  That does seem like a bad idea.
>

I probably should have thought of just uninstalling it. I am getting older
and I am slipping.

Oddly enough, after having been away from the computer for a couple of
hours, when I got back the desktop icons had disappeared again. Even before
I removed gnome-games and without my having done anything in the meantime.
I wonder if they will reappear again the next time I reboot or log out. OK,
so I restarted gnome-shell, and now they have appeared on the secondary
monitor.

In any event, if that really isn't supported any more, I'll just remove
them from ~/Desktop and get used to finding them in the Applications menu.

Thanks,
--Greg


Re: device names

2020-04-13 Thread Joe Zeff

On 04/13/2020 04:43 PM, Tom Horsley wrote:

> Right, but they should have special cased a single NIC system
> and just left the name eth0, would have avoided vast amounts
> of trouble for people with common desktops that only have
> a single NIC.


+1 Informative


[389-users] Re: New Instance errors

2020-04-13 Thread William Brown


> On 11 Apr 2020, at 07:47, Nick Bright  wrote:
> 
> Greetings,
> 
> I've performed a fresh CentOS 8 installation within VMWare, updated the OS 
> fully, installed 389-ds through yum by: yum module install 
> 389-directory-server:stable/default
> 
> This installed the server, along with the cockpit module. I then used the 
> cockpit module to create an instance. No matter what, every time, it reports 
> "Failed to create instance", but if I refresh the page, the instance is 
> visible in the drop down along with error "This server instance is running, 
> but we can not connect to it. Check LDAPI is properly configured on this 
> instance."
> 
> Then I did some research on the LDAPI error, I tried a number of methods from 
> those search results to enable LDAPI, but all failed with various errors; all 
> essentially being "authentication failed".
> 
> I tried again by removing all instances and starting over from the command 
> line, using "dscreate interactive" to create an instance. This also failed 
> with "Not authorized".
> 
> Surely I am doing something wrong; I can't imagine that the software is just 
> simply broken right out of the package on a fresh installation.
> 
> Any tips or specific documentation links appreciated.

If you are on the system, can you check /etc/dirsrv/slapd-/dse.ldif for the parameter 'nsslapd-ldapifilepath' and see if that is set 
correctly? As well, as mark said, can you provide the package versions? 



> 
> -- 
> ---
>   
> NICK BRIGHT - VICE PRESIDENT OF TECHNOLOGY
>  
> P: 888.332.1616   W: valnet.net   F: Facebook
> 

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


[389-users] Re: DNA plugin not working

2020-04-13 Thread William Brown
Could it be that the server hasn't allocated a DNA range from the DNA master? 

> On 14 Apr 2020, at 05:51, CHAMBERLAIN James  wrote:
> 
> Hi Mark,
> 
> The test user I’m trying to add looks like this:
> 
> dn: uid=testuser1,ou=People,dc=example,dc=com
> uid: testuser1
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> sn: Chamberlain
> gidNumber: 1000
> gecos: James Chamberlain
> cn: James Chamberlain
> homeDirectory: /home/testuser1
> givenName: James
> loginShell: /bin/bash
> 
> I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging.
> 
> Here’s the clip from the failed add:
> 
> [13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory 
> Manager" method=128 version=3
> [13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 
> nentries=0 etime=0.152598 dn="cn=Directory Manager"
> [13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD 
> dn="uid=testuser1,ou=People,dc=example,dc=com"
> [13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND
> [13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1
> [13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 
> nentries=0 etime=0.0031312230
> 
> Best regards,
> 
> James Chamberlain
> 
> 
>> On Apr 13, 2020, at 2:53 PM, Mark Reynolds  wrote:
>> 
>> Okay, so logging in DNA stinks in this scenario.  It does a lot of internal 
>> searches and if one of them "fails" you get an operations error.  So we need 
>> to enable other logging...
>> 
>> First what does the entry look like that you are trying to add?
>> 
>> Second, run this ldapmodify
>> 
>> ldapmodify -D "cn=directory manager" -W
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-accesslog-level
>> nsslapd-accesslog-level: 260   (default level 256 plus 4 for internal 
>> operations)
>> -
>> replace: nsslapd-plugin-logging
>> nsslapd-plugin-logging: on
>> 
>> 
>> Then add another user, wait 30 seconds for the access log to buffer, and 
>> then provide the access log clip from the failed add.
>> 
>> Thanks,
>> Mark
>> 
>> 
>> On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:
>>> Hi Mark,
>>> 
>>> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
>>> here’s what I’ve got.
>>> 
>>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - 
>>> _dna_pre_op_add - dn does not match filter
>>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - 
>>> _dna_pre_op_add - adding uidNumber to 
>>> uid=testuser1,ou=People,dc=example,dc=com as -2
>>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - 
>>> _dna_pre_op_add - retrieved value 0 ret 1
>>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add 
>>> - Failed to allocate a new ID!! 2
>>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
>>> Operation failure [1]
>>> 
>>> And here’s the DNA config:
>>> 
>>> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
>>> Plugin,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: UID numbers
>>> dnaType: uidNumber
>>> dnamaxvalue: 10
>>> dnamagicregen: 0
>>> dnafilter: (objectclass=posixAccount)
>>> dnascope: dc=example,dc=com
>>> dnanextvalue: 25000
>>> 
>>> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
>>> Plugin,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: GID numbers
>>> dnaType: gidNumber
>>> dnamaxvalue: 10
>>> dnamagicregen: 0
>>> dnafilter: (objectclass=posixGroup)
>>> dnascope: dc=example,dc=com
>>> dnanextvalue: 25000
>>> 
>>> Best regards,
>>> 
>>> James
>>> 
>>> 
>>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds wrote:
>>>>
>>>> Enabling plugin logging will provide a little more detail about what is 
>>>> going wrong:
>>>>
>>>> ldapmodify -D "cn=directory manager" -W
>>>> dn: cn=config
>>>> changetype: modify
>>>> replace: nsslapd-errorlog-level
>>>> nsslapd-errorlog-level: 65536
>>>>
>>>>
>>>> After running the test you can disable the debug plugin logging by setting 
>>>> the log level to zero.
>>>>
>>>> Then share what information is logging when you add a new user.   This is 
>>>> most likely a configuration error so hopefully we can find out what went 
>>>> wrong in your set up.  Can you also provide the DNA config entries?
>>>>
>>>> Thanks,
>>>>
>>>> Mark
>>>>
>>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>>>>> Hi all,
>>>>>
>>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
>>>>> Everything worked fine in testing, but now that it’s in production I’m 
>>>>> seeing the following error:
>>>>>
>>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>>>>>
>>>>> I’ve followed the advice in the knowledge base 
>>>>> (https://access.redhat.com/solutions/875133), about adding an equality 
>>>>> index with an nsMatchingRule of 

[389-users] Re: Issues with GSSAPI kerberos authentication - realm undefined?

2020-04-13 Thread William Brown


> On 14 Apr 2020, at 05:22, Kyle Brantley  wrote:
> 
> Log here, but it’s not really any more illuminating: 
> https://paste.centos.org/view/raw/ec0588a0
> And filtered down to just lines that contain ‘sasl’: 
> https://paste.centos.org/view/raw/ea345620
>  
> From what I can tell, the first time the SASL identity is shown in any form, 
> the realm is absent. Timestamp of my “ldapwhois” is 13:04:52. Timestamp of me 
> changing the logging back to 0 is 13:05:42.
>  
 
 - SASL mapping: 
 nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\) 
 nsSaslMapFilterTemplate: (cn=\1) 
 nsSaslMapBaseDNTemplate: ou=accounts,dc=app,dc=averageurl,dc=com 
 
 - Alternative SASL mapping that I'd prefer to use: 
 nsSaslMapRegexString: \(.*\)@AVERAGEURL\.COM 
 nsSaslMapFilterTemplate: (cn=\1) 
 nsSaslMapBaseDNTemplate: ou=accounts,dc=app,dc=averageurl,dc=com 
 

Hi there,

The SASL mappings that are provided by default make a lot of assumptions, and 
honestly, I don't really like them :) 

1: remove all sasl maps that exist under cn=mapping,cn=sasl,cn=config
2: Create your map as:

dn: cn=krb,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: krb
nsSaslMapRegexString: \(.*\)
nsSaslMapBaseDNTemplate: ou=account,dc=
nsSaslMapFilterTemplate: (uid=\1)


3: restart your instance
4: check if that works :) 


According to my notes, there is a bug in sasl where with gssapi/krb it doesn't 
pass the realm through correctly, so your map needs to omit it. 




—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
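
The effect of the three maps quoted in this message can be checked offline. The following is an added example, not part of the original message and not 389 Directory Server code: it emulates each map with `sed` basic regular expressions, which use the same `\(...\)` group syntax, and assumes the regex must match the whole SASL identity. The identity `jdoe`, the map labels `three-part` and `realm-pinned`, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: see which search filter each SASL map yields for an identity
# that arrives with or without its Kerberos realm.

# Label, nsSaslMapRegexString and nsSaslMapFilterTemplate, one map per line.
# Regexes and templates are copied from the thread; the first two labels are
# made up here, "krb" is the cn of the suggested map.
MAPS='three-part \(.*\)@\(.*\)\.\(.*\) (cn=\1)
realm-pinned \(.*\)@AVERAGEURL\.COM (cn=\1)
krb \(.*\) (uid=\1)'

# Print the filter one map produces, or nothing when the regex does not
# match the whole identity.
# $1 = regex, $2 = filter template, $3 = SASL identity
sasl_map_filter() {
    printf '%s\n' "$3" | sed -n "s/^$1\$/$2/p"
}

# Print "<label>: <filter>" or "<label>: no match" for every map.
# $1 = SASL identity
show_maps() {
    printf '%s\n' "$MAPS" | while read -r name regex template; do
        filter=$(sasl_map_filter "$regex" "$template" "$1")
        printf '%s: %s\n' "$name" "${filter:-no match}"
    done
}

echo "identity without realm:"
show_maps 'jdoe'
echo "identity with realm:"
show_maps 'jdoe@AVERAGEURL.COM'
```

With the realm missing, only the realm-free `krb` map produces a filter; if a realm is ever passed through, the same map puts it into the filter value (`uid=jdoe@AVERAGEURL.COM`), which is worth checking against how `uid` is stored.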


Re: Desktop files in F31

2020-04-13 Thread Samuel Sieb

On 4/13/20 10:00 AM, Greg Woods wrote:
> 2) When I double click one, the Exec=command is executed, but it also 
> opens a full-screen window that I figured out is "gnome-games".


I left out an important part of the last email.  Unless you're using 
that application, uninstalling it should resolve the issue.



Re: Desktop files in F31

2020-04-13 Thread Samuel Sieb

On 4/13/20 10:00 AM, Greg Woods wrote:
> The problem I have is with Desktop files (in ~/Desktop). First I didn't 
> see them at all, then found with some Googling that I needed to turn off 
> display of the Trash icon, which now allows me to see the Desktop files. 
> There are two issues:
>
> 1) The desktop icons are visible, but the Icons=file line in them seems 
> to be ignored.


.desktop files are not really supported any more as things to see or 
click on.  They are intended to be started through the Gnome interface. 
Put them in "~/.local/share/applications" and they will show up in the 
overview with everything else.


> 2) When I double click one, the Exec=command is executed, but it also 
> opens a full-screen window that I figured out is "gnome-games".


I hadn't heard of that application before, but that's where the problem is.
$ xdg-mime query default application/x-desktop
org.gnome.Games.desktop

If you look in /usr/share/applications/org.gnome.Games.desktop, you can 
see it claims that mimetype.  That does seem like a bad idea.



Re: device names

2020-04-13 Thread Tom Horsley
On Tue, 14 Apr 2020 00:26:28 +0200
Tom H wrote:

> The improvement's when you have a multiple NICs

Right, but they should have special cased a single NIC system
and just left the name eth0, would have avoided vast amounts
of trouble for people with common desktops that only have
a single NIC.


Re: device names

2020-04-13 Thread Tom H
On Sun, Apr 12, 2020 Tom Horsley  wrote:
> On Sun, 12 Apr 2020 Jack Craig wrote:


>> further reading of some RH portal docs, i decided my notion was an
>> unacceptable step backward in techs stream of forward progress.
>
> I consider the "improvement" a step backwards. Certainly for
> a desktop system with one and only one ethernet port. The
> immutable name for a single ethernet port should always
> be "eth0" :-).

The improvement's when you have a multiple NICs and swap one out. You
no longer have to edit "/etc/udev/rules.d/.rules" in order
to have the swapped-in NIC keep the name of the swapped-out NIC.


> (Especially since "immutable" names have changed several times
> with new kernels, switching to systemd in charge instead of
> biosdevname etc).

systemd over-promised in [1] when it claimed "Stable interface names
when kernels or drivers are updated/changed".

In [2], there's a more realistic "Newer versions of udev take more of
these attributes into account, improving (and thus possibly changing)
the names and addresses used for the same devices", assuming that this
is referring to a driver or firmware change.

[1] 
https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/

[2] 
https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html


fedora website -- firewall config/setup

2020-04-13 Thread bruce
Hi.

Forgive me! I'm setting up a test webserver/system, and I'm trying to make
sure I get the firewall stuff setup correctly. Actually, I'm trying to make
sure the firewall/selinux is all setup correctly.

For the firewall, I'm trying to find example/samples of what the firewall
cmds/services/ports should be to lock the system down. I've seen different
sites that say different things, so I figured I'd ask here as well.

So, if you have an example config/cmd display I can check out, that would
be cool.

At the same time, given that I'm new to selinux, if you have
pointers/thoughts on how to set this up, I'm ready to "test"!! I don't want
to run a test server with selinux turned off.

If you also have websites that I should check, let me know. I may very well
have missed the exact information I'm searching for.

Thanks!


Re: device names

2020-04-13 Thread Tom H
On Sun, Apr 12, 2020 Roberto Ragusa  wrote:
> On 2020-04-10 20:53, Jack Craig wrote:


>> on F30, i would like to swap enp4s0 to eth0.
>>
>> outside the network ifcfg* files, any other place(file) to update?
>
> Having a proper ifcfg*, including the HWADDR MAC address used to be
> enough (but be sure you rebuild your initrd since renaming happens
> there).
>
> https://docs.fedoraproject.org/en-US/Fedora/25/html/Networking_Guide/sec-Understanding_the_Device_Renaming_Procedure.html
>
> Is that not working anymore?

AFAIK, you can't rename NICs via
"/etc/sysconfig/network-scripts/ifcfg-*" any longer. If you use nmcli,
you can set "NAME=name" to refer to "name" in the commands.

Using "net.ifnames=0" at the kernel cmdline is the simplest solution.

But there are other methods:

1) You can rename NICs, NOT_TO "ethX", via

/etc/udev/rules.d/*.rules

or

/etc/systemd/network/*.link

2) You can keep "ethX" via

/etc/systemd/network/99-default.link

in which you set

NamePolicy=kernel

instead of

NamePolicy=keep kernel database onboard slot path

as in

/usr/lib/systemd/network/99-default.link

3) You can keep "ethX" via an empty

/etc/udev/rules.d/80-net-setup-link.rules

but this file was called something else ("80-net-name-slot.rules"?)
previously, so...


> Messing with grub kernel options looks definitely overkill.

Why? It's just one file edit.


[389-users] Re: DNA plugin not working

2020-04-13 Thread CHAMBERLAIN James
Hi Mark,

The test user I’m trying to add looks like this:

dn: uid=testuser1,ou=People,dc=example,dc=com
uid: testuser1
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
sn: Chamberlain
gidNumber: 1000
gecos: James Chamberlain
cn: James Chamberlain
homeDirectory: /home/testuser1
givenName: James
loginShell: /bin/bash

I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging.

Here’s the clip from the failed add:

[13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory 
Manager" method=128 version=3
[13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 
nentries=0 etime=0.152598 dn="cn=Directory Manager"
[13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD 
dn="uid=testuser1,ou=People,dc=example,dc=com"
[13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND
[13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1
[13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 
nentries=0 etime=0.0031312230

Best regards,

James Chamberlain


> On Apr 13, 2020, at 2:53 PM, Mark Reynolds  wrote:
>
> Okay, so logging in DNA stinks in this scenario.  It does a lot of internal 
> searches and if one of them "fails" you get an operations error.  So we need 
> to enable other logging...
>
> First what does the entry look like that you are trying to add?
>
> Second, run this ldapmodify
>
> ldapmodify -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-accesslog-level
> nsslapd-accesslog-level: 260   (default level 256 plus 4 for internal 
> operations)
> -
> replace: nsslapd-plugin-logging
> nsslapd-plugin-logging: on
>
>
> Then add another user, wait 30 seconds for the access log to buffer, and then 
> provide the access log clip from the failed add.
>
> Thanks,
> Mark
>
>
> On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:
>> Hi Mark,
>>
>> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
>> here’s what I’ve got.
>>
>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - 
>> _dna_pre_op_add - dn does not match filter
>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - 
>> _dna_pre_op_add - adding uidNumber to 
>> uid=testuser1,ou=People,dc=example,dc=com as -2
>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - 
>> _dna_pre_op_add - retrieved value 0 ret 1
>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add 
>> - Failed to allocate a new ID!! 2
>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
>> Operation failure [1]
>>
>> And here’s the DNA config:
>>
>> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
>> Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: UID numbers
>> dnaType: uidNumber
>> dnamaxvalue: 10
>> dnamagicregen: 0
>> dnafilter: (objectclass=posixAccount)
>> dnascope: dc=example,dc=com
>> dnanextvalue: 25000
>>
>> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
>> Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: GID numbers
>> dnaType: gidNumber
>> dnamaxvalue: 10
>> dnamagicregen: 0
>> dnafilter: (objectclass=posixGroup)
>> dnascope: dc=example,dc=com
>> dnanextvalue: 25000
>>
>> Best regards,
>>
>> James
>>
>>
>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
>>>
>>> Enabling plugin logging will provide a little more detail about what is 
>>> going wrong:
>>>
>>> ldapmodify -D "cn=directory manager" -W
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-errorlog-level
>>> nsslapd-errorlog-level: 65536
>>>
>>>
>>> After running the test you can disable the debug plugin logging by setting 
>>> the log level to zero.
>>>
>>> Then share what information is logging when you add a new user.   This is 
>>> most likely a configuration error so hopefully we can find out what went 
>>> wrong in your set up.  Can you also provide the DNA config entries?
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>>>> Hi all,
>>>>
>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
>>>> Everything worked fine in testing, but now that it’s in production I’m 
>>>> seeing the following error:
>>>>
>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>>>>
>>>> I’ve followed the advice in the knowledge base 
>>>> (https://access.redhat.com/solutions/875133), about adding an equality 
>>>> index with an nsMatchingRule of integerOrderingMatch, but have not seen 
>>>> any difference in the server’s behavior.  Any ideas what I should try next?
>>>>
>>>> Thanks,
>>>>
>>>> James

[389-users] Re: DNA plugin not working

2020-04-13 Thread CHAMBERLAIN James
Hi Marc,

This is 389-ds-base-1.3.7.5-28.el7_5.x86_64.

# grep number,cn=index /etc/dirsrv/slapd-example/dse.ldif
dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

I double-checked that I’d set up an equality index, not just presence, and made 
sure that the index was generated.

# grep -i index /var/log/messages
Apr 13 13:31:44 example ns-slapd: [13/Apr/2020:13:31:44.909683777 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexing attribute: uidnumber
Apr 13 13:31:47 example ns-slapd: [13/Apr/2020:13:31:47.011917422 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 1000 entries (54%).
Apr 13 13:31:47 example ns-slapd: [13/Apr/2020:13:31:47.756062336 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 2000 entries (72%).
Apr 13 13:31:48 example ns-slapd: [13/Apr/2020:13:31:48.844133042 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 3000 entries (74%).
Apr 13 13:31:50 example ns-slapd: [13/Apr/2020:13:31:50.152982540 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 4000 entries (77%).
Apr 13 13:31:51 example ns-slapd: [13/Apr/2020:13:31:51.199900578 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 5000 entries (79%).
Apr 13 13:31:52 example ns-slapd: [13/Apr/2020:13:31:52.271669854 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 6000 entries (81%).
Apr 13 13:31:53 example ns-slapd: [13/Apr/2020:13:31:53.397852294 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 7000 entries (83%).
Apr 13 13:31:54 example ns-slapd: [13/Apr/2020:13:31:54.446263984 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 8000 entries (86%).
Apr 13 13:31:55 example ns-slapd: [13/Apr/2020:13:31:55.569704807 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 9000 entries (88%).
Apr 13 13:31:56 example ns-slapd: [13/Apr/2020:13:31:56.610690562 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 1 entries (90%).
Apr 13 13:31:57 example ns-slapd: [13/Apr/2020:13:31:57.642493349 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 11000 entries (92%).
Apr 13 13:31:58 example ns-slapd: [13/Apr/2020:13:31:58.807418354 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 12000 entries (95%).
Apr 13 13:31:59 example ns-slapd: [13/Apr/2020:13:31:59.487828428 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 13000 entries (97%).

Best regards,

James Chamberlain
SIMULIA Cloud Operations, Networking & Security


> On Apr 13, 2020, at 3:01 PM, Marc Sauton  wrote:
>
> verify there is an equality index for uidnumber and gidnumber, not just 
> presence, in the entries
> dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> which version of 389-ds-base is this about?
> Thanks,
> M.
>
> On Mon, Apr 13, 2020 at 11:42 AM CHAMBERLAIN James 
>  wrote:
> Hi Mark,
>
> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
> here’s what I’ve got.
>
> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add 
> - dn does not match filter
> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add 
> - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add 
> - retrieved value 0 ret 1
> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - 
> Failed to allocate a new ID!! 2
> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
> Operation failure [1]
>
> And here’s the DNA config:
>
> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: UID numbers
> dnaType: uidNumber
> dnamaxvalue: 10
> dnamagicregen: 0
> dnafilter: (objectclass=posixAccount)
> dnascope: dc=example,dc=com
> dnanextvalue: 25000
>
> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: GID numbers
> dnaType: gidNumber
> dnamaxvalue: 10
> dnamagicregen: 0
> dnafilter: (objectclass=posixGroup)
> dnascope: dc=example,dc=com
> dnanextvalue: 25000
>
> Best regards,
>
> James
>
>
> > On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
> >
> > Enabling plugin logging will provide a little more detail about what is 
> > going wrong:
> >
> > ldapmodify -D "cn=directory manager" -W
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-errorlog-level
> > nsslapd-errorlog-level: 65536
> >
> >
> > After running the test you can disable the debug plugin logging by setting 
> > the log level to zero.
> >
> > Then share what information is logging when you add a new user.   This is 
> > most likely a configuration error so hopefully we can find out what went 
> > 

[389-users] Re: Issues with GSSAPI kerberos authentication - realm undefined?

2020-04-13 Thread Kyle Brantley
Log here, but it’s not really any more illuminating: 
https://paste.centos.org/view/raw/ec0588a0

And filtered down to just lines that contain ‘sasl’: 
https://paste.centos.org/view/raw/ea345620

 

From what I can tell, the first time the SASL identity is shown in any form, 
the realm is absent. Timestamp of my “ldapwhois” is 13:04:52. Timestamp of me 
changing the logging back to 0 is 13:05:42.

 

Yes – the mapping succeeded – but that’s because I’ve removed the SASL mappings 
that check for the realm in specific.

 

(And sorry for the top-posting… I’m away from the computer where I sent my 
initial mail, I’ll respond in the future in a better format.)

 

Thanks,

--Kyle

 

From: Mark Reynolds  
Sent: Monday, April 13, 2020 12:59 PM
To: General discussion list for the 389 Directory server project. 
<389-users@lists.fedoraproject.org>; Kyle Brantley 
Subject: [389-users] Re: Issues with GSSAPI kerberos authentication - realm 
undefined?

 

 

On 4/13/20 2:46 PM, Kyle Brantley wrote:

Thanks, Mark. I can tell that it’s an internal troubleshooting doc – and that’s 
great, thank you!

 

However, I… I don’t believe that I have any issues with my kerberos setup. The 
authentication from a pure krb5 perspective is happening appropriately. The 
tickets are being issued and I see the logs on the KDC confirming as much.

 

We have the pre-auth event:

kdc.averageurl.com krb5kdc[2432](info): AS_REQ (1 etypes 
{aes128-cts-hmac-sha1-96(17)}) 2001:470:xx:dae4: NEEDED_PREAUTH: 
kylet...@averageurl.com for krbtgt/averageurl@averageurl.com, Additional 
pre-authentication required

 

The issuance of the krbtgt ticket:

kdc.averageurl.com krb5kdc[2432](info): AS_REQ (1 etypes 
{aes128-cts-hmac-sha1-96(17)}) 2001:470:xx:dae4: ISSUE: authtime 1586803255, 
etypes {rep=aes128-cts-hmac-sha1-96(17), tkt=aes256-cts-hmac-sha1-96(18), 
ses=aes128-cts-hmac-sha1-96(17)}, kylet...@averageurl.com for 
krbtgt/averageurl@averageurl.com

 

And finally, the ticket for ldap/ being issued as well:

kdc.averageurl.com krb5kdc[2433](info): TGS_REQ (1 etypes 
{aes128-cts-hmac-sha1-96(17))}) 2001:470:xx:dae4: ISSUE: authtime 1586803255, 
etypes {rep=aes128-cts-hmac-sha1-96(17), tkt=aes256-cts-hmac-sha1-96(18), 
ses=aes128-cts-hmac-sha1-96(17)}, kylet...@averageurl.com for 
ldap/ldaptest.averageurl@averageurl.com

 

 

The issue appears to be specific to what 389-ds is seeing as the realm:

 

DEBUG - ids_sasl_canon_user - (user=kyletest, realm=)

 

For reasons unknown to me, the realm isn’t being populated internally within 
389-ds when the SASL mapping is taking place, even though kerberos is working 
as it should be.

The realm gets set by the cyrus-sasl library, the DS code has no control over 
it.  

Did you enable trace function call logging from the troubleshooting section of 
that doc?

 

ldapmodify -D "cn=directory manager" -W 
dn: cn=config 
changetype: modify 
replace: nsslapd-errorlog-level 
nsslapd-errorlog-level: 1

 

But beware, this will dramatically slow the server down.  So enable it, run your 
test, and then set the nsslapd-errorlog-level to "0" when you are done.  Please 
share the error log output from this test.

Thanks,

Mark

 

(This is the type of thing that I suspect needs to go on the bug tracker – but 
given how relatively little I know about administration of 389-ds I definitely 
wanted to check here in detail before I went over there.)

 

Thanks,

--Kyle

 

From: Mark Reynolds
Sent: Monday, April 13, 2020 12:34 PM
To: General discussion list for the 389 Directory server project. 
<389-users@lists.fedoraproject.org>; Kyle Brantley
Subject: [389-users] Re: Issues with GSSAPI kerberos authentication - realm 
undefined?

 

 

On 4/13/20 2:30 PM, Mark Reynolds wrote:

Sorry not a kerberos expert but this is old doc I used to use to get it 
working.  I would double check your /etc/krb5.conf first though.

Here is that doc

 

I wanted to add that this document was for doing internal testing, so 
permission changes and password storage schemes changes should probably not be 
done in production.  The hope is that it will help figure out what is wrong in 
your setup...

Mark

===

SASL and DS
KDC Server


 - HOST.DOMAIN.COM is usually "localhost.localdomain" for internal testing. 
 Make sure the hostname is lowercase!

   [1]  ssh krbu...@internal.redhat.com   
(password redhat)
   [2]  sudo /usr/kerberos/sbin/kadmin.local -r EXAMPLE.COM
   [3]  addprinc -randkey ldap/host.domain@example.com 

[389-users] Re: Issues with GSSAPI kerberos authentication - realm undefined?

2020-04-13 Thread Kyle Brantley
Thanks, Mark. I can tell that it’s an internal troubleshooting doc – and that’s 
great, thank you!

 

However, I… I don’t believe that I have any issues with my kerberos setup. The 
authentication from a pure krb5 perspective is happening appropriately. The 
tickets are being issued and I see the logs on the KDC confirming as much.

 

We have the pre-auth event:

kdc.averageurl.com krb5kdc[2432](info): AS_REQ (1 etypes 
{aes128-cts-hmac-sha1-96(17)}) 2001:470:xx:dae4: NEEDED_PREAUTH: 
kylet...@averageurl.com for krbtgt/averageurl@averageurl.com, Additional 
pre-authentication required

 

The issuance of the krbtgt ticket:

kdc.averageurl.com krb5kdc[2432](info): AS_REQ (1 etypes 
{aes128-cts-hmac-sha1-96(17)}) 2001:470:xx:dae4: ISSUE: authtime 1586803255, 
etypes {rep=aes128-cts-hmac-sha1-96(17), tkt=aes256-cts-hmac-sha1-96(18), 
ses=aes128-cts-hmac-sha1-96(17)}, kylet...@averageurl.com for 
krbtgt/averageurl@averageurl.com

 

And finally, the ticket for ldap/ being issued as well:

kdc.averageurl.com krb5kdc[2433](info): TGS_REQ (1 etypes 
{aes128-cts-hmac-sha1-96(17))}) 2001:470:xx:dae4: ISSUE: authtime 1586803255, 
etypes {rep=aes128-cts-hmac-sha1-96(17), tkt=aes256-cts-hmac-sha1-96(18), 
ses=aes128-cts-hmac-sha1-96(17)}, kylet...@averageurl.com for 
ldap/ldaptest.averageurl@averageurl.com

 

 

The issue appears to be specific to what 389-ds is seeing as the realm:

 

DEBUG - ids_sasl_canon_user - (user=kyletest, realm=)

 

For reasons unknown to me, the realm isn’t being populated internally within 
389-ds when the SASL mapping is taking place, even though kerberos is working 
as it should be.

 

(This is the type of thing that I suspect needs to go on the bug tracker – but 
given how relatively little I know about administration of 389-ds I definitely 
wanted to check here in detail before I went over there.)

 

Thanks,

--Kyle

 

From: Mark Reynolds  
Sent: Monday, April 13, 2020 12:34 PM
To: General discussion list for the 389 Directory server project. 
<389-users@lists.fedoraproject.org>; Kyle Brantley 
Subject: [389-users] Re: Issues with GSSAPI kerberos authentication - realm 
undefined?

 

 

On 4/13/20 2:30 PM, Mark Reynolds wrote:

Sorry not a kerberos expert but this is old doc I used to use to get it 
working.  I would double check your /etc/krb5.conf first though.

Here is that doc

 

I wanted to add that this document was for doing internal testing, so 
permission changes and password storage schemes changes should probably not be 
done in production.  The hope is that it will help figure out what is wrong in 
your setup...

Mark

===

SASL and DS
KDC Server


 - HOST.DOMAIN.COM is usually "localhost.localdomain" for internal testing. 
 Make sure the hostname is lowercase!

   [1]  ssh krbu...@internal.redhat.com   
(password redhat)
   [2]  sudo /usr/kerberos/sbin/kadmin.local -r EXAMPLE.COM
   [3]  addprinc -randkey ldap/host.domain@example.com 
 
   [4]  ktadd -k /opt/ldap.HOST.DOMAIN.COM.keytab 
ldap/host.domain@example.com  
   [5]  addprinc sasltest  -> use redhat as password
   [6]  ktadd -k /opt/sasltest.keytab saslt...@example.com 
 
   [7]  addprinc t001  --> use redhat as password
   [8]  ktadd -k /opt/ldap.t001.keytab t...@example.com 
 
   [9]  exit
   [10] sudo chmod 777 /opt/ldap.HOST.DOMAIN.COM.keytab
   [11] sudo chmod 777 /opt/ldap.t001.keytab
   [12] sudo chmod 777 /opt/sasltest.keytab



DS Server


   - Get the keytabs

   [1]  cd /etc/dirsrv
   [2]  wget ftp://internal.redhat.com/opt/ldap.HOST.DOMAIN.COM.keytab
   [3]  wget ftp://internal.redhat.com/opt/sasltest.keytab
   [4]  wget ftp://internal.redhat.com/opt/ldap.t001.keytab
 
   - Edit /etc/krb5.conf, make sure these settings are included

[libdefaults]

  default_realm = EXAMPLE.COM
  # 'yes' is accepted as well as 'true'
  allow_weak_crypto = true

[realms]

EXAMPLE.COM = {
  kdc = internal.redhat.com:88
  admin_server = internal.redhat.com:749
  default_domain = example.com
}

[domain_realm]
 .redhat.com = EXAMPLE.COM
 redhat.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

  - Edit /etc/sysconfig/dirsrv-INSTANCE

   Add these two lines to

 KRB5_CONFIG=/etc/krb5.conf
 KRB5_KTNAME=/etc/dirsrv/ldap.HOST.DOMAIN.COM.keytab

  - Edit the dse.ldif/ldapmodify.  This assumes there is a backend:  
dc=example,dc=com
 
dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: dc=example,dc=com

dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: dc=example,dc=com

dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
changetype: 

[389-users] Re: DNA plugin not working

2020-04-13 Thread Marc Sauton
verify there is an equality index for uidnumber and gidnumber, not just
presence, in the entries
dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
which version of 389-ds-base is this about?
Thanks,
M.

On Mon, Apr 13, 2020 at 11:42 AM CHAMBERLAIN James <
james.chamberl...@3ds.com> wrote:

> Hi Mark,
>
> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level,
> here’s what I’ve got.
>
> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin -
> _dna_pre_op_add - dn does not match filter
> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin -
> _dna_pre_op_add - adding uidNumber to
> uid=testuser1,ou=People,dc=example,dc=com as -2
> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin -
> _dna_pre_op_add - retrieved value 0 ret 1
> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin -
> _dna_pre_op_add - Failed to allocate a new ID!! 2
> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op -
> Operation failure [1]
>
> And here’s the DNA config:
>
> dn: cn=UID numbers,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: UID numbers
> dnaType: uidNumber
> dnamaxvalue: 10
> dnamagicregen: 0
> dnafilter: (objectclass=posixAccount)
> dnascope: dc=example,dc=com
> dnanextvalue: 25000
>
> dn: cn=GID numbers,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: GID numbers
> dnaType: gidNumber
> dnamaxvalue: 10
> dnamagicregen: 0
> dnafilter: (objectclass=posixGroup)
> dnascope: dc=example,dc=com
> dnanextvalue: 25000
>
> Best regards,
>
> James
>
>
> > On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
> >
> > Enabling plugin logging will provide a little more detail about what is
> going wrong:
> >
> > ldapmodify -D "cn=directory manager" -W
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-errorlog-level
> > nsslapd-errorlog-level: 65536
> >
> >
> > After running the test you can disable the debug plugin logging by
> setting the log level to zero.
> >
> > Then share what information is logging when you add a new user.   This
> is most likely a configuration error so hopefully we can find out what went
> wrong in your set up.  Can you also provide the DNA config entries?
> >
> > Thanks,
> >
> > Mark
> >
> > On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
> >> Hi all,
> >>
> >> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.
> Everything worked fine in testing, but now that it’s in production I’m
> seeing the following error:
> >>
> >> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
> >>
> >> I’ve followed the advice in the knowledge base (
> https://access.redhat.com/solutions/875133), about adding an equality
> index with an nsMatchingRule of integerOrderingMatch, but have not seen any
> difference in the server’s behavior.  Any ideas what I should try next?
> >>
> >> Thanks,
> >>
> >> James
> > --
> >
> > 389 Directory Server Development Team
> >
>

[389-users] Re: Issues with GSSAPI kerberos authentication - realm undefined?

2020-04-13 Thread Mark Reynolds


On 4/13/20 2:46 PM, Kyle Brantley wrote:


Thanks, Mark. I can tell that it’s an internal troubleshooting doc – 
and that’s great, thank you!


However, I… I don’t believe that I have any issues with my kerberos 
setup. The authentication from a pure krb5 perspective is happening 
appropriately. The tickets are being issued and I see the logs on the 
KDC confirming as much.


We have the pre-auth event:

kdc.averageurl.com krb5kdc[2432](info): AS_REQ (1 etypes 
{aes128-cts-hmac-sha1-96(17)}) 2001:470:xx:dae4: NEEDED_PREAUTH: 
kylet...@averageurl.com for krbtgt/averageurl@averageurl.com, 
Additional pre-authentication required


The issuance of the krbtgt ticket:

kdc.averageurl.com krb5kdc[2432](info): AS_REQ (1 etypes 
{aes128-cts-hmac-sha1-96(17)}) 2001:470:xx:dae4: ISSUE: authtime 
1586803255, etypes {rep=aes128-cts-hmac-sha1-96(17), 
tkt=aes256-cts-hmac-sha1-96(18), ses=aes128-cts-hmac-sha1-96(17)}, 
kylet...@averageurl.com for krbtgt/averageurl@averageurl.com


And finally, the ticket for ldap/ being issued as well:

kdc.averageurl.com krb5kdc[2433](info): TGS_REQ (1 etypes 
{aes128-cts-hmac-sha1-96(17))}) 2001:470:xx:dae4: ISSUE: authtime 
1586803255, etypes {rep=aes128-cts-hmac-sha1-96(17), 
tkt=aes256-cts-hmac-sha1-96(18), ses=aes128-cts-hmac-sha1-96(17)}, 
kylet...@averageurl.com for ldap/ldaptest.averageurl@averageurl.com


The issue appears to be specific to what 389-ds is seeing as the realm:

DEBUG - ids_sasl_canon_user - (user=kyletest, realm=)

For reasons unknown to me, the realm isn’t being populated internally 
within 389-ds when the SASL mapping is taking place, even though 
kerberos is working as it should be.


The realm gets set by the cyrus-sasl library, the DS code has no control 
over it.


Did you enable trace function call logging from the troubleshooting 
section of that doc?



ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 1


But beware, this will dramatically slow the server down.  So enable it, 
run your test, and then set the nsslapd-errorlog-level to "0" when you 
are done.  Please share the error log output from this test.


Thanks,

Mark

(This is the type of thing that I suspect needs to go on the bug 
tracker – but given how relatively little I know about administration 
of 389-ds I definitely wanted to check here in detail before I went 
over there.)


Thanks,

--Kyle

*From:* Mark Reynolds 
*Sent:* Monday, April 13, 2020 12:34 PM
*To:* General discussion list for the 389 Directory server project. 
<389-users@lists.fedoraproject.org>; Kyle Brantley 
*Subject:* [389-users] Re: Issues with GSSAPI kerberos authentication 
- realm undefined?


On 4/13/20 2:30 PM, Mark Reynolds wrote:

Sorry not a kerberos expert but this is old doc I used to use to
get it working.  I would double check your /etc/krb5.conf first
though.

Here is that doc

I wanted to add that this document was for doing internal testing, so 
permission changes and password storage schemes changes should 
probably not be done in production.  The hope is that it will help 
figure out what is wrong in your setup...


Mark

===

SASL and DS
KDC Server


 - HOST.DOMAIN.COM is usually "localhost.localdomain" for
internal testing.  Make sure the hostname is lowercase!

   [1]  ssh krbu...@internal.redhat.com
 (password redhat)
   [2]  sudo /usr/kerberos/sbin/kadmin.local -r EXAMPLE.COM
   [3]  addprinc -randkey ldap/host.domain@example.com

   [4]  ktadd -k /opt/ldap.HOST.DOMAIN.COM.keytab
ldap/host.domain@example.com

   [5]  addprinc sasltest  -> use redhat as password
   [6]  ktadd -k /opt/sasltest.keytab saslt...@example.com

   [7]  addprinc t001  --> use redhat as password
   [8]  ktadd -k /opt/ldap.t001.keytab t...@example.com

   [9]  exit
   [10] sudo chmod 777 /opt/ldap.HOST.DOMAIN.COM.keytab
   [11] sudo chmod 777 /opt/ldap.t001.keytab
   [12] sudo chmod 777 /opt/sasltest.keytab



DS Server


   - Get the keytabs

   [1]  cd /etc/dirsrv
   [2]  wget ftp://internal.redhat.com/opt/ldap.HOST.DOMAIN.COM.keytab
   [3]  wget ftp://internal.redhat.com/opt/sasltest.keytab
   [4]  wget ftp://internal.redhat.com/opt/ldap.t001.keytab

   - Edit */etc/krb5.conf*, make sure these settings are included

    [libdefaults]

  default_realm = EXAMPLE.COM
  # 'yes' is accepted as well as 'true'
  allow_weak_crypto = true

    [realms]

    EXAMPLE.COM = {
  kdc = internal.redhat.com:88
  admin_server = internal.redhat.com:749
  default_domain = example.com
    }

    [domain_realm]
 .redhat.com = EXAMPLE.COM
   

[389-users] Re: DNA plugin not working

2020-04-13 Thread Mark Reynolds
Okay, so logging in DNA stinks in this scenario.  It does a lot of 
internal searches and if one of them "fails" you get an operations 
error.  So we need to enable other logging...


First what does the entry look like that you are trying to add?

Second, run this ldapmodify

ldapmodify -D "cn=directory manager" -W
# 260 = default level 256 plus 4 for internal operations
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 260
-
replace: nsslapd-plugin-logging
nsslapd-plugin-logging: on


Then add another user, wait 30 seconds for the access log to buffer, and 
then provide the access log clip from the failed add.


Thanks,
Mark


On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:

Hi Mark,

Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, here’s 
what I’ve got.

# grep dna-plugin /var/log/dirsrv/slapd-example/errors
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - 
Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
Operation failure [1]

And here’s the DNA config:

dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID numbers
dnaType: gidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 25000

Best regards,

James



On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:

Enabling plugin logging will provide a little more detail about what is going 
wrong:

ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 65536


After running the test you can disable the debug plugin logging by setting the 
log level to zero.

Then share what information is logging when you add a new user.   This is most 
likely a configuration error so hopefully we can find out what went wrong in 
your set up.  Can you also provide the DNA config entries?

Thanks,

Mark

On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:

Hi all,

I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
Everything worked fine in testing, but now that it’s in production I’m seeing 
the following error:

ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2

I’ve followed the advice in the knowledge base 
(https://access.redhat.com/solutions/875133), about adding an equality index 
with an nsMatchingRule of integerOrderingMatch, but have not seen any 
difference in the server’s behavior.  Any ideas what I should try next?

Thanks,

James

--

389 Directory Server Development Team
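
The dna-plugin debug lines quoted in this thread, run through a small log correlator, as an added example that is not part of any poster's message and not 389-ds code. It rejoins mail-wrapped (and ">"-quoted) error-log records and ties each "Failed to allocate a new ID" error back to the entry and attribute named in the preceding "adding ... to ..." line; the record layout is inferred from the lines on this page, and the names `unwrap`, `parse_ts` and `find_alloc_failures` are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: the dna-plugin lines quoted in this thread, kept
# mail-wrapped the way they were pasted into the message.
SAMPLE_LOG = """\
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add -
dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add -
adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add -
retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add -
Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op -
Operation failure [1]
"""

# Record layout as seen above: [timestamp] - SEVERITY - subsystem - function - message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<sev>[A-Z]+) - (?P<subsys>\S+) - "
    r"(?P<func>\S+) - (?P<msg>.*)$")
TS_RE = re.compile(
    r"(\d{2})/([A-Za-z]{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2})\.(\d+) "
    r"([+-])(\d{2})(\d{2})")
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
ADDING_RE = re.compile(r"adding (?P<attr>\S+) to (?P<dn>.+) as (?P<value>-?\d+)$")
FAILED_RE = re.compile(r"Failed to allocate a new ID!! (?P<code>-?\d+)$")


@dataclass
class AllocFailure:
    dn: str            # entry the plugin was assigning a number to
    attr: str          # attribute being assigned (uidNumber, gidNumber, ...)
    logged_value: str  # value printed after "as" in the "adding" line
    code: int          # number printed after "Failed to allocate a new ID!!"
    elapsed_ms: float  # time between the "adding" line and the error


def parse_ts(text):
    """Parse the nanosecond timestamp; datetime keeps microseconds only."""
    d, mon, y, hh, mm, ss, frac, sign, oh, om = TS_RE.fullmatch(text).groups()
    offset = timedelta(hours=int(oh), minutes=int(om))
    if sign == "-":
        offset = -offset
    micro = int(frac[:6].ljust(6, "0"))
    return datetime(int(y), MONTHS[mon], int(d), int(hh), int(mm), int(ss),
                    micro, timezone(offset))


def unwrap(text):
    """Rejoin wrapped records: a record starts with '[', anything else continues it."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> \t").strip()  # tolerate mail quote markers
        if not line:
            continue
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def find_alloc_failures(text):
    """Return one AllocFailure per dna-plugin allocation error in the log text."""
    failures, pending = [], None
    for record in unwrap(text):
        m = LINE_RE.match(record)
        if not m or m["subsys"] != "dna-plugin":
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"].strip()
        adding = ADDING_RE.match(msg)
        if adding:
            pending = (ts, adding["dn"], adding["attr"], adding["value"])
            continue
        failed = FAILED_RE.match(msg)
        if failed and m["sev"] == "ERR":
            start, dn, attr, value = pending or (ts, "<unknown>", "<unknown>", "")
            failures.append(AllocFailure(
                dn, attr, value, int(failed["code"]),
                (ts - start).total_seconds() * 1000))
            pending = None
    return failures


if __name__ == "__main__":
    for f in find_alloc_failures(SAMPLE_LOG):
        print(f"{f.attr} allocation failed for {f.dn} "
              f"(code {f.code}, {f.elapsed_ms:.3f} ms after the add started)")
```
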



Re: SELinux is blocking hibernate

2020-04-13 Thread Zdenek Pytela
On Mon, Apr 13, 2020 at 8:23 PM Sreyan Chakravarty 
wrote:

> Edit:
> > The message from the troubleshooter suggests that you run two commands
> > to get around the issue until it's fixed.  Just follow them and you'll
> > be OK.
>
>
> Can you please explain what they are doing, I don't know anything about
> SELinux.
>

SELinux only knows about labels, type is the main part. The init_t is a
type of a process. It requested an access to a resource which was denied by
kernel, according to SELinux rules. In the report, we can see a request to
read a file with type swapfile_t.type

If you create a file with the suggested content and insert it as a custom
SELinux module, it will allow a group of common permissions required to
open and read a file. This change persists boot.


> Also how do I reverse the commands once the bug is fixed in upstream ?
>
Remove the module:

semodule -r local_init_swapfile

Any time, you can list modules, and possibly narrow the list:

semodule -lfull | grep local_
400 local_init_swapfile cil



>
> On Mon, Apr 13, 2020 at 11:50 PM Sreyan Chakravarty 
> wrote:
>
>> Can you please explain what they are doing, I don't know anything about
>> SELinux.
>>
>> Also how do I reverse the commands once the bug is fixed in upstream ?
>>
>> On Mon, Apr 13, 2020 at 11:39 PM Joe Zeff  wrote:
>>
>>> On 04/13/2020 11:57 AM, Zdenek Pytela wrote:
>>> > I don't know a whole lot about SELinux, do I have to add a label or
>>> > something?
>>>
>>> The message from the troubleshooter suggests that you run two commands
>>> to get around the issue until it's fixed.  Just follow them and you'll
>>> be OK.
>>>
>>
>>
>> --
>> Regards,
>> Sreyan Chakravarty
>>
>
>
> --
> Regards,
> Sreyan Chakravarty
>


-- 

Zdenek Pytela
Security controls team, sst_platform_security


[389-users] Re: DNA plugin not working

2020-04-13 Thread CHAMBERLAIN James
Hi Mark,

Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, here’s 
what I’ve got.

# grep dna-plugin /var/log/dirsrv/slapd-example/errors
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1]

And here’s the DNA config:

dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID numbers
dnaType: gidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 25000

Best regards,

James


> On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
>
> Enabling plugin logging will provide a little more detail about what is going 
> wrong:
>
> ldapmodify -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 65536
>
>
> After running the test you can disable the debug plugin logging by setting 
> the log level to zero.
>
> Then share what information is logging when you add a new user.   This is 
> most likely a configuration error so hopefully we can find out what went 
> wrong in your set up.  Can you also provide the DNA config entries?
>
> Thanks,
>
> Mark
>
> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>> Hi all,
>>
>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
>> Everything worked fine in testing, but now that it’s in production I’m 
>> seeing the following error:
>>
>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>>
>> I’ve followed the advice in the knowledge base 
>> (https://access.redhat.com/solutions/875133), about adding an equality index 
>> with an nsMatchingRule of integerOrderingMatch, but have not seen any 
>> difference in the server’s behavior.  Any ideas what I should try next?
>>
>> Thanks,
>>
>> James
> --
>
> 389 Directory Server Development Team
>

This email and any attachments are intended solely for the use of the 
individual or entity to whom it is addressed and may be confidential and/or 
privileged.

If you are not one of the named recipients or have received this email in error,

(i) you should not read, disclose, or copy it,

(ii) please notify sender of your receipt by reply email and delete this email 
and all attachments,

(iii) Dassault Systèmes does not accept or assume any liability or 
responsibility for any use of or reliance on this email.


Please be informed that your personal data are processed according to our data 
privacy policy as described on our website. Should you have any questions 
related to personal data protection, please contact 3DS Data Protection Officer 
at 3ds.compliance-priv...@3ds.com


For other languages, go to https://www.3ds.com/terms/email-disclaimer
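
A range sanity check for DNA config entries like the two posted in the message above, as an added example that is not part of the original message or of the 389 Directory Server code. It assumes the documented attribute semantics (dnaNextValue is the next value to hand out, dnaMaxValue is the top of the local range, -1 means no upper limit); the function names and the warn_below threshold are hypothetical.

```python
"""Sanity-check 389-DS DNA plugin range entries (added example)."""

# The two config entries exactly as posted in the message above.
SAMPLE_LDIF = """\
dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID numbers
dnaType: gidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 25000
"""


def parse_ldif(text):
    """Parse plain LDIF (no base64 values) into a list of dicts.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive; each attribute maps to a list of values.
    """
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith("#"):           # LDIF comment
            continue
        elif line.startswith(" ") and last:  # folded continuation line
            current[last][-1] += line[1:]
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"not an LDIF line: {line!r}")
            last = name.strip().lower()
            current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def remaining_values(entry):
    """Free values left in the local range, or None when there is no cap."""
    next_value = int(entry["dnanextvalue"][0])
    max_value = int(entry.get("dnamaxvalue", ["-1"])[0])
    if max_value == -1:
        return None
    return max(0, max_value - next_value + 1)


def audit_dna(text, warn_below=100):
    """Return (entry label, status, detail) for every range needing attention."""
    findings = []
    for entry in parse_ldif(text):
        if "dnatype" not in entry or "dnanextvalue" not in entry:
            continue                         # not a DNA range entry
        label = f'{entry["cn"][0]} ({entry["dnatype"][0]})'
        left = remaining_values(entry)
        if left is None:
            continue
        nxt, top = entry["dnanextvalue"][0], entry["dnamaxvalue"][0]
        if left == 0:
            findings.append((label, "exhausted",
                             f"dnaNextValue {nxt} is above dnaMaxValue {top}"))
        elif left < warn_below:
            findings.append((label, "low",
                             f"only {left} values left before dnaMaxValue {top}"))
    return findings


if __name__ == "__main__":
    for label, status, detail in audit_dna(SAMPLE_LDIF):
        print(f"{status.upper():9} {label}: {detail}")
```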

[389-users] Re: Issues with GSSAPI kerberos authentication - realm undefined?

2020-04-13 Thread Mark Reynolds


On 4/13/20 2:30 PM, Mark Reynolds wrote:

> Sorry, not a Kerberos expert, but this is an old doc I used to use to get
> it working.  I would double check your /etc/krb5.conf first though.
>
> Here is that doc


I wanted to add that this document was for doing internal testing, so
permission changes and password storage scheme changes should probably
not be done in production.  The hope is that it will help figure out
what is wrong in your setup...


Mark



Re: SELinux is blocking hibernate

2020-04-13 Thread Joe Zeff

On 04/13/2020 12:20 PM, Sreyan Chakravarty wrote:
> Can you please explain what they are doing, I don't know anything about
> SELinux.

Good question.  The first command creates an exception for SELinux that
allows your system to work until the bug is fixed and the second one
installs it.  I'm no expert, and I'm sure that somebody will jump in and
correct me if needed.

> Also how do I reverse the commands once the bug is fixed in upstream ?

Another good question.  You won't need to.  It will just sit there,
ignored, until an update comes along that removes it.



[389-users] Re: Issues with GSSAPI kerberos authentication - realm undefined?

2020-04-13 Thread Mark Reynolds
Sorry, not a Kerberos expert, but this is an old doc I used to use to get it
working.  I would double check your /etc/krb5.conf first though.


Here is that doc


===

SASL and DS
KDC Server


 - HOST.DOMAIN.COM is usually "localhost.localdomain" for internal 
testing.  Make sure the hostname is lowercase!


   [1]  ssh krbu...@internal.redhat.com (password redhat)
   [2]  sudo /usr/kerberos/sbin/kadmin.local -r EXAMPLE.COM
   [3]  addprinc -randkey ldap/host.domain@example.com
   [4]  ktadd -k /opt/ldap.HOST.DOMAIN.COM.keytab ldap/host.domain@example.com

   [5]  addprinc sasltest  -> use redhat as password
   [6]  ktadd -k /opt/sasltest.keytab saslt...@example.com
   [7]  addprinc t001  --> use redhat as password
   [8]  ktadd -k /opt/ldap.t001.keytab t...@example.com
   [9]  exit
   [10] sudo chmod 777 /opt/ldap.HOST.DOMAIN.COM.keytab
   [11] sudo chmod 777 /opt/ldap.t001.keytab
   [12] sudo chmod 777 /opt/sasltest.keytab



DS Server


   - Get the keytabs

   [1]  cd /etc/dirsrv
   [2]  wget ftp://internal.redhat.com/opt/ldap.HOST.DOMAIN.COM.keytab
   [3]  wget ftp://internal.redhat.com/opt/sasltest.keytab
   [4]  wget ftp://internal.redhat.com/opt/ldap.t001.keytab

   - Edit */etc/krb5.conf*, make sure these settings are included

    [libdefaults]

  default_realm = EXAMPLE.COM
  allow_weak_crypto = true (or 'yes')

    [realms]

    EXAMPLE.COM = {
  kdc = internal.redhat.com:88
  admin_server = internal.redhat.com:749
  default_domain = example.com
    }

    [domain_realm]
 .redhat.com = EXAMPLE.COM
 redhat.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

  - Edit /etc/sysconfig/dirsrv-INSTANCE

   Add these two lines to

 KRB5_CONFIG=/etc/krb5.conf
 KRB5_KTNAME=/etc/dirsrv/ldap.HOST.DOMAIN.COM.keytab

  - Edit the dse.ldif/ldapmodify.  This assumes there is a backend:  
dc=example,dc=com


dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: dc=example,dc=com

dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: dc=example,dc=com

dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: dc=example,dc=com

dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapBaseDNTemplate
nsSaslMapBaseDNTemplate: dc=example,dc=com

dn: cn=config
changetype: modify
add: passwordstoragescheme
passwordstoragescheme: clear

  - Add our user:

dn: uid=t001,ou=people,dc=example,dc=com
uid: t001
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: 001
cn: test 001
mail: t...@example.com

Testing


   [1]  cd /etc/dirsrv
   [2]  kinit -k -t ./ldap.t001.keytab t...@example.com
   [3]  klist

 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: t...@example.com

 Valid starting Expires    Service principal
 02/08/10 14:29:33  02/09/10 14:29:33 krbtgt/example@example.com
 renew until 02/08/10 14:29:33

   [4]  ldapsearch -h HOST.DOMAIN.COM -p 389  -b "dc=example,dc=com" -v -LLL -Y GSSAPI "uid=*" dn


   [5]  klist

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: t...@example.com

    Valid starting Expires    Service principal
    02/08/10 16:52:14  02/09/10 16:52:14 krbtgt/example@example.com
    renew until 02/08/10 16:52:14
    02/08/10 16:52:20  02/09/10 16:52:14 ldap/host.domain@example.com
    renew until 02/08/10 16:52:14


Troubleshooting


   [1]  To verify the DS server does use the user kerberos ticket for
authentication, log on to the kdc server (internal.redhat.com), and tail -f
/var/log/krb5kdc.log. You should see the following msgs in the log:


    - The first msg means the user "t001" does get a valid kerberos
ticket from the kdc server
    - The second msg means the server which uses
"ldap/internal.redhat@example.com" is connecting with the kdc for user
authentication


   Feb 08 16:46:14 internal.redhat.com krb5kdc[2726](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.16.96.80: ISSUE: authtime 1265665574, etypes {rep=1 tkt=16 ses=16}, t...@example.com for krbtgt/example@example.com


   Feb 08 16:48:34 internal.redhat.com krb5kdc[2726](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.16.96.80: ISSUE: authtime 1265665574, etypes {rep=16 tkt=16 ses=16}, t...@example.com for ldap/host.domain.com@example.com


   [2]  ldapsearch issues

  [a] make sure you use -h ""

  [b] error:

    ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information 
(Unknown error)


    cause:  
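
The test setup above turns on allow_weak_crypto, and the two krb5kdc.log lines in the Troubleshooting section show which encryption types the KDC actually issued. The following added example (not part of the original document) scans ISSUE lines in that numeric log format and flags weak or deprecated enctypes; the function and field names are hypothetical, the first two sample lines are the ones from the document re-joined, and the third is constructed.

```python
"""Flag weak or deprecated enctypes in krb5kdc.log ISSUE lines (added example)."""
import re

# Kerberos enctype numbers. Single DES and export RC4 are the "weak" types
# that allow_weak_crypto permits in MIT krb5; 3DES and RC4 are deprecated
# by RFC 8429.
WEAK = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
        24: "arcfour-hmac-exp"}
DEPRECATED = {16: "des3-cbc-sha1", 23: "arcfour-hmac"}
AES = {17, 18, 19, 20}

SAMPLE_LOG = [
    # From the document above, re-joined onto one line each.
    "Feb 08 16:46:14 internal.redhat.com krb5kdc[2726](info): AS_REQ (12 "
    "etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.16.96.80: ISSUE: authtime "
    "1265665574, etypes {rep=1 tkt=16 ses=16}, t...@example.com for "
    "krbtgt/example@example.com",
    "Feb 08 16:48:34 internal.redhat.com krb5kdc[2726](info): TGS_REQ (7 "
    "etypes {18 17 16 23 1 3 2}) 10.16.96.80: ISSUE: authtime 1265665574, "
    "etypes {rep=16 tkt=16 ses=16}, t...@example.com for "
    "ldap/host.domain.com@example.com",
    # Constructed line: an AES-only exchange, which must not be flagged.
    "Feb 08 16:50:02 internal.redhat.com krb5kdc[2726](info): AS_REQ (2 "
    "etypes {18 17}) 10.16.96.80: ISSUE: authtime 1265665802, etypes "
    "{rep=18 tkt=18 ses=18}, user1@EXAMPLE.COM for "
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
]

ISSUE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<client_ip>\S+): ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)


def scan_kdc_log(lines):
    """Return one finding per weak/deprecated reply, ticket or session key."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = ISSUE_RE.search(line)
        if not match:
            continue                      # not an ISSUE line in this format
        offered = {int(n) for n in match.group("offered").split()}
        for field in ("rep", "tkt", "ses"):
            etype = int(match.group(field))
            if etype in WEAK:
                severity, name = "weak", WEAK[etype]
            elif etype in DEPRECATED:
                severity, name = "deprecated", DEPRECATED[etype]
            else:
                continue
            findings.append({
                "line": lineno,
                "kind": match.group("kind"),
                "client": match.group("client"),
                "service": match.group("service"),
                "field": field,           # rep=reply key, tkt=ticket, ses=session
                "etype": etype,
                "name": name,
                "severity": severity,
                # True when the client listed AES but a weaker type was used
                "client_offered_aes": bool(offered & AES),
            })
    return findings


if __name__ == "__main__":
    for f in scan_kdc_log(SAMPLE_LOG):
        print(f'line {f["line"]} {f["kind"]} {f["service"]}: '
              f'{f["field"]}={f["etype"]} ({f["name"]}, {f["severity"]})')
```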

[389-users] Re: DNA plugin not working

2020-04-13 Thread Mark Reynolds
Enabling plugin logging will provide a little more detail about what is 
going wrong:


ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 65536


After running the test you can disable the debug plugin logging by 
setting the log level to zero.


Then share what information is logging when you add a new user. This is 
most likely a configuration error so hopefully we can find out what went 
wrong in your set up.  Can you also provide the DNA config entries?


Thanks,

Mark

On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:

> Hi all,
>
> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.
> Everything worked fine in testing, but now that it’s in production
> I’m seeing the following error:
>
> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>
> I’ve followed the advice in the knowledge base
> (https://access.redhat.com/solutions/875133), about adding an equality
> index with an nsMatchingRule of integerOrderingMatch, but have not
> seen any difference in the server’s behavior.  Any ideas what I should
> try next?
>
> Thanks,
>
> James



--

389 Directory Server Development Team

___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


Re: SELinux is blocking hibernate

2020-04-13 Thread Sreyan Chakravarty
Edit:
> The message from the troubleshooter suggests that you run two commands
> to get around the issue until it's fixed.  Just follow them and you'll
> be OK.

Can you please explain what they are doing, I don't know anything about
SELinux.

Also how do I reverse the commands once the bug is fixed in upstream ?


On Mon, Apr 13, 2020 at 11:50 PM Sreyan Chakravarty 
wrote:

> Can you please explain what they are doing, I don't know anything about
> SELinux.
>
> Also how do I reverse the commands once the bug is fixed in upstream ?
>
> On Mon, Apr 13, 2020 at 11:39 PM Joe Zeff  wrote:
>
>> On 04/13/2020 11:57 AM, Zdenek Pytela wrote:
>> > I don't know a whole lot about SELinux, do I have to add a label or
>> > something?
>>
>> The message from the troubleshooter suggests that you run two commands
>> to get around the issue until it's fixed.  Just follow them and you'll
>> be OK.
>>
>
>
> --
> Regards,
> Sreyan Chakravarty
>


-- 
Regards,
Sreyan Chakravarty


Re: SELinux is blocking hibernate

2020-04-13 Thread Sreyan Chakravarty
Can you please explain what they are doing, I don't know anything about
SELinux.

Also how do I reverse the commands once the bug is fixed in upstream ?

On Mon, Apr 13, 2020 at 11:39 PM Joe Zeff  wrote:

> On 04/13/2020 11:57 AM, Zdenek Pytela wrote:
> > I don't know a whole lot about SELinux, do I have to add a label or
> > something?
>
> The message from the troubleshooter suggests that you run two commands
> to get around the issue until it's fixed.  Just follow them and you'll
> be OK.
>


-- 
Regards,
Sreyan Chakravarty


Re: SELinux is blocking hibernate

2020-04-13 Thread Sreyan Chakravarty
Could you please explain what:
(allow init_t swapfile_t (file (getattr open read ioctl lock)))

is doing ?

Am I supposed to paste the above as is in the file ? Is swapfile_t the name
of my swap file or is it a SELinux attribute ?

On Mon, Apr 13, 2020 at 11:29 PM Zdenek Pytela  wrote:

>
>
> On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty 
> wrote:
>
>> I have just configured an 8GB swap file on my Fedora 31 laptop. But it
>> seems that SELinux is blocking access to the swap file.
>>
>> SELinux is preventing systemd-sleep from read access on the file
>> fedora.swap.
>>
>> *  Plugin catchall (100. confidence) suggests
>> **
>>
>> If you believe that systemd-sleep should be allowed read access on the
>> fedora.swap file by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
>> # semodule -X 300 -i my-systemdsleep.pp
>>
>> Additional Information:
>> Source Context                system_u:system_r:init_t:s0
>> Target Context                unconfined_u:object_r:swapfile_t:s0
>> Target Objects                fedora.swap [ file ]
>> Source                        systemd-sleep
>> Source Path                   systemd-sleep
>> Port
>> Host                          localhost.HPNotebook
>> Source RPM Packages
>> Target RPM Packages
>> SELinux Policy RPM            selinux-policy-3.14.4-50.fc31.noarch
>> Local Policy RPM              selinux-policy-targeted-3.14.4-50.fc31.noarch
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Host Name                     localhost.HPNotebook
>> Platform                      Linux localhost.HPNotebook 5.5.15-200.fc31.x86_64
>>                               #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64 x86_64
>> Alert Count                   1
>> First Seen                    2020-04-13 21:12:22 IST
>> Last Seen                     2020-04-13 21:12:22 IST
>> Local ID                      39955636-b570-49ae-9286-ae92b49dc1c7
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1586792542.56:418): avc:  denied  { read } for
>>  pid=5603 comm="systemd-sleep" name="fedora.swap" dev="dm-1" ino=13
>> scontext=system_u:system_r:init_t:s0
>> tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0
>>
>>
>> Hash: systemd-sleep,init_t,swapfile_t,file,read
>>
>> --
>>
>> The above is the message I got from the SELinux trouble shooter.
>>
>> This is the screenshot of the problem: https://imgur.com/a/1x55clI
>>
>> What can I do ?
>>
>> I don't know a whole lot about SELinux, do I have to add a label or
>> something?
>>
> Hi,
>
> There has already been reported a bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1797543
>
> A new domain is needed to confine systemd-sleep. As a temporary
> workaround, you can create a file with the following content:
>
> (allow init_t swapfile_t (file (getattr open read ioctl lock)))
>
> insert as a custom policy module:
>
> semodule -i local_init_swapfile.cil
>
> and then remove it once the policy is updated.
>
>
>> Please help.
>>
>> Thanks.
>> Regards,
>> Sreyan Chakravarty
>>
>
>
> --
>
> Zdenek Pytela
> Security controls team, sst_platform_security
>


-- 
Regards,
Sreyan Chakravarty


Re: SELinux is blocking hibernate

2020-04-13 Thread Sreyan Chakravarty
I saw a pull request in the comments of the bug, did that solve the problem?

On Mon, Apr 13, 2020 at 11:29 PM Zdenek Pytela  wrote:

>
>
> On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty 
> wrote:
>
>> I have just configured an 8GB swap file on my Fedora 31 laptop. But it
>> seems that SELinux is blocking access to the swap file.
>>
>> SELinux is preventing systemd-sleep from read access on the file
>> fedora.swap.
>>
>> *  Plugin catchall (100. confidence) suggests
>> **
>>
>> If you believe that systemd-sleep should be allowed read access on the
>> fedora.swap file by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
>> # semodule -X 300 -i my-systemdsleep.pp
>>
>> Additional Information:
>> Source Context                system_u:system_r:init_t:s0
>> Target Context                unconfined_u:object_r:swapfile_t:s0
>> Target Objects                fedora.swap [ file ]
>> Source                        systemd-sleep
>> Source Path                   systemd-sleep
>> Port
>> Host                          localhost.HPNotebook
>> Source RPM Packages
>> Target RPM Packages
>> SELinux Policy RPM            selinux-policy-3.14.4-50.fc31.noarch
>> Local Policy RPM              selinux-policy-targeted-3.14.4-50.fc31.noarch
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Host Name                     localhost.HPNotebook
>> Platform                      Linux localhost.HPNotebook 5.5.15-200.fc31.x86_64
>>                               #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64 x86_64
>> Alert Count                   1
>> First Seen                    2020-04-13 21:12:22 IST
>> Last Seen                     2020-04-13 21:12:22 IST
>> Local ID                      39955636-b570-49ae-9286-ae92b49dc1c7
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1586792542.56:418): avc:  denied  { read } for
>>  pid=5603 comm="systemd-sleep" name="fedora.swap" dev="dm-1" ino=13
>> scontext=system_u:system_r:init_t:s0
>> tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0
>>
>>
>> Hash: systemd-sleep,init_t,swapfile_t,file,read
>>
>> --
>>
>> The above is the message I got from the SELinux trouble shooter.
>>
>> This is the screenshot of the problem: https://imgur.com/a/1x55clI
>>
>> What can I do ?
>>
>> I don't know a whole lot about SELinux, do I have to add a label or
>> something?
>>
> Hi,
>
> There has already been reported a bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1797543
>
> A new domain is needed to confine systemd-sleep. As a temporary
> workaround, you can create a file with the following content:
>
> (allow init_t swapfile_t (file (getattr open read ioctl lock)))
>
> insert as a custom policy module:
>
> semodule -i local_init_swapfile.cil
>
> and then remove it once the policy is updated.
>
>
>> Please help.
>>
>> Thanks.
>> Regards,
>> Sreyan Chakravarty
>>
>
>
> --
>
> Zdenek Pytela
> Security controls team, sst_platform_security
>


-- 
Regards,
Sreyan Chakravarty


Re: SELinux is blocking hibernate

2020-04-13 Thread Joe Zeff

On 04/13/2020 11:57 AM, Zdenek Pytela wrote:
> I don't know a whole lot about SELinux, do I have to add a label or
> something?


The message from the troubleshooter suggests that you run two commands 
to get around the issue until it's fixed.  Just follow them and you'll 
be OK.



Re: SELinux is blocking hibernate

2020-04-13 Thread Zdenek Pytela
On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty 
wrote:

> I have just configured an 8GB swap file on my Fedora 31 laptop. But it
> seems that SELinux is blocking access to the swap file.
>
> SELinux is preventing systemd-sleep from read access on the file
> fedora.swap.
>
> *  Plugin catchall (100. confidence) suggests
> **
>
> If you believe that systemd-sleep should be allowed read access on the
> fedora.swap file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
> # semodule -X 300 -i my-systemdsleep.pp
>
> Additional Information:
> Source Context                system_u:system_r:init_t:s0
> Target Context                unconfined_u:object_r:swapfile_t:s0
> Target Objects                fedora.swap [ file ]
> Source                        systemd-sleep
> Source Path                   systemd-sleep
> Port
> Host                          localhost.HPNotebook
> Source RPM Packages
> Target RPM Packages
> SELinux Policy RPM            selinux-policy-3.14.4-50.fc31.noarch
> Local Policy RPM              selinux-policy-targeted-3.14.4-50.fc31.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     localhost.HPNotebook
> Platform                      Linux localhost.HPNotebook 5.5.15-200.fc31.x86_64
>                               #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64 x86_64
> Alert Count                   1
> First Seen                    2020-04-13 21:12:22 IST
> Last Seen                     2020-04-13 21:12:22 IST
> Local ID                      39955636-b570-49ae-9286-ae92b49dc1c7
>
> Raw Audit Messages
> type=AVC msg=audit(1586792542.56:418): avc:  denied  { read } for
>  pid=5603 comm="systemd-sleep" name="fedora.swap" dev="dm-1" ino=13
> scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0
>
>
> Hash: systemd-sleep,init_t,swapfile_t,file,read
>
> --
>
> The above is the message I got from the SELinux trouble shooter.
>
> This is the screenshot of the problem: https://imgur.com/a/1x55clI
>
> What can I do ?
>
> I don't know a whole lot about SELinux, do I have to add a label or
> something?
>
Hi,

A bugzilla has already been reported:

https://bugzilla.redhat.com/show_bug.cgi?id=1797543

A new domain is needed to confine systemd-sleep. As a temporary workaround,
you can create a file with the following content:

(allow init_t swapfile_t (file (getattr open read ioctl lock)))

insert as a custom policy module:

semodule -i local_init_swapfile.cil

and then remove it once the policy is updated.


> Please help.
>
> Thanks.
> Regards,
> Sreyan Chakravarty


-- 

Zdenek Pytela
Security controls team, sst_platform_security
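
The workaround described in the reply above, as an added example that is not part of the original message or of the selinux-policy project. It maps the fields of the logged AVC denial onto a CIL rule, so the single denied permission can be compared with what the reply's rule grants, and wraps the install and removal steps; the function names are illustrative and the audit record is the one from the report, joined onto one line.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# Raw audit record from the original report (constructed: joined onto one line).
AVC='type=AVC msg=audit(1586792542.56:418): avc:  denied  { read } for  pid=5603 comm="systemd-sleep" name="fedora.swap" dev="dm-1" ino=13 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0'

# The rule given in the reply, and the module name semodule derives from the file name.
WORKAROUND='(allow init_t swapfile_t (file (getattr open read ioctl lock)))'
MODULE=local_init_swapfile

# field KEY RECORD: print the value of " KEY=value" from an audit record.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: print the type, the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_cil RECORD: print a CIL rule allowing exactly what the record denied.
avc_to_cil() {
    case $1 in
        *avc:*denied*) ;;
        *) echo "not an AVC denial" >&2; return 1 ;;
    esac
    perms=$(printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p')
    src=$(ctx_type "$(field scontext "$1")")
    tgt=$(ctx_type "$(field tcontext "$1")")
    class=$(field tclass "$1")
    if [ -z "$perms" ] || [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$class" ]; then
        echo "incomplete AVC record" >&2; return 1
    fi
    printf '(allow %s %s (%s (%s)))\n' "$src" "$tgt" "$class" "$perms"
}

# write_module DIR: write the reply's rule to DIR/local_init_swapfile.cil.
write_module() {
    printf '%s\n' "$WORKAROUND" > "$1/$MODULE.cil"
}

# The next two need root on the affected machine; they run only when called.
install_module() {
    semodule -i "$1/$MODULE.cil" && semodule -l | grep -w "$MODULE"
}
remove_module() {    # once the updated selinux-policy package is installed
    semodule -r "$MODULE"
}

# Show what the single logged denial asks for next to what the workaround grants.
echo "from denial: $(avc_to_cil "$AVC")"
echo "workaround:  $WORKAROUND"
```

The rule derived from the one logged denial grants only `read`, while the rule in the reply also grants `getattr`, `open`, `ioctl` and `lock` on `swapfile_t` files to `init_t`.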


[389-users] DNA plugin not working

2020-04-13 Thread CHAMBERLAIN James
Hi all,

I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
Everything worked fine in testing, but now that it’s in production I’m seeing 
the following error:

ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2

I’ve followed the advice in the knowledge base 
(https://access.redhat.com/solutions/875133), about adding an equality index 
with an nsMatchingRule of integerOrderingMatch, but have not seen any 
difference in the server’s behavior.  Any ideas what I should try next?

Thanks,

James

___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org


Re: SELinux is blocking hibernate

2020-04-13 Thread sixpack13

On 13.04.20 19:00, Sreyan Chakravarty wrote:

> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
>
> # ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
> # semodule -X 300 -i my-systemdsleep.pp

...

and what happens if you perform the above two commands (every one with
"sudo" prefixed)


sudo ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep

sudo semodule -X 300 -i my-systemdsleep.pp


and test hibernate


--
sixpack13


Re: SELinux is blocking hibernate

2020-04-13 Thread Sreyan Chakravarty
Is there no way to hibernate using SELinux Enforcing ??


Desktop files in F31

2020-04-13 Thread Greg Woods
I just had to replace the SSD in my laptop, which for reasons that would
deserve a discussion thread of their own, I ended up having to do a
complete reinstall. Then I restored all my home directory files. So what I
have is a clean F31, but my own account from the old F30 system was
restored. I am using "GNOME on Xorg" as the desktop environment.

The problem I have is with Desktop files (in ~/Desktop). First I didn't see
them at all, then found with some Googling that I needed to turn off
display of the Trash icon, which now allows me to see the Desktop files.
There are two issues:

1) The desktop icons are visible, but the Icons=file line in them seems to
be ignored.
2) When I double click one, the Exec=command is executed, but it also opens
a full-screen window that I figured out is "gnome-games".

For #1, I first did a little research with dnf and discovered that I needed
to install the "comps-extras" package to bring back the files in
/usr/share/pixmaps/comps . But this did not fix the issue, even after I
restarted gnome-shell (with ALT-F2 and "r"). So I logged out and back in
again, but no joy. I did check to ensure that my account can read the
specified image files.

For #2, I would like to know how I can stop the execution of gnome-games.
With a little trial and error, I discovered that if I iconify the
gnome-games window the first time it comes up, then the Desktop icons
double-click-execute properly, but if I instead kill the gnome-games
window, then it pops up again next time I double-click an icon.

A sample Desktop file is below. Both issues occur whether or not I have the
leading "#!" line.

#!/usr/bin/env xdg-open

[Desktop Entry]
Version=1.0
Encoding=UTF-8
Name=cobweb
Name[en_US]=cobweb
Exec=xterm -sb -T cobweb -bg forestgreen -fg white -e ssh -o 'FallBackToRsh no' -X cobweb -l greg
Icon=/usr/share/pixmaps/fedora-logo-sprite.png
Terminal=false
MultipleArgs=false
Type=Application
GenericName[en_US]=cobweb

Thanks for any pointers.

--Greg


Re: SELinux is blocking hibernate

2020-04-13 Thread Sreyan Chakravarty
Looks like it is an existing bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1797543

In SELinux are there any ways of adding domains ?

On Mon, Apr 13, 2020 at 10:21 PM Sreyan Chakravarty wrote:

> I have just configured a 8GB swap file on my Fedora 31 laptop. But it
> seems that SELinux is blocking access to the swap file.
>
> SELinux is preventing systemd-sleep from read access on the file
> fedora.swap.
>
> *  Plugin catchall (100. confidence) suggests
> **
>
> If you believe that systemd-sleep should be allowed read access on the
> fedora.swap file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
> # semodule -X 300 -i my-systemdsleep.pp
>
> Additional Information:
> Source Context                system_u:system_r:init_t:s0
> Target Context                unconfined_u:object_r:swapfile_t:s0
> Target Objects                fedora.swap [ file ]
> Source                        systemd-sleep
> Source Path                   systemd-sleep
> Port
> Host                          localhost.HPNotebook
> Source RPM Packages
> Target RPM Packages
> SELinux Policy RPM            selinux-policy-3.14.4-50.fc31.noarch
> Local Policy RPM              selinux-policy-targeted-3.14.4-50.fc31.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     localhost.HPNotebook
> Platform                      Linux localhost.HPNotebook 5.5.15-200.fc31.x86_64 #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64 x86_64
> Alert Count                   1
> First Seen                    2020-04-13 21:12:22 IST
> Last Seen                     2020-04-13 21:12:22 IST
> Local ID                      39955636-b570-49ae-9286-ae92b49dc1c7
>
> Raw Audit Messages
> type=AVC msg=audit(1586792542.56:418): avc:  denied  { read } for
>  pid=5603 comm="systemd-sleep" name="fedora.swap" dev="dm-1" ino=13
> scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0
>
>
> Hash: systemd-sleep,init_t,swapfile_t,file,read
>
> --
>
> The above is the message I got from the SELinux trouble shooter.
>
> This is the screenshot of the problem: https://imgur.com/a/1x55clI
>
> What can I do ?
>
> I don't know a whole lot about SELinux, do I have to add a label or
> something?
>
> Please help.
>
> Thanks.
> Regards,
> Sreyan Chakravarty
>


-- 
Regards,
Sreyan Chakravarty


Re: kickstart installation - DNF error in POSTIN scriplet of flatpak-selinux

2020-04-13 Thread Sreyan Chakravarty
Thankfully that did not cause any problems. I could fully install my
system.

On Mon, Apr 13, 2020 at 1:58 PM Samuel Sieb  wrote:

> On 4/12/20 11:59 PM, Sreyan Chakravarty wrote:
> > I was talking about these :
> >
> > dracut: No '/dev/log' or 'logger' included for syslog logging
> > dracut-install: ERROR: installing 'sr_mod'
> > dracut: FAILED:  /usr/lib/dracut/dracut-install -D
> > /var/tmp/dracut.YxAPo1/initramfs --kerneldir
> > /lib/modules/5.3.7-301.fc31.x86_64/ -m sr_mod sd_mod ide_cd cdrom =ata
> > sym53c8xx aic7xxx ehci_hcd uhci_hcd ohci_hcd usb_storage usbhid uas
> > firewire-sbp2 firewire-ohci sbp2 ohci1394 ieee1394 mmc_block sdhci
> > sdhci-pci pata_pcmcia mptsas virtio_blk virtio_pci virtio_scsi
> > virtio_net virtio_mmio virtio_balloon virtio-rng
> > dracut-install: ERROR: installing 'ext4'
> > dracut: FAILED:  /usr/lib/dracut/dracut-install -D
> > /var/tmp/dracut.YxAPo1/initramfs --kerneldir
> > /lib/modules/5.3.7-301.fc31.x86_64/ -m vfat msdos isofs ext4 xfs btrfs
> > squashfs
>
> We need a lot more context.  What are you doing when that happens?  What
> is the command?  Does the resulting initrd boot?


-- 
Regards,
Sreyan Chakravarty


SELinux is blocking hibernate

2020-04-13 Thread Sreyan Chakravarty
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems
that SELinux is blocking access to the swap file.

SELinux is preventing systemd-sleep from read access on the file
fedora.swap.

*  Plugin catchall (100. confidence) suggests
**

If you believe that systemd-sleep should be allowed read access on the
fedora.swap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
# semodule -X 300 -i my-systemdsleep.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:swapfile_t:s0
Target Objects                fedora.swap [ file ]
Source                        systemd-sleep
Source Path                   systemd-sleep
Port
Host                          localhost.HPNotebook
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-3.14.4-50.fc31.noarch
Local Policy RPM              selinux-policy-targeted-3.14.4-50.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.HPNotebook
Platform                      Linux localhost.HPNotebook 5.5.15-200.fc31.x86_64 #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-04-13 21:12:22 IST
Last Seen                     2020-04-13 21:12:22 IST
Local ID                      39955636-b570-49ae-9286-ae92b49dc1c7

Raw Audit Messages
type=AVC msg=audit(1586792542.56:418): avc:  denied  { read } for  pid=5603
comm="systemd-sleep" name="fedora.swap" dev="dm-1" ino=13
scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0


Hash: systemd-sleep,init_t,swapfile_t,file,read

-- 

The above is the message I got from the SELinux trouble shooter.

This is the screenshot of the problem: https://imgur.com/a/1x55clI

What can I do ?

I don't know a whole lot about SELinux, do I have to add a label or
something?

Please help.

Thanks.
Regards,
Sreyan Chakravarty


Email notification sound -

2020-04-13 Thread Bob Goodwin
Something has changed in the last few days to cause the Thunderbird 
email notification sound to stop. Normally the preferences play button 
will test the tone but it now remains silent.


Is this unique to my system? Any ideas?

This is an up-to-date Fedora 31, with whatever Thunderbird was provided
with the install, 68.6.0.


Bob

--
Bob Goodwin - Zuni, Virginia,
Fedora Linux-31 XFCE


Re: kickstart installation - DNF error in POSTIN scriplet of flatpak-selinux

2020-04-13 Thread Samuel Sieb

On 4/12/20 11:59 PM, Sreyan Chakravarty wrote:
> I was talking about these :
>
> dracut: No '/dev/log' or 'logger' included for syslog logging
> dracut-install: ERROR: installing 'sr_mod'
> dracut: FAILED:  /usr/lib/dracut/dracut-install -D
> /var/tmp/dracut.YxAPo1/initramfs --kerneldir
> /lib/modules/5.3.7-301.fc31.x86_64/ -m sr_mod sd_mod ide_cd cdrom =ata
> sym53c8xx aic7xxx ehci_hcd uhci_hcd ohci_hcd usb_storage usbhid uas
> firewire-sbp2 firewire-ohci sbp2 ohci1394 ieee1394 mmc_block sdhci
> sdhci-pci pata_pcmcia mptsas virtio_blk virtio_pci virtio_scsi
> virtio_net virtio_mmio virtio_balloon virtio-rng
>
> dracut-install: ERROR: installing 'ext4'
> dracut: FAILED:  /usr/lib/dracut/dracut-install -D
> /var/tmp/dracut.YxAPo1/initramfs --kerneldir
> /lib/modules/5.3.7-301.fc31.x86_64/ -m vfat msdos isofs ext4 xfs btrfs
> squashfs


We need a lot more context.  What are you doing when that happens?  What 
is the command?  Does the resulting initrd boot?



Re: kickstart installation - DNF error in POSTIN scriplet of flatpak-selinux

2020-04-13 Thread Sreyan Chakravarty
I was talking about these :

dracut: No '/dev/log' or 'logger' included for syslog logging
dracut-install: ERROR: installing 'sr_mod'
dracut: FAILED:  /usr/lib/dracut/dracut-install -D
/var/tmp/dracut.YxAPo1/initramfs --kerneldir
/lib/modules/5.3.7-301.fc31.x86_64/ -m sr_mod sd_mod ide_cd cdrom =ata
sym53c8xx aic7xxx ehci_hcd uhci_hcd ohci_hcd usb_storage usbhid uas
firewire-sbp2 firewire-ohci sbp2 ohci1394 ieee1394 mmc_block sdhci
sdhci-pci pata_pcmcia mptsas virtio_blk virtio_pci virtio_scsi virtio_net
virtio_mmio virtio_balloon virtio-rng
dracut-install: ERROR: installing 'ext4'
dracut: FAILED:  /usr/lib/dracut/dracut-install -D
/var/tmp/dracut.YxAPo1/initramfs --kerneldir
/lib/modules/5.3.7-301.fc31.x86_64/ -m vfat msdos isofs ext4 xfs btrfs
squashfs

On Mon, Apr 13, 2020 at 12:10 PM Samuel Sieb  wrote:

> On 4/12/20 10:43 PM, Sreyan Chakravarty wrote:
> > The dracut errors. Anyways let me try since those bugs occur even if I
> > am building the official Fedora Workstation Live CD from Kickstart. So
> > maybe they won't be a problem, optimistically speaking.
>
> I don't remember seeing an email about that to this list.


-- 
Regards,
Sreyan Chakravarty


Re: kickstart installation - DNF error in POSTIN scriplet of flatpak-selinux

2020-04-13 Thread Samuel Sieb

On 4/12/20 10:43 PM, Sreyan Chakravarty wrote:
> The dracut errors. Anyways let me try since those bugs occur even if I
> am building the official Fedora Workstation Live CD from Kickstart. So
> maybe they won't be a problem, optimistically speaking.


I don't remember seeing an email about that to this list.