Re: [Freeipa-users] stickybits and freeipa

2015-06-18 Thread richard

Hi,

I found a workaround for this problem.
I installed nscd and now it works. I will file a bug report, since the
application doesn't perform the get user id correctly.

// Richard

2015-06-16 15:01, Simo Sorce wrote:

On Tue, 2015-06-16 at 14:50 +0200, richard wrote:

Hi,

I have made a trace with gdb, and this is the output from that.
So it looks like the suid user isn't found.


Hi Richard,
this looks like a bug in the application you are using, as a failure to
look up a user (if that is the case) should never end up with a
segfault.

I would contact that application developer and file a bug with them.

Simo.


Program received signal SIGSEGV, Segmentation fault.
0x08518f44 in utilcuti_GetUsrid(void) ()
(gdb) bt
#0  0x08518f44 in utilcuti_GetUsrid(void) ()
#1  0x0839b8a5 in BuildLockInfo(char const *, char, char *, char const *, char *, char const *) ()
#2  0x0839dc51 in lock_LockFile(char const *, char, short, char *, char const *, char const *, char const *, char const *, char *, char const *, char *) ()
#3  0x083a02c3 in FILE_RESOURCE::DAVLock(JSTRING const , int) ()
#4  0x083c1e34 in ARCHIVE_RESOURCE::Lock(JSTRING const , int) ()
#5  0x0839fd20 in FILE_RESOURCE::DAVDelete(void) ()
#6  0x083c17d4 in ARCHIVE_RESOURCE::Delete(void) ()
#7  0x083b3854 in Document::Delete(void) ()
#8  0x083bdf93 in TMP_OSBUFF::~TMP_OSBUFF(void) ()
#9  0x083be1e1 in EXCOML_BUFFER_CHANNEL::~EXCOML_BUFFER_CHANNEL(void) ()
#10 0x083ca4db in TEXT_FORMAT_PARSER::~TEXT_FORMAT_PARSER(void) ()
#11 0x085270a4 in READ_CHANNEL::READER_NODE::~READER_NODE(void) ()
#12 0x085271ab in READ_CHANNEL::~READ_CHANNEL(void) ()
#13 0x083bf754 in DOCUMENT_READER::~DOCUMENT_READER(void) ()
#14 0x08378100 in TREE_FROM_DOC::~TREE_FROM_DOC(void) ()
#15 0x081b2aee in EXECUTECMD::File(PSTRING const , PSTRING const ) ()
#16 0x081b3a4e in EXECUTECMD::Link(PSTRING const , PSTRING const ) ()
#17 0x0825d010 in ECL_COMMAND::OtherExecute(void) ()
#18 0x08267be4 in ECL_COMMAND::Execute(EXPR_DICT *) ()
#19 0x08247d0e in ECL_REPEAT::Execute(EXPR_DICT *) ()
#20 0x082472ed in lang_TreeExecute(ECL_TREE *, EXPR_DICT *) ()
#21 0x081af72b in KEY_T::Execute(void) ()
#22 0x081b3f26 in EXECUTECMD::Function(PSTRING const , PSTRING const , int, JSTRING const ) ()
#23 0x08059106 in EXCO::Initiate(void) ()
#24 0x0805a355 in EXCO::Edit(void) ()
#25 0x080544f5 in main ()

// Richard

2015-06-15 15:34, Simo Sorce wrote:
 On Sun, 2015-06-14 at 20:53 +0200, richard wrote:
 Hi,

 We are about to implement FreeIPA in our environment.
 During some tests we have discovered problems when we are trying to
 run scripts with the suid bit set.
 It looks like the system is trying to authenticate the suid user against
 FreeIPA, but since the suid user doesn't have a valid ticket, the
 script will not run.
 I would need some help to get around this problem.

 Is it possible to configure a keytab for the suid user so that this user
 always has a valid ticket?

 Hi Richard,
 it is unclear to me what problem you are having.

 Can you provide some log or output you receive when running commands
 that do not work as you expect?

 The kernel doesn't really care (nor try) to authenticate users when the
 suid bit is set, so there must be some other component involved that is
 causing you trouble.

 Simo.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] stickybits and freeipa

2015-06-16 Thread richard

Hi,

I have made a trace with gdb, and this is the output from that.
So it looks like the suid user isn't found.

Program received signal SIGSEGV, Segmentation fault.
0x08518f44 in utilcuti_GetUsrid(void) ()
Missing separate debuginfos, use: debuginfo-install 
atk-2.10.0-1.fc20.i686 bzip2-libs-1.0.6-9.fc20.i686 
cairo-1.13.1-0.1.git337ab1f.fc20.i686 expat-2.1.0-7.fc20.i686 
fontconfig-2.11.0-2.fc20.i686 freetype-2.5.0-5.fc20.i686 
gdk-pixbuf2-2.30.3-1.fc20.i686 glib2-2.38.2-2.fc20.i686 
glibc-2.18-16.fc20.i686 gtk2-2.24.24-2.fc20.i686 
harfbuzz-0.9.27-1.fc20.i686 jbigkit-libs-2.0-10.fc20.i686 
libX11-1.6.1-1.fc20.i686 libXau-1.0.8-2.fc20.i686 
libXcomposite-0.4.4-4.fc20.i686 libXcursor-1.1.14-2.fc20.i686 
libXdamage-1.1.4-4.fc20.i686 libXext-1.3.2-2.fc20.i686 
libXfixes-5.0.1-2.fc20.i686 libXi-1.7.4-1.fc20.i686 
libXinerama-1.1.3-2.fc20.i686 libXrandr-1.4.1-2.fc20.i686 
libXrender-0.9.8-2.fc20.i686 libXxf86vm-1.1.3-2.fc20.i686 
libdrm-2.4.58-1.fc20.i686 libffi-3.0.13-5.fc20.i686 
libgcc-4.8.3-7.fc20.i686 libjpeg-turbo-1.3.1-2.fc20.i686 
libpng-1.6.6-3.fc20.i686 libpng12-1.2.50-6.fc20.i686 
libselinux-2.2.1-6.fc20.i686 libwayland-client-1.2.0-3.fc20.i686 
libwayland-server-1.2.0-3.fc20.i686 libxcb-1.9.1-3.fc20.i686 
mesa-libEGL-10.3.3-1.20141110.fc20.i686 
mesa-libGL-10.3.3-1.20141110.fc20.i686 
mesa-libgbm-10.3.3-1.20141110.fc20.i686 
mesa-libglapi-10.3.3-1.20141110.fc20.i686 pango-1.36.1-3.fc20.i686 
pcre-8.33-7.fc20.i686 pixman-0.30.0-5.fc20.i686 
xz-libs-5.1.2-12alpha.fc20.i686 zlib-1.2.8-3.fc20.i686

(gdb) bt
#0  0x08518f44 in utilcuti_GetUsrid(void) ()
#1  0x0839b8a5 in BuildLockInfo(char const *, char, char *, char const *, char *, char const *) ()
#2  0x0839dc51 in lock_LockFile(char const *, char, short, char *, char const *, char const *, char const *, char const *, char *, char const *, char *) ()
#3  0x083a02c3 in FILE_RESOURCE::DAVLock(JSTRING const , int) ()
#4  0x083c1e34 in ARCHIVE_RESOURCE::Lock(JSTRING const , int) ()
#5  0x0839fd20 in FILE_RESOURCE::DAVDelete(void) ()
#6  0x083c17d4 in ARCHIVE_RESOURCE::Delete(void) ()
#7  0x083b3854 in Document::Delete(void) ()
#8  0x083bdf93 in TMP_OSBUFF::~TMP_OSBUFF(void) ()
#9  0x083be1e1 in EXCOML_BUFFER_CHANNEL::~EXCOML_BUFFER_CHANNEL(void) ()
#10 0x083ca4db in TEXT_FORMAT_PARSER::~TEXT_FORMAT_PARSER(void) ()
#11 0x085270a4 in READ_CHANNEL::READER_NODE::~READER_NODE(void) ()
#12 0x085271ab in READ_CHANNEL::~READ_CHANNEL(void) ()
#13 0x083bf754 in DOCUMENT_READER::~DOCUMENT_READER(void) ()
#14 0x08378100 in TREE_FROM_DOC::~TREE_FROM_DOC(void) ()
#15 0x081b2aee in EXECUTECMD::File(PSTRING const , PSTRING const ) ()
#16 0x081b3a4e in EXECUTECMD::Link(PSTRING const , PSTRING const ) ()
#17 0x0825d010 in ECL_COMMAND::OtherExecute(void) ()
#18 0x08267be4 in ECL_COMMAND::Execute(EXPR_DICT *) ()
#19 0x08247d0e in ECL_REPEAT::Execute(EXPR_DICT *) ()
#20 0x082472ed in lang_TreeExecute(ECL_TREE *, EXPR_DICT *) ()
#21 0x081af72b in KEY_T::Execute(void) ()
#22 0x081b3f26 in EXECUTECMD::Function(PSTRING const , PSTRING const , int, JSTRING const ) ()
#23 0x08059106 in EXCO::Initiate(void) ()
#24 0x0805a355 in EXCO::Edit(void) ()
#25 0x080544f5 in main ()

// Richard

2015-06-15 15:34, Simo Sorce wrote:

On Sun, 2015-06-14 at 20:53 +0200, richard wrote:

Hi,

We are about to implement FreeIPA in our environment.
During some tests we have discovered problems when we are trying to
run scripts with the suid bit set.
It looks like the system is trying to authenticate the suid user against
FreeIPA, but since the suid user doesn't have a valid ticket, the
script will not run.
I would need some help to get around this problem.

Is it possible to configure a keytab for the suid user so that this user
always has a valid ticket?


Hi Richard,
it is unclear to me what problem you are having.

Can you provide some log or output you receive when running commands
that do not work as you expect?

The kernel doesn't really care (nor try) to authenticate users when the
suid bit is set, so there must be some other component involved that is
causing you trouble.

Simo.




Re: [Freeipa-users] stickybits and freeipa

2015-06-16 Thread Simo Sorce
On Tue, 2015-06-16 at 14:50 +0200, richard wrote:
 Hi,
 
 I have made a trace with gdb, and this is the output from that.
 So it looks like the suid user isn't found.

Hi Richard,
this looks like a bug in the application you are using, as a failure to
look up a user (if that is the case) should never end up with a
segfault.

I would contact that application developer and file a bug with them.

Simo.

 Program received signal SIGSEGV, Segmentation fault.
 0x08518f44 in utilcuti_GetUsrid(void) ()
 (gdb) bt
 #0  0x08518f44 in utilcuti_GetUsrid(void) ()
 #1  0x0839b8a5 in BuildLockInfo(char const *, char, char *, char const *, char *, char const *) ()
 #2  0x0839dc51 in lock_LockFile(char const *, char, short, char *, char const *, char const *, char const *, char const *, char *, char const *, char *) ()
 #3  0x083a02c3 in FILE_RESOURCE::DAVLock(JSTRING const , int) ()
 #4  0x083c1e34 in ARCHIVE_RESOURCE::Lock(JSTRING const , int) ()
 #5  0x0839fd20 in FILE_RESOURCE::DAVDelete(void) ()
 #6  0x083c17d4 in ARCHIVE_RESOURCE::Delete(void) ()
 #7  0x083b3854 in Document::Delete(void) ()
 #8  0x083bdf93 in TMP_OSBUFF::~TMP_OSBUFF(void) ()
 #9  0x083be1e1 in EXCOML_BUFFER_CHANNEL::~EXCOML_BUFFER_CHANNEL(void) ()
 #10 0x083ca4db in TEXT_FORMAT_PARSER::~TEXT_FORMAT_PARSER(void) ()
 #11 0x085270a4 in READ_CHANNEL::READER_NODE::~READER_NODE(void) ()
 #12 0x085271ab in READ_CHANNEL::~READ_CHANNEL(void) ()
 #13 0x083bf754 in DOCUMENT_READER::~DOCUMENT_READER(void) ()
 #14 0x08378100 in TREE_FROM_DOC::~TREE_FROM_DOC(void) ()
 #15 0x081b2aee in EXECUTECMD::File(PSTRING const , PSTRING const ) ()
 #16 0x081b3a4e in EXECUTECMD::Link(PSTRING const , PSTRING const ) ()
 #17 0x0825d010 in ECL_COMMAND::OtherExecute(void) ()
 #18 0x08267be4 in ECL_COMMAND::Execute(EXPR_DICT *) ()
 #19 0x08247d0e in ECL_REPEAT::Execute(EXPR_DICT *) ()
 #20 0x082472ed in lang_TreeExecute(ECL_TREE *, EXPR_DICT *) ()
 #21 0x081af72b in KEY_T::Execute(void) ()
 #22 0x081b3f26 in EXECUTECMD::Function(PSTRING const , PSTRING const , int, JSTRING const ) ()
 #23 0x08059106 in EXCO::Initiate(void) ()
 #24 0x0805a355 in EXCO::Edit(void) ()
 #25 0x080544f5 in main ()
 
 // Richard
 
 2015-06-15 15:34, Simo Sorce wrote:
  On Sun, 2015-06-14 at 20:53 +0200, richard wrote:
  Hi,
  
  We are about to implement FreeIPA in our environment.
  During some tests we have discovered problems when we are trying to
  run scripts with the suid bit set.
  It looks like the system is trying to authenticate the suid user against
  FreeIPA, but since the suid user doesn't have a valid ticket, the
  script will not run.
  I would need some help to get around this problem.

  Is it possible to configure a keytab for the suid user so that this user
  always has a valid ticket?

  Hi Richard,
  it is unclear to me what problem you are having.

  Can you provide some log or output you receive when running commands
  that do not work as you expect?
  
  The kernel doesn't really care (nor try) to authenticate users when the
  suid bit is set, so there must be some other component involved that is
  causing you trouble.
  
  Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] stickybits and freeipa

2015-06-15 Thread Simo Sorce
On Sun, 2015-06-14 at 20:53 +0200, richard wrote:
 Hi,
 
 We are about to implement FreeIPA in our environment.
 During some tests we have discovered problems when we are trying to
 run scripts with the suid bit set.
 It looks like the system is trying to authenticate the suid user against
 FreeIPA, but since the suid user doesn't have a valid ticket, the
 script will not run.
 I would need some help to get around this problem.

 Is it possible to configure a keytab for the suid user so that this user
 always has a valid ticket?

Hi Richard,
it is unclear to me what problem you are having.

Can you provide some log or output you receive when running commands
that do not work as you expect?

The kernel doesn't really care (nor try) to authenticate users when the
suid bit is set, so there must be some other component involved that is
causing you trouble.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
