Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Sat, Feb 23, 2013 at 10:40:03PM +, Dale Macartney wrote:
 
 
 
 On 02/23/2013 10:36 PM, Rob Crittenden wrote:
  Dale Macartney wrote:
 
 
  Even folks
 
  I've verified this both in a kickstart and via manual install to verify
  any user error on my part.
 
  I have a clean installation of RHEL 6.4 for an IPA domain of example.com
 
  I also have several clients which are also clean installs of rhel 6.4
  and although I can see ipa users via getent and even acquire a TGT
  successfully, I am unable to login with any ipa user on any ipa member
  server.
 
  I see the same results for any type of login attempt, e.g. gnome desktop
  or ssh
 
  My client installation is done by this command.
 
  ipa-client-install -U -p admin -w redhat123 --mkhomedir
 --enable-dns-updates
 
  IPA client version 3.0.0-25
  SSSD version 1.9.2-82
 
 
  Logs from client are as follows.
 
  == /var/log/secure ==
  Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
  authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
  rhost=10.0.1.254 user=admin
  Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info
  message: Your password will expire in 89 day(s).

FTR, this is a known bug that will be fixed in an asynchronous errata
Very Soon Now.

  Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
  authentication success; logname= uid=0 euid=0 tty=ssh ruser=
  rhost=10.0.1.254 user=admin
 
  == /var/log/btmp ==
  s ssh:nottyadmin10.0.1.254@)Q
  ?
  == /var/log/secure ==
  Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access
  denied for user admin: 4 (System error)

What state is your SELinux in? Permissive/Enforcing/Disabled ?

  Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from
  10.0.1.254 port 4 ssh2
  Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied for user
  admin by PAM account configuration
 
  == /var/log/Xorg.0.log ==
  [ 604.308] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 connected
  from local host ( uid=42 gid=42 pid=1958 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 284
  [ 604.312] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 disconnected
 
  == /var/log/messages ==
  Feb 23 22:12:45 workstation02 ntpd[2359]: synchronized to LOCAL(0),
  stratum 5
  Feb 23 22:13:48 workstation02 ntpd[2359]: synchronized to 10.0.1.12,
  stratum 11
 
 
  interactive shell output as follows
 
  [mac@rhodey ~]$ ssh admin@10.0.1.102
  admin@10.0.1.102's password:
  Your password will expire in 89 day(s).
  Connection closed by 10.0.1.102
  [mac@rhodey ~]$
 
 
  Am I doing something rather trivially wrong or is there something fishy
  going on here?
 
  Thanks in advance.
 
  I'd check your HBAC configuration.
 
  rob
 
 That is actually the very first thing I did, as it is a 100% clean
 installation of IPA, plus the addition of one user and one IPA replica.
 
 All users are granted access to all hosts.
 
 [root@ds01 ~]# ipa hbacrule-find
 - ---
 1 HBAC rule matched
 - ---
   Rule name: allow_all
   User category: all
   Host category: all
   Source host category: all
   Service category: all
   Description: Allow all users to access any host from any host
   Enabled: TRUE
 - 
 Number of entries returned 1
 - 
 [root@ds01 ~]#
 
 
 
 
 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users



Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Dale Macartney



On 02/25/2013 10:15 AM, Jakub Hrozek wrote:
 On Sat, Feb 23, 2013 at 10:40:03PM +, Dale Macartney wrote:


 On 02/23/2013 10:36 PM, Rob Crittenden wrote:
  Dale Macartney wrote:
 
 
  Even folks
 
  I've verified this both in a kickstart and via manual install to
verify
  any user error on my part.
 
  I have a clean installation of RHEL 6.4 for an IPA domain of
example.com
 
  I also have several clients which are also clean installs of rhel 6.4
  and although I can see ipa users via getent and even acquire a TGT
  successfully, I am unable to login with any ipa user on any ipa
member
  server.
 
  I see the same results for any type of login attempt, e.g. gnome
desktop
  or ssh
 
  My client installation is done by this command.
 
  ipa-client-install -U -p admin -w redhat123 --mkhomedir
 --enable-dns-updates
 
  IPA client version 3.0.0-25
  SSSD version 1.9.2-82
 
 
  Logs from client are as follows.
 
  == /var/log/secure ==
  Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
  authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
  rhost=10.0.1.254 user=admin
  Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
User info
  message: Your password will expire in 89 day(s).

  FTR, this is a known bug that will be fixed in an asynchronous errata
  Very Soon Now.

  Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
  authentication success; logname= uid=0 euid=0 tty=ssh ruser=
  rhost=10.0.1.254 user=admin
 
  == /var/log/btmp ==
  s ssh:nottyadmin10.0.1.254@)Q
  ?
  == /var/log/secure ==
  Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account):
Access
  denied for user admin: 4 (System error)

  What state is your SELinux in? Permissive/Enforcing/Disabled ?
Another fail on my part. Works fine in permissive mode.

AVC denials listed below..

type=AVC msg=audit(1361788146.020:28315): avc:  denied  { read } for 
pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28315): avc:  denied  { open } for 
pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28316): avc:  denied  { getattr } for 
pid=2271 comm=sshd path=/var/lib/sss/mc/passwd dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28318): avc:  denied  { read } for 
pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28318): avc:  denied  { open } for 
pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28319): avc:  denied  { getattr } for 
pid=2275 comm=krb5_child path=/etc/selinux/config dev=dm-0
ino=392854 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { write } for 
pid=1380 comm=sssd_pam name=logins dev=dm-0 ino=392943
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { add_name }
for  pid=1380 comm=sssd_pam name=adminoTfIUQ
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { create } for 
pid=1380 comm=sssd_pam name=adminoTfIUQ
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { write } for 
pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28322): avc:  denied  { remove_name }
for  pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28322): avc:  denied  { rename } for 
pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28322): avc:  denied  { unlink } for 
pid=1380 comm=sssd_pam name=admin dev=dm-0 ino=392951
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file


  Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for
admin from
  10.0.1.254 port 4 ssh2
  Feb 23 22:10:08 

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote:
   What state is your SELinux in? Permissive/Enforcing/Disabled ?
 Another fail on my part. Works fine in permissive mode.
 

No, the SSSD should be working out of the box with SELinux Enforcing.

 AVC denials listed below..
 
 type=AVC msg=audit(1361788146.020:28315): avc:  denied  { read } for 
 pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246
 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
 type=AVC msg=audit(1361788146.020:28315): avc:  denied  { open } for 
 pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246
 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
 type=AVC msg=audit(1361788146.020:28316): avc:  denied  { getattr } for 
 pid=2271 comm=sshd path=/var/lib/sss/mc/passwd dev=dm-0 ino=914246
 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023

^ This is SELinux denying access to the fast in-memory cache.

 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
 type=AVC msg=audit(1361788155.330:28318): avc:  denied  { read } for 
 pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788155.330:28318): avc:  denied  { open } for 
 pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788155.330:28319): avc:  denied  { getattr } for 
 pid=2275 comm=krb5_child path=/etc/selinux/config dev=dm-0
 ino=392854 scontext=system_u:system_r:sssd_t:s0

Interesting, I'm not aware of any code in the krb5 child process that
would do anything selinux-related. I wonder if libkrb5 might be the
culprit... rpm says it *is* linked against libselinux as well.

 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28321): avc:  denied  { write } for 
 pid=1380 comm=sssd_pam name=logins dev=dm-0 ino=392943
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
 type=AVC msg=audit(1361788156.367:28321): avc:  denied  { add_name }
 for  pid=1380 comm=sssd_pam name=adminoTfIUQ
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
 type=AVC msg=audit(1361788156.367:28321): avc:  denied  { create } for 
 pid=1380 comm=sssd_pam name=adminoTfIUQ
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28321): avc:  denied  { write } for 
 pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28322): avc:  denied  { remove_name }
 for  pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
 type=AVC msg=audit(1361788156.367:28322): avc:  denied  { rename } for 
 pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28322): avc:  denied  { unlink } for 
 pid=1380 comm=sssd_pam name=admin dev=dm-0 ino=392951
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file

This is SSSD trying to write the user login mapping. 

What version is your selinux-policy? 

Was your system properly labeled?

Does restorecon -Rvv /etc/selinux help?



Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Dale Macartney



On 02/25/2013 10:58 AM, Jakub Hrozek wrote:
 On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote:
 What state is your SELinux in? Permissive/Enforcing/Disabled ?
 Another fail on my part. Works fine in permissive mode.


 No, the SSSD should be working out of the box with SELinux Enforcing.

 AVC denials listed below..

 type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for
 pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246
 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
 type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for
 pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246
 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
 type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for
 pid=2271 comm=sshd path=/var/lib/sss/mc/passwd dev=dm-0 ino=914246
 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023

 ^ This is SELinux denying access to the fast in-memory cache.

 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
 type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for
 pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788155.330:28318): avc: denied { open } for
 pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for
 pid=2275 comm=krb5_child path=/etc/selinux/config dev=dm-0
 ino=392854 scontext=system_u:system_r:sssd_t:s0

 Interesting, I'm not aware of any code in the krb5 child process that
 would do anything selinux-related. I wonder if libkrb5 might be the
 culprit... rpm says it *is* linked against libselinux as well.

 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
 pid=1380 comm=sssd_pam name=logins dev=dm-0 ino=392943
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
 type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name }
 for pid=1380 comm=sssd_pam name=adminoTfIUQ
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
 type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for
 pid=1380 comm=sssd_pam name=adminoTfIUQ
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
 pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name }
 for pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
 type=AVC msg=audit(1361788156.367:28322): avc: denied { rename } for
 pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for
 pid=1380 comm=sssd_pam name=admin dev=dm-0 ino=392951
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file

 This is SSSD trying to write the user login mapping.

 What version is your selinux-policy?

 Was your system properly labeled?

 Does restorecon -Rvv /etc/selinux help?
Interesting, after using restorecon, yes it now allows a successful
login. I am curious how the contexts would have become incorrectly set
as the machine was provisioned with a rather trivial kickstart.

Output of restorecon is below.

[root@workstation01 ~]# restorecon -Rvv /etc/selinux/
restorecon reset /etc/selinux/targeted/logins context system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
restorecon reset /etc/selinux/targeted/logins/admin context system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
[root@workstation01 ~]#

selinux policy version 3.7.19-195.el6_4.1






Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Mon, Feb 25, 2013 at 11:06:09AM +, Dale Macartney wrote:
 
 
 
 On 02/25/2013 10:58 AM, Jakub Hrozek wrote:
  On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote:
  What state is your SELinux in? Permissive/Enforcing/Disabled ?
  Another fail on my part. Works fine in permissive mode.
 
 
  No, the SSSD should be working out of the box with SELinux Enforcing.
 
  AVC denials listed below..
 
  type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for
  pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246
  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
  tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
  type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for
  pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246
  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
  tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
  type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for
  pid=2271 comm=sshd path=/var/lib/sss/mc/passwd dev=dm-0 ino=914246
  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
 
  ^ This is SELinux denying access to the fast in-memory cache.
 
  tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
  type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for
  pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854
  scontext=system_u:system_r:sssd_t:s0
  tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
  type=AVC msg=audit(1361788155.330:28318): avc: denied { open } for
  pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854
  scontext=system_u:system_r:sssd_t:s0
  tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
  type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for
  pid=2275 comm=krb5_child path=/etc/selinux/config dev=dm-0
  ino=392854 scontext=system_u:system_r:sssd_t:s0
 
  Interesting, I'm not aware of any code in the krb5 child process that
  would do anything selinux-related. I wonder if libkrb5 might be the
  culprit... rpm says it *is* linked against libselinux as well.
 
  tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
  type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
  pid=1380 comm=sssd_pam name=logins dev=dm-0 ino=392943
  scontext=system_u:system_r:sssd_t:s0
  tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
  type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name }
  for pid=1380 comm=sssd_pam name=adminoTfIUQ
  scontext=system_u:system_r:sssd_t:s0
  tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
  type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for
  pid=1380 comm=sssd_pam name=adminoTfIUQ
  scontext=system_u:system_r:sssd_t:s0
  tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
  type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
  pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
  scontext=system_u:system_r:sssd_t:s0
  tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
  type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name }
  for pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
  scontext=system_u:system_r:sssd_t:s0
  tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
  type=AVC msg=audit(1361788156.367:28322): avc: denied { rename } for
  pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
  scontext=system_u:system_r:sssd_t:s0
  tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
  type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for
  pid=1380 comm=sssd_pam name=admin dev=dm-0 ino=392951
  scontext=system_u:system_r:sssd_t:s0
  tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 
  This is SSSD trying to write the user login mapping.
 
  What version is your selinux-policy?
 
  Was your system properly labeled?
 
  Does restorecon -Rvv /etc/selinux help?
 Interesting, after using restorecon, yes it now allows a successful
 login. I am curious how the contexts would have become incorrectly set
 as the machine was provisioned with a rather trivial kickstart.
 
 Output of restorecon is below.
 
 [root@workstation01 ~]# restorecon -Rvv /etc/selinux/
 restorecon reset /etc/selinux/targeted/logins context system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
 restorecon reset /etc/selinux/targeted/logins/admin context system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
 [root@workstation01 ~]#
 
 selinux policy version 3.7.19-195.el6_4.1

I'm not sure, was the system installed with that version or upgraded to
it?

I would also suggest running restorecon on /var/lib/sss/mc/passwd to get rid of
the memory cache denials. That should also allow faster initgroups (and
by extension logins) operation.

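Jakub's reading of the AVC records in this thread (sshd blocked from the SSSD memory cache and sssd_pam blocked from the logins directory because the files carry the wrong label, versus krb5_child touching /etc/selinux/config, which is labelled correctly and needs a different explanation) can be turned into a small triage script. This is an added example, not code from the thread or from SSSD/FreeIPA: it parses the posted denials, recovers full paths from (dev, ino) pairs, groups denials by source/target type, and reports which ones are relabelling problems. The expected type for /etc/selinux/targeted/logins comes from the restorecon output posted in the thread; the sssd_public_t expectation for /var/lib/sss/mc is an assumption taken from the stock RHEL 6 targeted policy file contexts (the thread only says to run restorecon on it).

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the thread, re-joined onto
# one line each (the mail client had wrapped them); the values are the ones posted.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1361788146.020:28315): avc:  denied  { read } for  pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28315): avc:  denied  { open } for  pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28316): avc:  denied  { getattr } for  pid=2271 comm=sshd path=/var/lib/sss/mc/passwd dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28319): avc:  denied  { getattr } for  pid=2275 comm=krb5_child path=/etc/selinux/config dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { write } for  pid=1380 comm=sssd_pam name=logins dev=dm-0 ino=392943 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): avc:  denied  { add_name } for  pid=1380 comm=sssd_pam name=adminoTfIUQ scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28322): avc:  denied  { unlink } for  pid=1380 comm=sssd_pam name=admin dev=dm-0 ino=392951 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Expected target types for the paths involved. The logins entry is what the
# thread's restorecon output shows; the mc entry is an ASSUMPTION taken from the
# stock RHEL 6 targeted policy file contexts (the thread only says to relabel it).
EXPECTED_TYPES = {
    "/etc/selinux/targeted/logins": "selinux_login_config_t",
    "/var/lib/sss/mc": "sssd_public_t",
}


def parse_avc(line):
    """Parse one 'type=AVC ... avc: denied { perms } for k=v ...' record, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    rec["time"] = float(m.group("ts"))
    return rec


def se_type(context):
    """Type component of a context string 'user:role:type[:range]'."""
    return context.split(":")[2]


def resolve_paths(records):
    """The kernel often logs only name= (a basename) for a denial. When another
    record on the same (dev, ino) carries path=, copy it over, so 'passwd' in the
    sample becomes /var/lib/sss/mc/passwd."""
    by_inode = {(r["dev"], r["ino"]): r["path"]
                for r in records if "path" in r and "dev" in r and "ino" in r}
    for r in records:
        if "path" not in r and (r.get("dev"), r.get("ino")) in by_inode:
            r["path"] = by_inode[(r["dev"], r["ino"])]
    return records


def summarize(records):
    """Collapse denials into (comm, source type, target type, class) -> perms."""
    groups = defaultdict(set)
    for r in records:
        key = (r["comm"], se_type(r["scontext"]), se_type(r["tcontext"]), r["tclass"])
        groups[key].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def _under(rec, prefix):
    path = rec.get("path")
    if path is not None:
        return path == prefix or path.startswith(prefix + "/")
    # No path at all: fall back to matching the basename. This is a heuristic;
    # it catches the directory-level 'name=logins' denial in the sample.
    return rec.get("name") == prefix.rsplit("/", 1)[-1]


def relabel_candidates(records, expected=EXPECTED_TYPES):
    """Denials where the target's actual type differs from the type the policy
    expects for that path. These are fixed by relabelling (restorecon), not by a
    policy change. Denials not returned here (krb5_child reading the correctly
    labelled /etc/selinux/config) need a different explanation."""
    out = {}
    for r in records:
        for prefix, want in expected.items():
            if _under(r, prefix):
                have = se_type(r["tcontext"])
                if have != want:
                    out[prefix] = (have, want)
    return out


def analyze(audit_text, expected=EXPECTED_TYPES):
    """Parse an audit log excerpt and return (denial summary, relabel candidates)."""
    records = resolve_paths([r for r in map(parse_avc, audit_text.splitlines()) if r])
    return summarize(records), relabel_candidates(records, expected)


if __name__ == "__main__":
    summary, cands = analyze(SAMPLE_AUDIT)
    for (comm, src, tgt, cls), perms in sorted(summary.items()):
        print(f"{comm:<10} {src:<8} -> {tgt:<24} {cls:<4} {{ {' '.join(perms)} }}")
    for prefix, (have, want) in cands.items():
        print(f"relabel {prefix}: is {have}, expected {want}: restorecon -Rv {prefix}")
```

On a live system the same logic can be fed the output of `ausearch -m AVC` instead of the embedded sample.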


Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Dale Macartney



On 02/25/2013 11:15 AM, Jakub Hrozek wrote:
 On Mon, Feb 25, 2013 at 11:06:09AM +, Dale Macartney wrote:



 On 02/25/2013 10:58 AM, Jakub Hrozek wrote:
 On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote:
 What state is your SELinux in? Permissive/Enforcing/Disabled ?
 Another fail on my part. Works fine in permissive mode.


 No, the SSSD should be working out of the box with SELinux Enforcing.

 AVC denials listed below..

 type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for
 pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246
 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
 type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for
 pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246
 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
 type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for
 pid=2271 comm=sshd path=/var/lib/sss/mc/passwd dev=dm-0 ino=914246
 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023

 ^ This is SELinux denying access to the fast in-memory cache.

 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
 type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for
 pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788155.330:28318): avc: denied { open } for
 pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for
 pid=2275 comm=krb5_child path=/etc/selinux/config dev=dm-0
 ino=392854 scontext=system_u:system_r:sssd_t:s0

 Interesting, I'm not aware of any code in the krb5 child process that
 would do anything selinux-related. I wonder if libkrb5 might be the
 culprit... rpm says it *is* linked against libselinux as well.

 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
 pid=1380 comm=sssd_pam name=logins dev=dm-0 ino=392943
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
 type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name }
 for pid=1380 comm=sssd_pam name=adminoTfIUQ
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
 type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for
 pid=1380 comm=sssd_pam name=adminoTfIUQ
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for
 pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name }
 for pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
 type=AVC msg=audit(1361788156.367:28322): avc: denied { rename } for
 pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
 type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for
 pid=1380 comm=sssd_pam name=admin dev=dm-0 ino=392951
 scontext=system_u:system_r:sssd_t:s0
 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file

 This is SSSD trying to write the user login mapping.

 What version is your selinux-policy?

 Was your system properly labeled?

 Does restorecon -Rvv /etc/selinux help?
 Interesting, after using restorecon, yes it now allows a successful
 login. I am curious how the contexts would have become incorrectly set
 as the machine was provisioned with a rather trivial kickstart.

 Output of restorecon is below.
 
 [root@workstation01 ~]# restorecon -Rvv /etc/selinux/
 restorecon reset /etc/selinux/targeted/logins context system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
 restorecon reset /etc/selinux/targeted/logins/admin context system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
 [root@workstation01 ~]#

 selinux policy version 3.7.19-195.el6_4.1

 I'm not sure, was the system installed with that version or upgraded to
 it?
All repositories are available during install, so no need for upgrade
post install. IPA client install runs as part of %post.


 I would also suggest running restorecon on /var/lib/sss/mc/passwd to get rid of
 the memory cache denials. That should also allow faster initgroups (and
 by extension logins) operation.
Good to know, presumably this will be 

[Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-23 Thread Dale Macartney


Even folks

I've verified this both in a kickstart and via manual install to verify
any user error on my part.

I have a clean installation of RHEL 6.4 for an IPA domain of example.com

I also have several clients which are also clean installs of rhel 6.4
and although I can see ipa users via getent and even acquire a TGT
successfully, I am unable to login with any ipa user on any ipa member
server.

I see the same results for any type of login attempt, e.g. gnome desktop
or ssh

My client installation is done by this command.

ipa-client-install -U -p admin -w redhat123 --mkhomedir --enable-dns-updates

IPA client version 3.0.0-25
SSSD version 1.9.2-82


Logs from client are as follows.

== /var/log/secure ==
Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.0.1.254  user=admin
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info
message: Your password will expire in 89 day(s).
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.0.1.254 user=admin

== /var/log/btmp ==
sssh:nottyadmin10.0.1.254@)Q
?
== /var/log/secure ==
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access
denied for user admin: 4 (System error)
Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from
10.0.1.254 port 4 ssh2
Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied for user
admin by PAM account configuration

== /var/log/Xorg.0.log ==
[   604.308] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 connected
from local host ( uid=42 gid=42 pid=1958 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 284
[   604.312] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 disconnected

== /var/log/messages ==
Feb 23 22:12:45 workstation02 ntpd[2359]: synchronized to LOCAL(0),
stratum 5
Feb 23 22:13:48 workstation02 ntpd[2359]: synchronized to 10.0.1.12,
stratum 11


interactive shell output as follows

[mac@rhodey ~]$ ssh admin@10.0.1.102
admin@10.0.1.102's password:
Your password will expire in 89 day(s).
Connection closed by 10.0.1.102
[mac@rhodey ~]$


Am I doing something rather trivially wrong or is there something fishy
going on here?

Thanks in advance.

Dale





Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-23 Thread Dale Macartney



On 02/23/2013 10:36 PM, Rob Crittenden wrote:
 Dale Macartney wrote:


 Even folks

 I've verified this both in a kickstart and via manual install to verify
 any user error on my part.

 I have a clean installation of RHEL 6.4 for an IPA domain of example.com

 I also have several clients which are also clean installs of rhel 6.4
 and although I can see ipa users via getent and even acquire a TGT
 successfully, I am unable to login with any ipa user on any ipa member
 server.

 I see the same results for any type of login attempt, e.g. gnome desktop
 or ssh

 My client installation is done by this command.

 ipa-client-install -U -p admin -w redhat123 --mkhomedir
--enable-dns-updates

 IPA client version 3.0.0-25
 SSSD version 1.9.2-82


 Logs from client are as follows.

 == /var/log/secure ==
 Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth):
 authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
 rhost=10.0.1.254 user=admin
 Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info
 message: Your password will expire in 89 day(s).
 Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth):
 authentication success; logname= uid=0 euid=0 tty=ssh ruser=
 rhost=10.0.1.254 user=admin

 == /var/log/btmp ==
 s ssh:nottyadmin10.0.1.254@)Q
 ?
 == /var/log/secure ==
 Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access
 denied for user admin: 4 (System error)
 Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from
 10.0.1.254 port 4 ssh2
 Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied for user
 admin by PAM account configuration

 == /var/log/Xorg.0.log ==
 [ 604.308] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 connected
 from local host ( uid=42 gid=42 pid=1958 )
 Auth name: MIT-MAGIC-COOKIE-1 ID: 284
 [ 604.312] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 disconnected

 == /var/log/messages ==
 Feb 23 22:12:45 workstation02 ntpd[2359]: synchronized to LOCAL(0),
 stratum 5
 Feb 23 22:13:48 workstation02 ntpd[2359]: synchronized to 10.0.1.12,
 stratum 11


 interactive shell output as follows

 [mac@rhodey ~]$ ssh admin@10.0.1.102
 admin@10.0.1.102's password:
 Your password will expire in 89 day(s).
 Connection closed by 10.0.1.102
 [mac@rhodey ~]$


 Am I doing something rather trivially wrong or is there something fishy
 going on here?

 Thanks in advance.

 I'd check your HBAC configuration.

 rob

That is actually the very first thing I did, as it is a 100% clean
installation of IPA, plus the addition of one user and one IPA replica.

All users are granted access to all hosts.

[root@ds01 ~]# ipa hbacrule-find
- ---
1 HBAC rule matched
- ---
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
- 
Number of entries returned 1
- 
[root@ds01 ~]#



