Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server
On Sat, Feb 23, 2013 at 10:40:03PM +, Dale Macartney wrote:
> On 02/23/2013 10:36 PM, Rob Crittenden wrote:
> > Dale Macartney wrote:
> > > Evening folks
> > >
> > > I've verified this both in a kickstart and via manual install to verify any user error on my part.
> > >
> > > I have a clean installation of RHEL 6.4 for an IPA domain of example.com
> > >
> > > I also have several clients which are also clean installs of rhel 6.4 and although I can see ipa users via getent and even acquire a TGT successfully, I am unable to login with any ipa user on any ipa member server.
> > >
> > > I see the same results for any type of login attempt, e.g. gnome desktop or ssh
> > >
> > > My client installation is done by this command.
> > >
> > > ipa-client-install -U -p admin -w redhat123 --mkhomedir --enable-dns-updates
> > >
> > > IPA client version 3.0.0-25
> > > SSSD version 1.9.2-82
> > >
> > > Logs from client are as follows.
> > >
> > > == /var/log/secure ==
> > > Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254 user=admin
> > > Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info message: Your password will expire in 89 day(s).

FTR, this is a known bug that will be fixed in an asynchronous errata Very Soon Now.

> > > Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254 user=admin
> > >
> > > == /var/log/btmp ==
> > > s ssh:nottyadmin10.0.1.254@)Q ?
> > >
> > > == /var/log/secure ==
> > > Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access denied for user admin: 4 (System error)

What state is your SELinux in? Permissive/Enforcing/Disabled ?

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server
On 02/25/2013 10:15 AM, Jakub Hrozek wrote:
> On Sat, Feb 23, 2013 at 10:40:03PM +, Dale Macartney wrote:
> > On 02/23/2013 10:36 PM, Rob Crittenden wrote:
> > > Dale Macartney wrote:
> > > > == /var/log/secure ==
> > > > Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access denied for user admin: 4 (System error)
>
> What state is your SELinux in? Permissive/Enforcing/Disabled ?

Another fail on my part. Works fine in permissive mode.

AVC denials listed below..

type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for pid=2271 comm=sshd path=/var/lib/sss/mc/passwd dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28318): avc: denied { open } for pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for pid=2275 comm=krb5_child path=/etc/selinux/config dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for pid=1380 comm=sssd_pam name=logins dev=dm-0 ino=392943 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name } for pid=1380 comm=sssd_pam name=adminoTfIUQ scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for pid=1380 comm=sssd_pam name=adminoTfIUQ scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name } for pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1361788156.367:28322): avc: denied { rename } for pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for pid=1380 comm=sssd_pam name=admin dev=dm-0 ino=392951 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server
On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote:
> > What state is your SELinux in? Permissive/Enforcing/Disabled ?
>
> Another fail on my part. Works fine in permissive mode.

No, the SSSD should be working out of the box with SELinux Enforcing.

> AVC denials listed below..
>
> type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for pid=2271 comm=sshd name=passwd dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for pid=2271 comm=sshd path=/var/lib/sss/mc/passwd dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file

^ This is SElinux denying access to the fast in-memory cache.

> type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=AVC msg=audit(1361788155.330:28318): avc: denied { open } for pid=2275 comm=krb5_child name=config dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr } for pid=2275 comm=krb5_child path=/etc/selinux/config dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file

Interesting, I'm not aware of any code in the krb5 child process that would do anything selinux-related. I wonder if libkrb5 might be the culprit..rpm says it *is* linked against libselinux as well.

> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for pid=1380 comm=sssd_pam name=logins dev=dm-0 ino=392943 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name } for pid=1380 comm=sssd_pam name=adminoTfIUQ scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=AVC msg=audit(1361788156.367:28321): avc: denied { create } for pid=1380 comm=sssd_pam name=adminoTfIUQ scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name } for pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=AVC msg=audit(1361788156.367:28322): avc: denied { rename } for pid=1380 comm=sssd_pam name=adminoTfIUQ dev=dm-0 ino=393233 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink } for pid=1380 comm=sssd_pam name=admin dev=dm-0 ino=392951 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file

This is SSSD trying to write the user login mapping.

What version is your selinux-policy? Was your system properly labeled? Does restorecon -Rvv /etc/selinux help?
Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server
On 02/25/2013 10:58 AM, Jakub Hrozek wrote:
> On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote:
> > > What state is your SELinux in? Permissive/Enforcing/Disabled ?
> >
> > Another fail on my part. Works fine in permissive mode.
>
> No, the SSSD should be working out of the box with SELinux Enforcing.
>
> > AVC denials listed below..
>
> This is SSSD trying to write the user login mapping.
>
> What version is your selinux-policy? Was your system properly labeled? Does restorecon -Rvv /etc/selinux help?

Interesting, after using restorecon, yes it now allows a successful login.

I am curious how the contexts would have become incorrectly set as the machine was provisioned with a rather trivial kickstart.

output of restorecon is below.

[root@workstation01 ~]# restorecon -Rvv /etc/selinux/
restorecon reset /etc/selinux/targeted/logins context system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
restorecon reset /etc/selinux/targeted/logins/admin context system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
[root@workstation01 ~]#

selinux policy version 3.7.19-195.el6_4.1
Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server
On Mon, Feb 25, 2013 at 11:06:09AM +, Dale Macartney wrote:
> On 02/25/2013 10:58 AM, Jakub Hrozek wrote:
> > This is SSSD trying to write the user login mapping.
> >
> > What version is your selinux-policy? Was your system properly labeled? Does restorecon -Rvv /etc/selinux help?
>
> Interesting, after using restorecon, yes it now allows a successful login.
>
> I am curious how the contexts would have become incorrectly set as the machine was provisioned with a rather trivial kickstart.
>
> output of restorecon is below.
>
> [root@workstation01 ~]# restorecon -Rvv /etc/selinux/
> restorecon reset /etc/selinux/targeted/logins context system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
> restorecon reset /etc/selinux/targeted/logins/admin context system_u:object_r:selinux_config_t:s0->system_u:object_r:selinux_login_config_t:s0
> [root@workstation01 ~]#
>
> selinux policy version 3.7.19-195.el6_4.1

I'm not sure, was the system installed with that version or upgraded to it?

I would also suggest to restorecon /var/lib/sss/mc/passwd to get rid of the memory cache denials. That should also allow faster initgroups (and by extension logins) operation.
Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server
On 02/25/2013 11:15 AM, Jakub Hrozek wrote:
> On Mon, Feb 25, 2013 at 11:06:09AM +, Dale Macartney wrote:
> > Interesting, after using restorecon, yes it now allows a successful login.
> >
> > I am curious how the contexts would have become incorrectly set as the machine was provisioned with a rather trivial kickstart.
> >
> > selinux policy version 3.7.19-195.el6_4.1
>
> I'm not sure, was the system installed with that version or upgraded to it?

All repositories are available during install, so no need for upgrade post install. IPA client install runs as part of %post.

> I would also suggest to restorecon /var/lib/sss/mc/passwd to get rid of the memory cache denials. That should also allow faster initgroups (and by extension logins) operation.

Good to know, presumably this will be
[Freeipa-users] RHEL 6.4 ipa-client install on ipa member server
Evening folks

I've verified this both in a kickstart and via manual install to verify any user error on my part.

I have a clean installation of RHEL 6.4 for an IPA domain of example.com

I also have several clients which are also clean installs of rhel 6.4 and although I can see ipa users via getent and even acquire a TGT successfully, I am unable to login with any ipa user on any ipa member server.

I see the same results for any type of login attempt, e.g. gnome desktop or ssh

My client installation is done by this command.

ipa-client-install -U -p admin -w redhat123 --mkhomedir --enable-dns-updates

IPA client version 3.0.0-25
SSSD version 1.9.2-82

Logs from client are as follows.

== /var/log/secure ==
Feb 23 22:10:07 workstation02 sshd[2419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254 user=admin
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): User info message: Your password will expire in 89 day(s).
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.254 user=admin

== /var/log/btmp ==
sssh:nottyadmin10.0.1.254@)Q ?

== /var/log/secure ==
Feb 23 22:10:08 workstation02 sshd[2419]: pam_sss(sshd:account): Access denied for user admin: 4 (System error)
Feb 23 22:10:08 workstation02 sshd[2419]: Failed password for admin from 10.0.1.254 port 4 ssh2
Feb 23 22:10:08 workstation02 sshd[2421]: fatal: Access denied for user admin by PAM account configuration

== /var/log/Xorg.0.log ==
[ 604.308] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 connected from local host ( uid=42 gid=42 pid=1958 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 284
[ 604.312] AUDIT: Sat Feb 23 22:12:10 2013: 1908: client 17 disconnected

== /var/log/messages ==
Feb 23 22:12:45 workstation02 ntpd[2359]: synchronized to LOCAL(0), stratum 5
Feb 23 22:13:48 workstation02 ntpd[2359]: synchronized to 10.0.1.12, stratum 11

interactive shell output as follows

[mac@rhodey ~]$ ssh admin@10.0.1.102
admin@10.0.1.102's password:
Your password will expire in 89 day(s).
Connection closed by 10.0.1.102
[mac@rhodey ~]$

Am I doing something rather trivially wrong or is there something fishy going on here?

Thanks in advance.

Dale
Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server
On 02/23/2013 10:36 PM, Rob Crittenden wrote:
> Dale Macartney wrote:
> > Am I doing something rather trivially wrong or is there something fishy going on here?
> >
> > Thanks in advance.
>
> I'd check your HBAC configuration.
>
> rob

That is actually the very first thing I did. As it is a 100% clean installation of IPA, plus the addition of one user and one IPA replica, all users are granted access to all hosts.

[root@ds01 ~]# ipa hbacrule-find
---
1 HBAC rule matched
---
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE
---
Number of entries returned 1
---
[root@ds01 ~]#