Re: [Freeipa-users] libsemanage updates fail due to AD user with space

2017-04-04 Thread Lukas Slebodnik
On (04/04/17 09:32), Lukas Slebodnik wrote:
>On (04/04/17 10:13), Lachlan Musicman wrote:
>>On 3 April 2017 at 19:11, Jakub Hrozek  wrote:
>>
>>> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
>>> >
>>> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
>>> > their names, libsemanage fails to update:
>>> >
>>> > eg from recent monthly upgrade cycle:
>>> >
>>> > Updating   :
>>> > selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
>>> > 3/14
>>> > libsemanage.parse_assert_ch: expected character ':', but found 'f'
>>> > (/etc/selinux/targeted/tmp/seusers.local: 5):
>>> > lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or
>>> > directory).
>>> > libsemanage.seuser_parse: could not parse seuser record (No such file or
>>> > directory).
>>> > libsemanage.dbase_file_cache: could not cache file database (No such file
>>> > or directory).
>>> > libsemanage.semanage_base_merge_components: could not merge local
>>> > modifications into policy (No such file or directory).
>>> >
>>>
>>> Hi,
>>> according to my quick testing this is solved with this PR:
>>> https://github.com/SSSD/sssd/pull/189
>This patch will not help with spaces in name.
>
>It needs to be fixed in selinux-policy or libsemanage.
>

It looks like it happens with each upgrade of selinux-policy.
I assume it might be some missing quoting in an rpm bash scriptlet.

It should not be difficult to reproduce and file a bug.
Feel free to add my mail to CC.

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] libsemanage updates fail due to AD user with space

2017-04-04 Thread Lukas Slebodnik
On (04/04/17 10:13), Lachlan Musicman wrote:
>On 3 April 2017 at 19:11, Jakub Hrozek  wrote:
>
>> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
>> >
>> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
>> > their names, libsemanage fails to update:
>> >
>> > eg from recent monthly upgrade cycle:
>> >
>> > Updating   :
>> > selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
>> > 3/14
>> > libsemanage.parse_assert_ch: expected character ':', but found 'f'
>> > (/etc/selinux/targeted/tmp/seusers.local: 5):
>> > lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or
>> > directory).
>> > libsemanage.seuser_parse: could not parse seuser record (No such file or
>> > directory).
>> > libsemanage.dbase_file_cache: could not cache file database (No such file
>> > or directory).
>> > libsemanage.semanage_base_merge_components: could not merge local
>> > modifications into policy (No such file or directory).
>> >
>>
>> Hi,
>> according to my quick testing this is solved with this PR:
>> https://github.com/SSSD/sssd/pull/189
This patch will not help with spaces in name.

It needs to be fixed in selinux-policy or libsemanage.

LS



Re: [Freeipa-users] libsemanage updates fail due to AD user with space

2017-04-03 Thread Lachlan Musicman
On 3 April 2017 at 19:11, Jakub Hrozek  wrote:

> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
> >
> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
> > their names, libsemanage fails to update:
> >
> > eg from recent monthly upgrade cycle:
> >
> > Updating   :
> > selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
> > 3/14
> > libsemanage.parse_assert_ch: expected character ':', but found 'f'
> > (/etc/selinux/targeted/tmp/seusers.local: 5):
> > lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or
> > directory).
> > libsemanage.seuser_parse: could not parse seuser record (No such file or
> > directory).
> > libsemanage.dbase_file_cache: could not cache file database (No such file
> > or directory).
> > libsemanage.semanage_base_merge_components: could not merge local
> > modifications into policy (No such file or directory).
> >
>
> Hi,
> according to my quick testing this is solved with this PR:
> https://github.com/SSSD/sssd/pull/189
> (Please note that we haven't run all regression tests on this PR so I
> can't in fact tell if it's correct or not. The code does look OK,
> though).
>
> I was also able to work around the issue by setting:
> override_space = _
> in sssd.conf
>


Thanks Jakub. The problem with the override_space = _ is that we also have
users with _ in their names. I understand that this could be any character,
but we decided that - given what we know about our AD - any character could
also be in a user name.

Looking forward to seeing the patch in upcoming releases.

Cheers
L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

Re: [Freeipa-users] libsemanage updates fail due to AD user with space

2017-04-03 Thread Jakub Hrozek
On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
> Hola,
> 
> I've reported this issue before (with a different symptom iirc), but
> thought I should mention again, as I have no idea how to competently report
> it to selinux.
> 
> With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
> their names, libsemanage fails to update:
> 
> eg from recent monthly upgrade cycle:
> 
> Updating   :
> selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
> 3/14
> libsemanage.parse_assert_ch: expected character ':', but found 'f'
> (/etc/selinux/targeted/tmp/seusers.local: 5):
> lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or
> directory).
> libsemanage.seuser_parse: could not parse seuser record (No such file or
> directory).
> libsemanage.dbase_file_cache: could not cache file database (No such file
> or directory).
> libsemanage.semanage_base_merge_components: could not merge local
> modifications into policy (No such file or directory).
> 

Hi,
according to my quick testing this is solved with this PR:
https://github.com/SSSD/sssd/pull/189
(Please note that we haven't run all regression tests on this PR so I
can't in fact tell if it's correct or not. The code does look OK,
though).

I was also able to work around the issue by setting:
override_space = _
in sssd.conf



[Freeipa-users] libsemanage updates fail due to AD user with space

2017-04-02 Thread Lachlan Musicman
Hola,

I've reported this issue before (with a different symptom iirc), but
thought I should mention again, as I have no idea how to competently report
it to selinux.

With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
their names, libsemanage fails to update:

eg from recent monthly upgrade cycle:

Updating   :
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
3/14
libsemanage.parse_assert_ch: expected character ':', but found 'f'
(/etc/selinux/targeted/tmp/seusers.local: 5):
lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or
directory).
libsemanage.seuser_parse: could not parse seuser record (No such file or
directory).
libsemanage.dbase_file_cache: could not cache file database (No such file
or directory).
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy (No such file or directory).


cheers
L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
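
A pre-upgrade check for the condition reported in this thread, added here as an example (not code from the posters, SSSD or libsemanage): it lists the records in a seusers-style file whose login field contains whitespace, which is where the quoted `parse_assert_ch` error stops. The `login:seuser[:range]` layout is assumed from the quoted record; the function names and the sample records are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report seusers-style records whose
# login name contains whitespace, the condition behind the parse error above.
# Assumed layout, as in the quoted record: login:seuser[:mls_range]

# find_bad_seusers FILE
# Prints "LINE:RECORD" for each offending record; returns 1 if any were found.
find_bad_seusers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            rec = $0
            sub(/^[ \t]+/, "", rec)             # ignore leading indentation
            colon = index(rec, ":")
            login = (colon > 0) ? substr(rec, 1, colon - 1) : rec
            sub(/[ \t]+$/, "", login)           # padding before ":" is not part of the name
            if (login ~ /[ \t]/) {              # whitespace inside the name itself
                printf "%d:%s\n", NR, rec
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample FILE: constructed sample records, not taken from any real system.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample in seusers.local layout
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
jdoe@example.test:unconfined_u:s0-s0:c0.c1023
doe jane@example.test:unconfined_u:s0-s0:c0.c1023
%ad admins@example.test:staff_u:s0
EOF
}

sample=$(mktemp)
write_sample "$sample"
if ! find_bad_seusers "$sample"; then
    echo "records listed above have whitespace in the login name" >&2
fi
rm -f "$sample"
```

Pointing the function at a copy of the local seusers file before a selinux-policy update shows which mapped logins would trip the parser.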