Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
On 18 July 2016 at 18:26, Jakub Hrozek wrote:

> On Mon, Jul 18, 2016 at 09:33:35AM +1000, Lachlan Musicman wrote:
> > Ok, I've just spoken with my colleague that has been involved in the IPA
> > roll out, and he said he thought that override_space wasn't compatible with
> > ID overrides?
>
> I haven't tested that to be honest. But just using my knowledge of the
> code as a basis, I would say the two should be compatible, especially
> with 1.14.0 where we decoupled the output from how we store users. But
> again, I haven't tested any of this.
>
> > Either way, since we have a working system we are reticent to make too many
> > changes - soon we will have a test system in place and I will be able to
> > check it then?
>
> selinux_provider=none should be an easy workaround if you don't use the
> SELinux labels. I still have an item on my todo list to test this
> locally, I think I will get to that this week.

For what it's worth, we implemented the override_space=_ option.

This has failed, of course, because we had a user with an _ in their username, and sssd went looking for test user instead of test_user, which caused all kinds of issues.

We have gone back to selinux_provider=none

L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
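An added example, not part of the thread and not SSSD or libsemanage code: a Python pre-flight audit for the two failure modes discussed above, the seusers record that fails to parse because the name contains a space, and the override_space=_ lookup that turns test_user into test user. The parse check is a simplified model of the logged error, the reverse mapping models the behaviour reported in the message above, and every user name is constructed sample data.

```python
# Added example: pre-flight audit before setting override_space in sssd.conf.
# All user names below are constructed sample data.

def seusers_parse_error(record):
    """Simplified model of the logged failure: the name token ends at the
    first whitespace and the next character must be ':'."""
    name_field = record.split(":", 1)[0]
    tokens = name_field.split(None, 1)
    if len(tokens) > 1:
        return "expected character ':', but found %r" % tokens[1][0]
    return None

def reverse_lookup_name(name, repl="_"):
    """Model of the behaviour reported in the thread: on lookup the
    replacement character is mapped back to a space."""
    return name.replace(repl, " ")

def audit_override_space(names, repl="_"):
    """Classify directory names before choosing repl as override_space."""
    existing = set(names)
    report = {"needs_override": [], "ambiguous": [], "collides": []}
    for name in names:
        if " " in name:
            # A space in the name is what breaks the seusers record.
            report["needs_override"].append(name)
            if name.replace(" ", repl) in existing:
                # The rewritten name is already taken by another account.
                report["collides"].append(name)
        if repl in name:
            # This name would be looked up under a different spelling.
            report["ambiguous"].append(name)
    return report

SAMPLE_NAMES = ["ellul jason", "test_user", "galaxy", "jo smith", "jo_smith"]

if __name__ == "__main__":
    record = "ellul jason@example.test:unconfined_u:s0-s0:c0.c1023"
    print(seusers_parse_error(record))
    for kind, hits in audit_override_space(SAMPLE_NAMES).items():
        print(kind, hits)
```

A non-empty "ambiguous" or "collides" list means the chosen replacement character is unsafe for that directory; another character can be tested by passing a different `repl`.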
Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
On Mon, Jul 18, 2016 at 09:33:35AM +1000, Lachlan Musicman wrote:
> Ok, I've just spoken with my colleague that has been involved in the IPA
> roll out, and he said he thought that override_space wasn't compatible with
> ID overrides?

I haven't tested that to be honest. But just using my knowledge of the
code as a basis, I would say the two should be compatible, especially
with 1.14.0 where we decoupled the output from how we store users. But
again, I haven't tested any of this.

> Either way, since we have a working system we are reticent to make too many
> changes - soon we will have a test system in place and I will be able to
> check it then?

selinux_provider=none should be an easy workaround if you don't use the
SELinux labels. I still have an item on my todo list to test this
locally, I think I will get to that this week.
Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
Ok, I've just spoken with my colleague that has been involved in the IPA roll out, and he said he thought that override_space wasn't compatible with ID overrides?

Either way, since we have a working system we are reticent to make too many changes - soon we will have a test system in place and I will be able to check it then?

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

On 15 July 2016 at 20:17, Lachlan Musicman wrote:

> Won't be able to check until Monday morning (Australia's weekend has
> started) but can check, yes.
>
> And the reason I reported to you is because you will have more weight with
> selinux bug tickets than I would.
>
> cheers
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this way."
> - Grace Hopper
>
> On 15 July 2016 at 18:05, Jakub Hrozek wrote:
>
>> On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
>> > On (15/07/16 12:56), Lachlan Musicman wrote:
>> > >This line:
>> > >
>> > >We have SELinux disabled on all of our servers, but we hadn't disabled this
>> > >check in sssd.conf. So we enabled it in sssd.conf and everything worked
>> > >fine.
>> > >
>> > >Should read that we *disabled* selinux.
>> > >
>> > >selinux_provider = none
>> > Could you also try another solution?
>> > put "override_space = _" into "sssd" section in sssd.conf
>> > and restart sssd.
>> >
>> > As a result of this space will be replaced with underscore
>> > and libsemanage should not complain.
>> >
>> > @see man sssd.conf -> override_space
>>
>> This is either a bug in semanage, we should file one and ask the
>> semanage developers if there is a proper way to quote the spaces.
>>
>> But yes, selinux_provider=none would disable this area of code.
Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
Won't be able to check until Monday morning (Australia's weekend has started) but can check, yes.

And the reason I reported to you is because you will have more weight with selinux bug tickets than I would.

cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

On 15 July 2016 at 18:05, Jakub Hrozek wrote:

> On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
> > On (15/07/16 12:56), Lachlan Musicman wrote:
> > >This line:
> > >
> > >We have SELinux disabled on all of our servers, but we hadn't disabled this
> > >check in sssd.conf. So we enabled it in sssd.conf and everything worked
> > >fine.
> > >
> > >Should read that we *disabled* selinux.
> > >
> > >selinux_provider = none
> > Could you also try another solution?
> > put "override_space = _" into "sssd" section in sssd.conf
> > and restart sssd.
> >
> > As a result of this space will be replaced with underscore
> > and libsemanage should not complain.
> >
> > @see man sssd.conf -> override_space
>
> This is either a bug in semanage, we should file one and ask the
> semanage developers if there is a proper way to quote the spaces.
>
> But yes, selinux_provider=none would disable this area of code.
Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
> On (15/07/16 12:56), Lachlan Musicman wrote:
> >This line:
> >
> >We have SELinux disabled on all of our servers, but we hadn't disabled this
> >check in sssd.conf. So we enabled it in sssd.conf and everything worked
> >fine.
> >
> >Should read that we *disabled* selinux.
> >
> >selinux_provider = none
> Could you also try another solution?
> put "override_space = _" into "sssd" section in sssd.conf
> and restart sssd.
>
> As a result of this space will be replaced with underscore
> and libsemanage should not complain.
>
> @see man sssd.conf -> override_space

This is either a bug in semanage, we should file one and ask the
semanage developers if there is a proper way to quote the spaces.

But yes, selinux_provider=none would disable this area of code.
Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
On (15/07/16 12:56), Lachlan Musicman wrote:
>This line:
>
>We have SELinux disabled on all of our servers, but we hadn't disabled this
>check in sssd.conf. So we enabled it in sssd.conf and everything worked
>fine.
>
>Should read that we *disabled* selinux.
>
>selinux_provider = none

Could you also try another solution?
put "override_space = _" into "sssd" section in sssd.conf
and restart sssd.

As a result of this space will be replaced with underscore
and libsemanage should not complain.

@see man sssd.conf -> override_space

LS
Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names
This line:

We have SELinux disabled on all of our servers, but we hadn't disabled this check in sssd.conf. So we enabled it in sssd.conf and everything worked fine.

Should read that we *disabled* selinux.

selinux_provider = none

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

On 15 July 2016 at 11:27, Lachlan Musicman wrote:

> Hey,
>
> While hunting this sssd/hbac/AD user problem, I noticed in the
> selinux_child.log a lot of errors that look like this:
>
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [get_seuser]
> (0x0020): Cannot query for galaxy
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/tmp//seusers.final: 10):
> ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [set_seuser]
> (0x0020): Cannot verify the SELinux user
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [main] (0x0020):
> Cannot set SELinux login context.
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [main] (0x0020):
> selinux_child failed!
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [main] (0x0400):
> selinux_child started.
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [main] (0x0400):
> context initialized
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [main] (0x0400):
> performing selinux operations
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/active//seusers.final: 10):
> ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [get_seuser]
> (0x0020): Cannot query for simpsonlach...@petermac.org.au
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/tmp//seusers.final: 10):
> ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [set_seuser]
> (0x0020): Cannot verify the SELinux user
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [main] (0x0020):
> Cannot set SELinux login context.
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504 [main] (0x0020):
> selinux_child failed!
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [main] (0x0400):
> selinux_child started.
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [main] (0x0400):
> context initialized
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [main] (0x0400):
> performing selinux operations
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/active//seusers.final: 10):
> ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [get_seuser]
> (0x0020): Cannot query for madhamshettiwar p...@petermac.org.au
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585 [libsemanage]
> (0x0020): expected character ':', but f