This line: We have SELinux disabled on all of our servers, but we hadn't disabled this check in sssd.conf. So we enabled it in sssd.conf and everything worked fine.
Should read that we *disabled* selinux.

selinux_provider = none

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 15 July 2016 at 11:27, Lachlan Musicman <data...@gmail.com> wrote:

> Hey,
>
> While hunting this sssd/hbac/AD user problem, I noticed in the selinux_child.log a lot of errors that look like this:
>
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not parse seuser record
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not cache file database
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not enter read-only section
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [get_seuser] (0x0020): Cannot query for galaxy
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/tmp//seusers.final: 10): ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not parse seuser record
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not cache file database
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage] (0x0020): could not enter read-only section
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [set_seuser] (0x0020): Cannot verify the SELinux user
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020): Cannot set SELinux login context.
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020): selinux_child failed!
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400): selinux_child started.
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400): context initialized
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400): performing selinux operations
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/active//seusers.final: 10): ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not parse seuser record
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not cache file database
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not enter read-only section
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [get_seuser] (0x0020): Cannot query for simpsonlach...@petermac.org.au
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/tmp//seusers.final: 10): ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not parse seuser record
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not cache file database
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage] (0x0020): could not enter read-only section
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [set_seuser] (0x0020): Cannot verify the SELinux user
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020): Cannot set SELinux login context.
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020): selinux_child failed!
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400): selinux_child started.
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400): context initialized
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400): performing selinux operations
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/active//seusers.final: 10): ellul ja...@petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): could not parse seuser record
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): could not cache file database
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): could not enter read-only section
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [get_seuser] (0x0020): Cannot query for madhamshettiwar p...@petermac.org.au
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage] (0x0020): expected character ':', but found 'j' (/etc/selinux/targeted/modules/tmp//seusers.final: 10):
>
>
>
> We have SELinux disabled on all of our servers, but we hadn't disabled this check in sssd.conf. So we enabled it in sssd.conf and everything worked fine.
>
> But it should be noted that this check seems to be failing on a space in the AD user names.
>
> (I know, spaces in user names is weird, wrong and embarrassing, but it's not my department. A fantastic example of Technical Debt and why project planning and testing are best done before implementation.)
>
> cheers
> L.
> ------
> The most dangerous phrase in the language is, "We've always done it this way."
>
> - Grace Hopper
>
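The parse failure in the quoted log, reproduced as an added example for this thread (it is not code from sssd or libsemanage, and the names and addresses in it are constructed, not the real ones from the log). The tokenising rule is modelled on what the log shows: the login name is read up to the first whitespace or ':', so a login such as "ellul ja..." leaves the parser looking at the character after the space, hence "expected character ':', but found 'j'". Run over seusers-format text, it lists every record that would be rejected, with its line number, before selinux_child hits it at login time:

```python
"""Checker for seusers-style records (login:seuser[:mls_range]).

Added example, not sssd or libsemanage code. The tokenising rule below is
modelled on the selinux_child.log output in the thread (login read up to
the first whitespace or ':'), not copied from libsemanage.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SeuserRecord:
    line_no: int
    login: str
    seuser: str
    mls_range: str  # empty when the record carries no MLS range


@dataclass
class SeuserParseError:
    line_no: int
    message: str
    text: str

    def __str__(self) -> str:
        return f"{self.message} (seusers: {self.line_no}): {self.text}"


def _take_token(s: str, pos: int) -> Tuple[str, int]:
    """Consume a run of non-whitespace, non-':' characters starting at pos,
    then skip any whitespace that follows; return (token, new position)."""
    token = re.match(r"[^\s:]*", s[pos:]).group(0)
    pos += len(token)
    while pos < len(s) and s[pos].isspace():
        pos += 1
    return token, pos


def parse_seusers(text: str) -> Tuple[List[SeuserRecord], List[SeuserParseError]]:
    """Parse every record; records the tokenising rule rejects go to the
    error list with the same 'expected character' wording as the log."""
    records: List[SeuserRecord] = []
    errors: List[SeuserParseError] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        login, pos = _take_token(line, 0)
        if not login:
            errors.append(SeuserParseError(line_no, "empty login name", raw))
            continue
        if pos >= len(line) or line[pos] != ":":
            # A space inside the login name ends up here: the token stopped
            # at the space and the next non-blank character is not ':'.
            found = line[pos] if pos < len(line) else "end of line"
            errors.append(SeuserParseError(
                line_no, f"expected character ':', but found '{found}'", raw))
            continue

        seuser, pos = _take_token(line, pos + 1)
        if not seuser:
            errors.append(SeuserParseError(line_no, "empty SELinux user", raw))
            continue

        # The MLS range is optional and may itself contain ':' (s0-s0:c0.c1023),
        # so take everything after the second ':' up to the next whitespace.
        mls_range = ""
        if pos < len(line) and line[pos] == ":":
            rest = line[pos + 1:].split()
            mls_range = rest[0] if rest else ""
        records.append(SeuserRecord(line_no, login, seuser, mls_range))
    return records, errors


# Constructed sample in seusers format (not taken from the thread).
SAMPLE = "\n".join([
    "# constructed sample seusers data",
    "system_u:system_u:s0-s0:c0.c1023",
    "root:unconfined_u:s0-s0:c0.c1023",
    "__default__:unconfined_u:s0-s0:c0.c1023",
    "alice@example.com:unconfined_u:s0-s0:c0.c1023",
    "example user@example.com:unconfined_u:s0-s0:c0.c1023",  # space in login
    "bob:staff_u",  # no MLS range
])


def main() -> None:
    records, errors = parse_seusers(SAMPLE)
    for err in errors:
        print(err)
    print(f"{len(records)} records parsed, {len(errors)} rejected")


if __name__ == "__main__":
    main()
```

Pointing parse_seusers at the contents of /etc/selinux/targeted/seusers (or the seusers.final the log names) gives the same line number libsemanage reports, so the offending AD account can be found without waiting for a failed login. Setting selinux_provider = none, as done in the thread, only sidesteps the check; it is appropriate where SELinux is disabled, but on an enforcing host the users whose names contain a space would still not get a login context until the names are fixed.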
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project