Hello Alexander,

Here are the logs. I have regenerated the error, because the first time I didn't have debug enabled in the domain section of sssd.conf. After enabling it, the only thing reported in sssd_domain.log at the time of the failure is:
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_eval_user_element] (0x1000): Added group [openvpn_home_users] for user [nuno]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): [< hbac_evaluate()
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): ALLOWED by rule [perimetro_ssh_allow].
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [perimetro_ssh_allow]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_done] (0x0400): DP Request [PAM Account #4]: Request handler finished [0]: Success
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #4]: Receiving request data.
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #4]: Request removed.
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_attach_req] (0x0400): DP Request [PAM SELinux #5]: New request. Flags [0000].
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=net,dc=xpto].
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaMigrationEnabled]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapDefault]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapOrder]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=net,dc=xpto].
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=net,dc=xpto]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=net,dc=xpto].
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_done] (0x0400): DP Request [PAM SELinux #5]: Request handler finished [0]: Success
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [_dp_req_recv] (0x0400): DP Request [PAM SELinux #5]: Receiving request data.
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #5]: Request removed.
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #4]: Sending result [4][net.xpto]
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [child_sig_handler] (0x1000): Waiting for child [10326].
(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [child_sig_handler] (0x0020): child [10326] failed with status [1].

Thanks,
Nuno

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, 14 February 2017 15:23
To: Nuno Higgs
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container

On Tue, 14 Feb 2017, Nuno Higgs wrote:
>Hello Lucas,
>
>No, the account is neither locked nor expired. That's the weird part.
>On other Centos7 / RHEL7 I can log in without any issues.
>
>
>[root@ipa2 ~]# ipa user-status nuno
>-----------------------
>Account disabled: False
>-----------------------
> Server: ipa1
> Failed logins: 0
> Last successful authentication: 20170214150453Z
> Last failed authentication: 20170213170252Z
> Time now: 2017-02-14T15:06:21Z
>
> Server: ipa2
> Failed logins: 0
> Last successful authentication: 20170214150047Z
> Last failed authentication: 20170214124638Z
> Time now: 2017-02-14T15:06:23Z
>----------------------------
>Number of entries returned 2
>----------------------------
>
>I've also enabled the sssd. There is no evidence of where the problem is:
>
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): user: n...@domain.com
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
>(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com]
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 68
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'nuno' matched without domain, user is nuno
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: nuno
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [n...@domain.com]
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [n...@domain.com@domain.com]
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is n...@domain.com
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: n...@domain.com
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
>(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
>(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][domain.com]
>(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.

Domain log will have details on what has happened at account PAM stage.
Please provide that log, correlated by time with pam log (15:11:55-15:11:56).

--
/ Alexander Bokovoy
sssd.tar.gz
Description: GNU Zip compressed data
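
The reply quoted above asks for the domain log correlated by time with the PAM log. As an added example (not part of the original thread and not SSSD's own tooling), this Python script parses SSSD debug entries, including ones run together as on this page, and lists the failure-level entries inside a time window; the function names and the 0x0040 default cutoff are choices made for this example.

```python
import re
from datetime import datetime

# One SSSD debug entry: (timestamp) [process] [function] (0xLEVEL): message.
# The lookahead ends a message at the next timestamp, so this also works on
# log text whose line breaks were lost in mail or archive rendering.
TS = r"\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}"
ENTRY = re.compile(
    r"\((?P<ts>" + TS + r")\) \[(?P<proc>sssd\[.*?\]+)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]{4})\): "
    r"(?P<msg>.*?)(?=\s*\(" + TS + r"\) \[sssd|\s*\Z)",
    re.S,
)

def parse(text):
    """Split SSSD debug output into dicts, one per entry."""
    return [
        {
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "proc": m["proc"],
            "func": m["func"],
            "level": int(m["level"], 16),
            "msg": m["msg"].strip(),
        }
        for m in ENTRY.finditer(text)
    ]

def failures(entries, start, end, max_level=0x0040):
    """Entries inside [start, end] logged at a failure level.

    SSSD levels: 0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor.
    The default stops at 0x0040 because in the excerpt below the successful
    HBAC decision is itself logged at 0x0080.
    """
    return [e for e in entries
            if start <= e["time"] <= end and e["level"] <= max_level]

# Entries excerpted from the domain log in this thread, run together the way
# they appear on the page.
DOMAIN_LOG = (
    "(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [perimetro_ssh_allow] "
    "(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found! "
    "(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument] "
    "(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #4]: Sending result [4][net.xpto] "
    "(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [child_sig_handler] (0x0020): child [10326] failed with status [1]."
)

if __name__ == "__main__":
    t = datetime(2017, 2, 14, 15, 24, 52)
    for e in failures(parse(DOMAIN_LOG), t, t):
        print(hex(e["level"]), e["func"], e["msg"])
```

Passing `max_level=0x0080` widens the filter to minor failures, which on this excerpt also returns the HBAC "Access granted" entry.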