Re: [Freeipa-users] Cannot login after patching on LXC Container
annot login after patching on LXC Container On (14/02/17 20:06), Nuno Higgs wrote: >Hello all, > >I will reproduce the issue tomorrow morning on a fresh LXC container. >For the sestatus: > ># sestatus >SELinux status: disabled > >That isn’t surprising for the host is not se-enabled, or even a RHEL/CentOS. >The underlining distro supports apparmor profiles. FYI: It is not about distribution but about kernel. >The crappy part is before we did this patch update, everything worked >perfectly, although with SE Disabled. > >I will keep you posted on the LXC test > It would be good to find out which package/update broke it. LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cannot login after patching on LXC Container
On (14/02/17 20:06), Nuno Higgs wrote: >Hello all, > >I will reproduce the issue tomorrow morning on a fresh LXC container. >For the sestatus: > ># sestatus >SELinux status: disabled > >That isnt surprising for the host is not se-enabled, or even a RHEL/CentOS. >The underlining distro supports apparmor profiles. FYI: It is not about distribution but about kernel. >The crappy part is before we did this patch update, everything worked >perfectly, although with SE Disabled. > >I will keep you posted on the LXC test > It would be good to find out which package/update broke it. LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cannot login after patching on LXC Container
Hello all, I will reproduce the issue tomorrow morning on a fresh LXC container. For the sestatus: # sestatus SELinux status: disabled That isnt surprising for the host is not se-enabled, or even a RHEL/CentOS. The underlining distro supports apparmor profiles. The crappy part is before we did this patch update, everything worked perfectly, although with SE Disabled. I will keep you posted on the LXC test Thanks! Nuno -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Lukas Slebodnik Sent: terça-feira, 14 de fevereiro de 2017 19:13 To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container On (14/02/17 18:52), Lukas Slebodnik wrote: >On (14/02/17 18:28), Alexander Bokovoy wrote: >>On ti, 14 helmi 2017, Nuno Higgs wrote: >>> Hello, >>> >>> It worked perfecty. >>> I am wondering why this just popped up now with this patch update. >>> Almost none of our containers hosts (and by inherence the >>> containers) have SELINUX enabled for they are primary for testing, and they are on a secure network. >>> With this version of ipa-client, the host has to have SE enabled for >>> the container to inherit the definitions and policies of it? >>As I said, this was an update in SELinux-related libraries and change >>of behavior there, not in SSSD. It is reproducible in other >>environments as well, see, f.e. >>https://bugzilla.redhat.com/show_bug.cgi?id=1415167 >> >Sorry you are wrong. >This is a different bug. >https://bugzilla.redhat.com/show_bug.cgi?id=1412717 >which is unfortunatelly private. > I thought a little bit and I am not sure which bug is this case. What do "sestatus" inside container? LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cannot login after patching on LXC Container
On (14/02/17 18:52), Lukas Slebodnik wrote: >On (14/02/17 18:28), Alexander Bokovoy wrote: >>On ti, 14 helmi 2017, Nuno Higgs wrote: >>> Hello, >>> >>> It worked perfecty. >>> I am wondering why this just popped up now with this patch update. Almost >>> none of our containers hosts (and by inherence the containers) have SELINUX >>> enabled for they are primary for testing, and they are on a secure network. >>> With this version of ipa-client, the host has to have SE enabled for the >>> container to inherit the definitions and policies of it? >>As I said, this was an update in SELinux-related libraries and change of >>behavior there, not in SSSD. It is reproducible in other environments as >>well, see, f.e. https://bugzilla.redhat.com/show_bug.cgi?id=1415167 >> >Sorry you are wrong. >This is a different bug. >https://bugzilla.redhat.com/show_bug.cgi?id=1412717 >which is unfortunatelly private. > I thought a little bit and I am not sure which bug is this case. What do "sestatus" inside container? LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cannot login after patching on LXC Container
On (14/02/17 16:19), Nuno Higgs wrote: >Hello, > >It worked perfecty. >I am wondering why this just popped up now with this patch update. Almost >none of our containers hosts (and by inherence the containers) have SELINUX >enabled for they are primary for testing, and they are on a secure network. >With this version of ipa-client, the host has to have SE enabled for the >container to inherit the definitions and policies of it? > Could you try to downdrade some packages and find you which package trigger this bug? Or could you provide a reliable reproducer with lxc contianers? LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cannot login after patching on LXC Container
On (14/02/17 18:28), Alexander Bokovoy wrote: >On ti, 14 helmi 2017, Nuno Higgs wrote: >> Hello, >> >> It worked perfecty. >> I am wondering why this just popped up now with this patch update. Almost >> none of our containers hosts (and by inherence the containers) have SELINUX >> enabled for they are primary for testing, and they are on a secure network. >> With this version of ipa-client, the host has to have SE enabled for the >> container to inherit the definitions and policies of it? >As I said, this was an update in SELinux-related libraries and change of >behavior there, not in SSSD. It is reproducible in other environments as >well, see, f.e. https://bugzilla.redhat.com/show_bug.cgi?id=1415167 > Sorry you are wrong. This is a different bug. https://bugzilla.redhat.com/show_bug.cgi?id=1412717 which is unfortunatelly private. Here is an upstream ticket https://fedorahosted.org/sssd/ticket/3308 The interesting is that some user reported that downgrade of ipa python packages fixed the bug as well. 12:23 < lfisher> lslebodn: well the problematic users seem to be ones that haven't been on the host before 12:23 < lfisher> I also noticed if I updated the package, so I did an ipa downgrade on the host (or version change) it started working temporarily 12:24 < lslebodn> which package? 12:25 < lslebodn> sssd? 12:25 < lslebodn> libsemanage? 12:27 < lfisher> well, the ipa-client package and everything that it depends on, so it's like 7 packages 12:27 < lfisher> which may have libsemanage in it, let me check 12:27 < lslebodn> ipa-client is just an installator 12:28 < lslebodn> all important things are done by sssd 12:29 < lfisher> lslebodn: Give me a sec and I'll pull the package list out ... 12:34 < lfisher> ipa-client, ipa-client-common, ipa-common, python2-ipalib, python2-ipaclient 12:34 < lfisher> a downgrade of those solved the problem tempoarily 12:40 < lslebodn> that's weird 12:41 < lslebodn> they are not used by sssd 12:41 < lslebodn> and they should not affect sssd 12:45 < lfisher> lslebodn: yeah, it didn't really make sense, but since even a restart sometimes solves the problem, it just probably kicked something LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cannot login after patching on LXC Container
On ti, 14 helmi 2017, Nuno Higgs wrote: Hello, It worked perfecty. I am wondering why this just popped up now with this patch update. Almost none of our containers hosts (and by inherence the containers) have SELINUX enabled for they are primary for testing, and they are on a secure network. With this version of ipa-client, the host has to have SE enabled for the container to inherit the definitions and policies of it? As I said, this was an update in SELinux-related libraries and change of behavior there, not in SSSD. It is reproducible in other environments as well, see, f.e. https://bugzilla.redhat.com/show_bug.cgi?id=1415167 The workaround is to disable selinux provider in the environment where SELinux is not used until SELinux libraries are fixed. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cannot login after patching on LXC Container
Hello, It worked perfecty. I am wondering why this just popped up now with this patch update. Almost none of our containers hosts (and by inherence the containers) have SELINUX enabled for they are primary for testing, and they are on a secure network. With this version of ipa-client, the host has to have SE enabled for the container to inherit the definitions and policies of it? Again thanks for your help! Nuno -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: terça-feira, 14 de fevereiro de 2017 16:02 To: Nuno Higgs Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container On ti, 14 helmi 2017, Nuno Higgs wrote: >Hello Alexander, > >Here are the logs. I have regenerated the error, because at the first >time I hadn't the debug enabled on the domain part of the sssd.conf. >After enabling the only thing reported on the sssd_domain.log on the >time of the failure is: > >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] >[hbac_eval_user_element] >(0x1000): Added group [openvpn_home_users] for user [nuno] (Tue Feb 14 >15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): [< >hbac_evaluate() >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): >ALLOWED by rule [perimetro_ssh_allow]. >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): >hbac_evaluate() >] >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] >[ipa_hbac_evaluate_rules] >(0x0080): Access granted by HBAC rule [perimetro_ssh_allow] (Tue Feb 14 >15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_done] (0x0400): DP Request >[PAM Account #4]: Request handler finished [0]: Success (Tue Feb 14 >15:24:52 2017) [sssd[be[net.xpto]]] [_dp_req_recv] (0x0400): DP Request >[PAM Account #4]: Receiving request data. >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] >(0x0400): DP Request [PAM Account #4]: Request removed. >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] >(0x0400): Number of active DP request: 0 (Tue Feb 14 15:24:52 2017) >[sssd[be[net.xpto]]] [dp_attach_req] (0x0400): DP Request [PAM SELinux >#5]: New request. Flags []. >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_attach_req] (0x0400): >Number of active DP request: 1 >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_get_selinux_send] >(0x0400): Retrieving SELinux user mapping (Tue Feb 14 15:24:52 2017) >[sssd[be[net.xpto]]] [sdap_get_generic_ext_step] >(0x0400): calling ldap_search_ext with >[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=net,dc=xpto]. >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] >[sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [ipaMigrationEnabled] (Tue Feb 14 15:24:52 >2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [ipaSELinuxUserMapDefault] (Tue Feb 14 >15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [ipaSELinuxUserMapOrder] (Tue Feb 14 >15:24:52 2017) [sssd[be[net.xpto]]] [sdap_parse_entry] (0x1000): >OriginalDN: [cn=ipaConfig,cn=etc,dc=net,dc=xpto]. >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] >[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no >errmsg set (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] >[ipa_selinux_get_maps_next] >(0x0400): Trying to fetch SELinux maps with following parameters: >[2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux >,dc=n >et,dc=xpto] >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] >[sdap_get_generic_ext_step] >(0x0400): calling ldap_search_ext with >[(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc >=net, >dc=xpto]. >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] >[sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [objectClass] (Tue Feb 14 15:24:52 2017) >[sssd[be[net.xpto]]] [sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [cn] >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] >[sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [memberUser] (Tue Feb 14 15:24:52 2017) >[sssd[be[net.xpto]]] [sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [memberHost] (Tue Feb 14 15:24:52 2017) >[sssd[be[net.xpto]]] [sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [seeAlso] >(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] >[sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [ipaSELinuxUser] (Tue Feb 14 15:24:52 2017) >[sssd[be[net.xpto]]] [sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [ipaEnabledFlag] (Tue Feb 14 15:24:52 2017) >[sssd[be[net.xpto]]] [sdap_get_generic_ext_step] >(0x1000): Requesting attrs: [userCategory] (Tue Feb 14 15:24:52 2017) >[sssd[be[net.xpto]]] [sdap_get_ge
Re: [Freeipa-users] Cannot login after patching on LXC Container
On ti, 14 helmi 2017, Nuno Higgs wrote: Hello Alexander, Here are the logs. I have regenerated the error, because at the first time I hadn't the debug enabled on the domain part of the sssd.conf. After enabling the only thing reported on the sssd_domain.log on the time of the failure is: (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_eval_user_element] (0x1000): Added group [openvpn_home_users] for user [nuno] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): [< hbac_evaluate() (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): ALLOWED by rule [perimetro_ssh_allow]. (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): hbac_evaluate() >] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [perimetro_ssh_allow] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_done] (0x0400): DP Request [PAM Account #4]: Request handler finished [0]: Success (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #4]: Receiving request data. (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #4]: Request removed. (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_attach_req] (0x0400): DP Request [PAM SELinux #5]: New request. Flags []. (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=net,dc=xpto]. (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaMigrationEnabled] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapDefault] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUserMapOrder] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipaConfig,cn=etc,dc=net,dc=xpto]. (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=n et,dc=xpto] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=net, dc=xpto]. (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [seeAlso] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSELinuxUser] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaEnabledFlag] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found! (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sysdb_delete_entry] (0x0080): sysdb_delete_ts_entry failed: 0 (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument] ^^ this is the issue. There was a change in behavior in libselinux that caused the library to fail every time it is run in an environment where it cannot i
Re: [Freeipa-users] Cannot login after patching on LXC Container
2017) [sssd[be[net.xpto]]] [_dp_req_recv] (0x0400): DP Request [PAM SELinux #5]: Receiving request data. (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #5]: Request removed. (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #4]: Sending result [4][net.xpto] (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [child_sig_handler] (0x1000): Waiting for child [10326]. (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [child_sig_handler] (0x0020): child [10326] failed with status [1]. Thanks, Nuno -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: terça-feira, 14 de fevereiro de 2017 15:23 To: Nuno Higgs Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container On ti, 14 helmi 2017, Nuno Higgs wrote: >Hello Lucas, > >No, the account is neither locked nor expired. That's the weird part. >On other Centos7 / RHEL7 I can login without any issues. > > >[root@ipa2 ~]# ipa user-status nuno >--- >Account disabled: False >--- > Server: ipa1 > Failed logins: 0 > Last successful authentication: 20170214150453Z > Last failed authentication: 20170213170252Z > Time now: 2017-02-14T15:06:21Z > > Server: ipa2 > Failed logins: 0 > Last successful authentication: 20170214150047Z > Last failed authentication: 20170214124638Z > Time now: 2017-02-14T15:06:23Z > >Number of entries returned 2 > > >I've also enabled the sssd. There is no evidence of where the problem is: > >(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): >command: SSS_PAM_AUTHENTICATE (Tue Feb 14 15:11:54 2017) [sssd[pam]] >[pam_print_data] (0x0100): domain: domain.com (Tue Feb 14 15:11:54 >2017) [sssd[pam]] [pam_print_data] (0x0100): user: n...@domain.com (Tue >Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): service: >sshd (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): >tty: ssh (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] >(0x0100): ruser: not set (Tue Feb 14 15:11:54 2017) [sssd[pam]] >[pam_print_data] (0x0100): rhost: 172.16.0.10 (Tue Feb 14 15:11:54 >2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Tue Feb >14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok >type: 0 (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] >(0x0100): priv: 1 (Tue Feb 14 15:11:54 2017) [sssd[pam]] >[pam_print_data] (0x0100): cli_pid: 9475 (Tue Feb 14 15:11:54 2017) >[sssd[pam]] [pam_print_data] (0x0100): logon name: nuno (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com] (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success. >(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success. >(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 68 >(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): >entering pam_cmd_acct_mgmt (Tue Feb 14 15:11:55 2017) [sssd[pam]] >[sss_parse_name_for_domains] (0x0200): name 'nuno' matched without >domain, user is nuno (Tue Feb 14 15:11:55 2017) [sssd[pam]] >[pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT (Tue Feb 14 >15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set >(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: >nuno (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): >service: sshd (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] >(0x0100): tty: ssh (Tue Feb 14 15:11:55 2017) [sssd[pam]] >[pam_print_data] (0x0100): ruser: not set (Tue Feb 14 15:11:55 2017) >[sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10 (Tue Feb 14 >15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 >(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): >newauthtok type: 0 (Tue Feb 14 15:11:55 2017) [sssd[pam]] >[pam_print_data] (0x0100): priv: 1 (Tue Feb 14 15:11:55 2017) >[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475 (Tue Feb 14 >15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [n...@domain.com] (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [n...@domain.com@domain.com] (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pd_set_primary_name] (0x0
Re: [Freeipa-users] Cannot login after patching on LXC Container
On ti, 14 helmi 2017, Nuno Higgs wrote: Hello Lucas, No, the account is neither locked nor expired. That's the weird part. On other Centos7 / RHEL7 I can login without any issues. [root@ipa2 ~]# ipa user-status nuno --- Account disabled: False --- Server: ipa1 Failed logins: 0 Last successful authentication: 20170214150453Z Last failed authentication: 20170213170252Z Time now: 2017-02-14T15:06:21Z Server: ipa2 Failed logins: 0 Last successful authentication: 20170214150047Z Last failed authentication: 20170214124638Z Time now: 2017-02-14T15:06:23Z Number of entries returned 2 I've also enabled the sssd. There is no evidence of where the problem is: (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): user: n...@domain.com (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10 (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475 (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno (Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com] (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success. (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success. (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 68 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt (Tue Feb 14 15:11:55 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'nuno' matched without domain, user is nuno (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: nuno (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [n...@domain.com] (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [n...@domain.com@domain.com] (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is n...@domain.com (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: n...@domain.com (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475 (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno (Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp
Re: [Freeipa-users] Cannot login after patching on LXC Container
d_req returned 0 (Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][domain.com] (Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error. (Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 25 (Tue Feb 14 15:11:56 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected! Also remember that this configuration works perfectly if it is a KVM or a LXC. Thanks. Nuno -Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: terça-feira, 14 de fevereiro de 2017 14:55 To: Nuno Higgs Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container On (14/02/17 13:00), Nuno Higgs wrote: >Hello All, > > > >I have a LXC container running Centos7, fully patched that i can't >login into in a standard IPA usage configuration: > > >Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied >for user nuno 4 (System error) > System error means unexpected state for sssd. I would recommend to follow sssd troubleshooting wiki https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthenticationPasswordChangeandAccessControl >Feb 13 19:42:07 lxc1 sshd[1536]: Failed password for nuno from >172.16.0.10 port 54461 ssh2 > >Feb 13 19:42:07 lxc1 sshd[1536]: fatal: Access denied for user nuno by >PAM account configuration [preauth] > >Feb 13 19:43:42 lxc1 sshd[1553]: Connection closed by 172.16.3.253 >[preauth] > >Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:auth): authentication >success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.3.253 >user=nuno > >Feb 13 19:53:04 lxc1 sshd[1632]: error: PAM: User account has expired >for nuno from 172.16.3.253 > This error is little bit later but I think it is clear enough. The account is expired. LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cannot login after patching on LXC Container
On (14/02/17 13:00), Nuno Higgs wrote: >Hello All, > > > >I have a LXC container running Centos7, fully patched that i can't login >into in a standard IPA usage configuration: > > >Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied for >user nuno 4 (System error) > System error means unexpected state for sssd. I would recommend to follow sssd troubleshooting wiki https://fedorahosted.org/sssd/wiki/Troubleshooting#TroubleshootingAuthenticationPasswordChangeandAccessControl >Feb 13 19:42:07 lxc1 sshd[1536]: Failed password for nuno from 172.16.0.10 >port 54461 ssh2 > >Feb 13 19:42:07 lxc1 sshd[1536]: fatal: Access denied for user nuno by PAM >account configuration [preauth] > >Feb 13 19:43:42 lxc1 sshd[1553]: Connection closed by 172.16.3.253 [preauth] > >Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:auth): authentication success; >logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.3.253 user=nuno > >Feb 13 19:53:04 lxc1 sshd[1632]: error: PAM: User account has expired for >nuno from 172.16.3.253 > This error is little bit later but I think it is clear enough. The account is expired. LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Cannot login after patching on LXC Container
Hello All, I have a LXC container running Centos7, fully patched that i can't login into in a standard IPA usage configuration: Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied for user nuno 4 (System error) Feb 13 19:42:07 lxc1 sshd[1536]: Failed password for nuno from 172.16.0.10 port 54461 ssh2 Feb 13 19:42:07 lxc1 sshd[1536]: fatal: Access denied for user nuno by PAM account configuration [preauth] Feb 13 19:43:42 lxc1 sshd[1553]: Connection closed by 172.16.3.253 [preauth] Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.3.253 user=nuno Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:account): Access denied for user nuno: 4 (System error) Feb 13 19:53:04 lxc1 sshd[1632]: error: PAM: User account has expired for nuno from 172.16.3.253 Before the patching I was able to login without any issue with this user. The user or password are not expired, and continue to work perfectly on other systems Centos7 without the patch. This only appears on LXC systems. I've tried to install a fresh centos7 on KVM and it works perfectly. I've done a fresh LXC deployment, and the issue remains. The workaround I found is to comment out the following line on /etc/pam.d/password-auth: #account [default=bad success=ok user_unknown=ignore] pam_sss.so Without this line I am able to login perfectly. The versions are on the client side: Centos7 python2-ipalib-4.4.0-14.el7.centos.4.noarch sssd-ipa-1.14.0-43.el7_3.11.x86_64 python-iniparse-0.4-9.el7.noarch python-libipa_hbac-1.14.0-43.el7_3.11.x86_64 ipa-common-4.4.0-14.el7.centos.4.noarch ipa-client-common-4.4.0-14.el7.centos.4.noarch python2-ipaclient-4.4.0-14.el7.centos.4.noarch libipa_hbac-1.14.0-43.el7_3.11.x86_64 ipa-client-4.4.0-14.el7.centos.4.x86_64 ipa-python-compat-4.4.0-14.el7.centos.4.noarch python-ipaddress-1.0.16-2.el7.noarch On the IPA server: Centos7 python-libipa_hbac-1.14.0-43.el7_3.4.x86_64 python-iniparse-0.4-9.el7.noarch sssd-ipa-1.14.0-43.el7_3.4.x86_64 ipa-client-4.4.0-14.el7.centos.x86_64 ipa-admintools-4.4.0-14.el7.centos.noarch ipa-server-4.4.0-14.el7.centos.x86_64 ipa-client-common-4.4.0-14.el7.centos.noarch python-ipaddress-1.0.16-2.el7.noarch python2-ipaclient-4.4.0-14.el7.centos.noarch python2-ipaserver-4.4.0-14.el7.centos.noarch python2-ipalib-4.4.0-14.el7.centos.noarch ipa-server-common-4.4.0-14.el7.centos.noarch ipa-server-dns-4.4.0-14.el7.centos.noarch ipa-python-compat-4.4.0-14.el7.centos.noarch libipa_hbac-1.14.0-43.el7_3.4.x86_64 ipa-common-4.4.0-14.el7.centos.noarch I think it might be lxc permissions related. I am using the lxc template for Centos7: lxc.cap.drop = sys_nice sys_pacct sys_rawio What am I missing? Thanks for your help. Nuno -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
