Re: [Freeipa-users] libsemanage updates fail due to AD user with space
On (04/04/17 09:32), Lukas Slebodnik wrote:
>On (04/04/17 10:13), Lachlan Musicman wrote:
>>On 3 April 2017 at 19:11, Jakub Hrozek wrote:
>>
>>> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
>>> >
>>> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
>>> > their names, libsemanage fails to update:
>>> >
>>> > eg from recent monthly upgrade cycle:
>>> >
>>> > Updating : selinux-policy-targeted-3.13.1-102.el7_3.16.noarch 3/14
>>> > libsemanage.parse_assert_ch: expected character ':', but found 'f'
>>> > (/etc/selinux/targeted/tmp/seusers.local: 5):
>>> > lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or
>>> > directory).
>>> > libsemanage.seuser_parse: could not parse seuser record (No such file or
>>> > directory).
>>> > libsemanage.dbase_file_cache: could not cache file database (No such file
>>> > or directory).
>>> > libsemanage.semanage_base_merge_components: could not merge local
>>> > modifications into policy (No such file or directory).
>>> >
>>>
>>> Hi,
>>> according to my quick testing this is solved with this PR:
>>> https://github.com/SSSD/sssd/pull/189
>This patch will not help with spaces in name.
>
>it needs to be fixed in selinux-policy or libsemanage.
>

It looks like it happens with each upgrade of selinux-policy.
I assume it might be some missing quoting in rpm bash scriptlet.

It should not be difficult to reproduce and file a bug.
Feel free to add to CC my mail.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] libsemanage updates fail due to AD user with space
On (04/04/17 10:13), Lachlan Musicman wrote:
>On 3 April 2017 at 19:11, Jakub Hrozek wrote:
>
>> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
>> >
>> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
>> > their names, libsemanage fails to update:
>> >
>> > eg from recent monthly upgrade cycle:
>> >
>> > Updating : selinux-policy-targeted-3.13.1-102.el7_3.16.noarch 3/14
>> > libsemanage.parse_assert_ch: expected character ':', but found 'f'
>> > (/etc/selinux/targeted/tmp/seusers.local: 5):
>> > lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or
>> > directory).
>> > libsemanage.seuser_parse: could not parse seuser record (No such file or
>> > directory).
>> > libsemanage.dbase_file_cache: could not cache file database (No such file
>> > or directory).
>> > libsemanage.semanage_base_merge_components: could not merge local
>> > modifications into policy (No such file or directory).
>> >
>>
>> Hi,
>> according to my quick testing this is solved with this PR:
>> https://github.com/SSSD/sssd/pull/189

This patch will not help with spaces in name.

it needs to be fixed in selinux-policy or libsemanage.

LS

Re: [Freeipa-users] libsemanage updates fail due to AD user with space
On 3 April 2017 at 19:11, Jakub Hrozek wrote:

> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
> >
> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
> > their names, libsemanage fails to update:
> >
> > eg from recent monthly upgrade cycle:
> >
> > Updating : selinux-policy-targeted-3.13.1-102.el7_3.16.noarch 3/14
> > libsemanage.parse_assert_ch: expected character ':', but found 'f'
> > (/etc/selinux/targeted/tmp/seusers.local: 5):
> > lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or
> > directory).
> > libsemanage.seuser_parse: could not parse seuser record (No such file or
> > directory).
> > libsemanage.dbase_file_cache: could not cache file database (No such file
> > or directory).
> > libsemanage.semanage_base_merge_components: could not merge local
> > modifications into policy (No such file or directory).
> >
>
> Hi,
> according to my quick testing this is solved with this PR:
> https://github.com/SSSD/sssd/pull/189
> (Please note that we haven't run all regression tests on this PR so I
> can't in fact tell if it's correct or not. The code does look OK,
> though).
>
> I was also able to work around the issue by setting:
>     override_space = _
> in sssd.conf
>

Thanks Jakub.

The problem with the override_space = _ is that we also have users with _ in
their names. I understand that this could be any character, but we decided
that - given what we know about our AD - any character could also be in a
user name.

Looking forward to seeing the patch in upcoming releases.

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

Re: [Freeipa-users] libsemanage updates fail due to AD user with space
On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
> Hola,
>
> I've reported this issue before (with a different symptom iirc), but
> thought I should mention again, as I have no idea how to competently report
> it to selinux.
>
> With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
> their names, libsemanage fails to update:
>
> eg from recent monthly upgrade cycle:
>
> Updating : selinux-policy-targeted-3.13.1-102.el7_3.16.noarch 3/14
> libsemanage.parse_assert_ch: expected character ':', but found 'f'
> (/etc/selinux/targeted/tmp/seusers.local: 5):
> lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or
> directory).
> libsemanage.seuser_parse: could not parse seuser record (No such file or
> directory).
> libsemanage.dbase_file_cache: could not cache file database (No such file
> or directory).
> libsemanage.semanage_base_merge_components: could not merge local
> modifications into policy (No such file or directory).
>

Hi,
according to my quick testing this is solved with this PR:
https://github.com/SSSD/sssd/pull/189
(Please note that we haven't run all regression tests on this PR so I
can't in fact tell if it's correct or not. The code does look OK,
though).

I was also able to work around the issue by setting:
    override_space = _
in sssd.conf

[Freeipa-users] libsemanage updates fail due to AD user with space
Hola,

I've reported this issue before (with a different symptom iirc), but
thought I should mention again, as I have no idea how to competently report
it to selinux.

With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
their names, libsemanage fails to update:

eg from recent monthly upgrade cycle:

Updating : selinux-policy-targeted-3.13.1-102.el7_3.16.noarch 3/14
libsemanage.parse_assert_ch: expected character ':', but found 'f'
(/etc/selinux/targeted/tmp/seusers.local: 5):
lastname firstn...@domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or
directory).
libsemanage.seuser_parse: could not parse seuser record (No such file or
directory).
libsemanage.dbase_file_cache: could not cache file database (No such file
or directory).
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy (No such file or directory).

cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
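
The parse error quoted in this thread can be reproduced offline with a small checker. This is an added example, not code from libsemanage or from any poster: the tokenizing rule (a field ends at ':' or whitespace, after which ':' must follow) is an assumed simplification, and the sample records are constructed.

```python
import re

# Constructed sample in the login:seuser:mls-range layout seen in the thread.
# All names are made up; line 5 has a space inside the login field.
SAMPLE = """\
# constructed sample, not a real system file
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
%wheel:staff_u:s0-s0:c0.c1023
lastname firstname@example.com:unconfined_u:s0-s0:c0.c1023
first_last@example.com:unconfined_u:s0-s0:c0.c1023
"""

TOKEN = re.compile(r"[^:\s]+")  # assumed rule: a field stops at ':' or space

def check_record(line):
    """Return None if the record tokenizes, else a diagnostic string."""
    pos = 0
    for field in ("login", "seuser"):
        m = TOKEN.match(line, pos)
        if not m:
            return f"empty {field} field"
        pos = m.end()
        while pos < len(line) and line[pos].isspace():
            pos += 1                      # whitespace after the token is skipped
        if pos >= len(line):
            return f"record ends after {field} field"
        if line[pos] != ":":              # the check that fails on "last first"
            return f"expected character ':', but found '{line[pos]}'"
        pos += 1
    if not line[pos:].strip():
        return "empty MLS range field"
    return None

def scan(text):
    """Return [(line_number, diagnostic)] for every record that fails."""
    problems = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumed: '#' starts a comment
            continue
        err = check_record(line)
        if err:
            problems.append((num, err))
    return problems

if __name__ == "__main__":
    for num, err in scan(SAMPLE):
        print(f"line {num}: {err}")
```

Running the same scan over a copy of seusers.local before a selinux-policy update shows which login mappings would stop the merge.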