<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6">
</HEAD>
<BODY>
On Wed, 2013-09-11 at 08:27 -0500, Dean Hunter wrote:<BR>
<BLOCKQUOTE TYPE=CITE>
On Wed, 2013-09-11 at 07:10 +0300, Alexander Bokovoy wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
Hi Dean,
On Tue, 10 Sep 2013, Dean Hunter wrote:
<FONT COLOR="#737373">>How do I determine the cause of this problem?</FONT>
<FONT COLOR="#737373">></FONT>
<FONT COLOR="#737373">> [dean@ipa2 ~]$ ssh dean@desktop2</FONT>
<FONT COLOR="#737373">> Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org</FONT>
<FONT COLOR="#737373">> Could not chdir to home directory /home/net/dean: Permission</FONT>
<FONT COLOR="#737373">> denied</FONT>
<FONT COLOR="#737373">> -bash: /home/net/dean/.bash_profile: Permission denied</FONT>
<FONT COLOR="#737373">></FONT>
<FONT COLOR="#737373">> -bash-4.2$ rpm -q freeipa-client</FONT>
<FONT COLOR="#737373">> freeipa-client-3.1.5-1.fc18.x86_64</FONT>
<FONT COLOR="#737373">> -bash-4.2$</FONT>
<FONT COLOR="#737373">></FONT>
<FONT COLOR="#737373">>I can log in as dean on desktop2 using gdm without a problem. But when</FONT>
<FONT COLOR="#737373">>I try to log in using ssh then I am denied access to the user's home</FONT>
<FONT COLOR="#737373">>directory.</FONT>
Is there any SELinux AVC in the logs? Is /home/net an NFS mount? Does
use_nfs_home_dirs SELinux boolean set to on? (getsebool -a|grep home)
</PRE>
</BLOCKQUOTE>
1) Is there any SELinux AVC in the logs?<BR>
<BLOCKQUOTE>
<TT><FONT SIZE="2">[<A HREF="mailto:dean@desktop2">dean@desktop2</A> ~]$ sudo ausearch --message avc</FONT></TT><BR>
<TT><FONT SIZE="2"><no matches></FONT></TT><BR>
</BLOCKQUOTE>
<BR>
2) Is /home/net an NFS mount? Yes<BR>
<BR>
3) Is use_nfs_home_dirs SELinux boolean set to on?<BR>
<BLOCKQUOTE>
<TT><FONT SIZE="2">[<A HREF="mailto:dean@desktop2">dean@desktop2</A> ~]$ getsebool use_nfs_home_dirs</FONT></TT><BR>
<TT><FONT SIZE="2">use_nfs_home_dirs --> on</FONT></TT><BR>
</BLOCKQUOTE>
<BR>
Here is the script I use to configure IPA NFS clients:<BR>
<BLOCKQUOTE>
<TT><FONT SIZE="2"># Configure the Network File System client</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2"> setsebool -P use_nfs_home_dirs on</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2"> cat /usr/lib/systemd/system/nfs-secure.service \</FONT></TT><BR>
<TT><FONT SIZE="2"> | sed -e s/WantedBy=nfs.target/WantedBy=multi-user.target/ \</FONT></TT><BR>
<TT><FONT SIZE="2"> > /etc/systemd/system/nfs-secure.service # RedHat bug 972363</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2"> ipa-client-automount \\</FONT></TT><BR>
<TT><FONT SIZE="2"> --location VM \\</FONT></TT><BR>
<TT><FONT SIZE="2"> --unattended</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2"> sed -i 's/sss files/ files sss/g' /etc/nsswitch.conf # FreeIPA bug 3733</FONT></TT><BR>
<TT><FONT SIZE="2"> systemctl restart sssd.service # FreeIPA bug 3733</FONT></TT><BR>
<TT><FONT SIZE="2"> systemctl restart autofs.service # FreeIPA bug 3733</FONT></TT><BR>
</BLOCKQUOTE>
<BR>
<BR>
<PRE>
_______________________________________________
Freeipa-users mailing list
<A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A>
<A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A>
</PRE>
</BLOCKQUOTE>
<BR>
I do NOT believe this:<BR>
<BLOCKQUOTE>
<TT><FONT SIZE="2">[<A HREF="mailto:dean@ipa2">dean@ipa2</A> ~]$ ssh <A HREF="mailto:dean@desktop2">dean@desktop2</A></FONT></TT><BR>
<TT><FONT SIZE="2">Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org</FONT></TT><BR>
<TT><FONT SIZE="2">Could not chdir to home directory /home/net/dean: Permission denied</FONT></TT><BR>
<TT><FONT SIZE="2">-bash: /home/net/dean/.bash_profile: Permission denied</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">-bash-4.2$ logout</FONT></TT><BR>
<TT><FONT SIZE="2">-bash: /home/net/dean/.bash_logout: Permission denied</FONT></TT><BR>
<TT><FONT SIZE="2">Connection to desktop2 closed.</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">[<A HREF="mailto:dean@ipa2">dean@ipa2</A> ~]$ su -</FONT></TT><BR>
<TT><FONT SIZE="2">Password: </FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">[<A HREF="mailto:root@ipa2">root@ipa2</A> ~]# ssh <A HREF="mailto:dean@desktop2">dean@desktop2</A></FONT></TT><BR>
<TT><FONT SIZE="2"><A HREF="mailto:dean@desktop2">dean@desktop2</A>'s password: </FONT></TT><BR>
<TT><FONT SIZE="2">Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">[<A HREF="mailto:dean@desktop2">dean@desktop2</A> ~]$ logout</FONT></TT><BR>
<TT><FONT SIZE="2">Connection to desktop2 closed.</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">[<A HREF="mailto:root@ipa2">root@ipa2</A> ~]# logout</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">[<A HREF="mailto:dean@ipa2">dean@ipa2</A> ~]$ ssh <A HREF="mailto:dean@desktop2">dean@desktop2</A></FONT></TT><BR>
<TT><FONT SIZE="2">Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org</FONT></TT><BR>
<BR>
<TT><FONT SIZE="2">[<A HREF="mailto:dean@desktop2">dean@desktop2</A> ~]$ </FONT></TT><BR>
</BLOCKQUOTE>
<BR>
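The client script above enables nfs-secure.service (rpc.gssd), which is only needed when the NFS export is mounted with a Kerberos security flavour (sec=krb5, krb5i or krb5p), and the sessions shown differ in how the user authenticated to desktop2. Before reading the thread further, a practitioner would want to know which mount actually covers /home/net/dean and whether that mount is Kerberized, because a Kerberized mount is only accessible to a session that holds a ticket. The helper below is an added example, not code from the thread or from FreeIPA: it resolves a path to the longest matching mountpoint in a /proc/mounts-style table and extracts the sec= option. The table embedded in it, including the ipa2.hunter.org:/export/home export and the krb5p flavour, is constructed sample data; on a real host the second argument is omitted and /proc/mounts is read instead.

```shell
#!/bin/sh
# Added diagnostic helper (not from the mailing-list thread).
# Resolves a path to the mount that covers it and reports the filesystem
# type and the sec= option, so you can see whether the home directory
# lives on a Kerberos-secured NFS export.

# Constructed sample mount table in /proc/mounts format. The export name,
# server and sec=krb5p flavour are assumptions for the example, not values
# taken from the thread.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
ipa2.hunter.org:/export/home /home/net nfs4 rw,sec=krb5p,vers=4.0 0 0
tmpfs /run tmpfs rw 0 0'

# mount_for_path PATH [MOUNTS_TEXT]
# Prints "<mountpoint> <fstype> <sec-flavour-or-none>" for the longest
# mountpoint that is a prefix of PATH. Reads /proc/mounts when MOUNTS_TEXT
# is not supplied.
mount_for_path() {
    path=$1
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2; fs = $3; opts = $4
            # mp covers p when p is mp itself or starts with mp followed by "/"
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= length(best)) { best = mp; bfs = fs; bopts = opts }
            }
        }
        END {
            sec = "none"
            n = split(bopts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] ~ /^sec=/) sec = substr(a[i], 5)
            print best, bfs, sec
        }'
}

# nfs_needs_ticket PATH [MOUNTS_TEXT]
# Exit 0 when the mount covering PATH is NFS with a krb5* security flavour,
# i.e. the accessing process must hold a Kerberos credential to use it.
nfs_needs_ticket() {
    set -- $(mount_for_path "$1" "$2")
    case "$2:$3" in
        nfs*:krb5*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage on the constructed table (drop the second argument on a real host).
mount_for_path /home/net/dean "$SAMPLE_MOUNTS"
if nfs_needs_ticket /home/net/dean "$SAMPLE_MOUNTS"; then
    echo "home directory is on Kerberized NFS: compare 'klist' in the failing and working sessions"
fi
```

When the result shows a krb5 flavour, the next thing to compare between a session that can enter the home directory and one that cannot is the output of klist in each, since only a session with a credential cache can have its file access authenticated by rpc.gssd.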
</BODY>
</HTML>