[Freeipa-users] Cannot login after patching on LXC Container

Nuno Higgs ipa at border.nuneshiggs.com
Tue Feb 14 13:00:40 UTC 2017


Hello All,

I have an LXC container running CentOS 7, fully patched, that I can't log in
to in a standard IPA usage configuration:

Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied for
user nuno 4 (System error)

Feb 13 19:42:07 lxc1 sshd[1536]: Failed password for nuno from 172.16.0.10
port 54461 ssh2

Feb 13 19:42:07 lxc1 sshd[1536]: fatal: Access denied for user nuno by PAM
account configuration [preauth]

Feb 13 19:43:42 lxc1 sshd[1553]: Connection closed by 172.16.3.253 [preauth]

Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:auth): authentication success;
logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.3.253 user=nuno

Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:account): Access denied for
user nuno: 4 (System error)

Feb 13 19:53:04 lxc1 sshd[1632]: error: PAM: User account has expired for
nuno from 172.16.3.253

Before the patching I was able to log in without any issue with this user.

Neither the user nor the password is expired, and they continue to work
perfectly on other CentOS 7 systems without the patch.

This only appears on LXC systems. I've tried installing a fresh CentOS 7 on
KVM and it works perfectly.

I've done a fresh LXC deployment, and the issue remains.

The workaround I found is to comment out the following line in
/etc/pam.d/password-auth:

#account     [default=bad success=ok user_unknown=ignore] pam_sss.so

Without this line I am able to log in perfectly.

The versions on the client side are:

CentOS 7
python2-ipalib-4.4.0-14.el7.centos.4.noarch
sssd-ipa-1.14.0-43.el7_3.11.x86_64
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.14.0-43.el7_3.11.x86_64
ipa-common-4.4.0-14.el7.centos.4.noarch
ipa-client-common-4.4.0-14.el7.centos.4.noarch
python2-ipaclient-4.4.0-14.el7.centos.4.noarch
libipa_hbac-1.14.0-43.el7_3.11.x86_64
ipa-client-4.4.0-14.el7.centos.4.x86_64
ipa-python-compat-4.4.0-14.el7.centos.4.noarch
python-ipaddress-1.0.16-2.el7.noarch

On the IPA server:

CentOS 7
python-libipa_hbac-1.14.0-43.el7_3.4.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64
ipa-admintools-4.4.0-14.el7.centos.noarch
ipa-server-4.4.0-14.el7.centos.x86_64
ipa-client-common-4.4.0-14.el7.centos.noarch
python-ipaddress-1.0.16-2.el7.noarch
python2-ipaclient-4.4.0-14.el7.centos.noarch
python2-ipaserver-4.4.0-14.el7.centos.noarch
python2-ipalib-4.4.0-14.el7.centos.noarch
ipa-server-common-4.4.0-14.el7.centos.noarch
ipa-server-dns-4.4.0-14.el7.centos.noarch
ipa-python-compat-4.4.0-14.el7.centos.noarch
libipa_hbac-1.14.0-43.el7_3.4.x86_64
ipa-common-4.4.0-14.el7.centos.noarch

I think it might be LXC permissions related. I am using the LXC template for
CentOS 7:

lxc.cap.drop = sys_nice sys_pacct sys_rawio

What am I missing?

Thanks for your help.

Nuno
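The log lines quoted above show the useful distinction: pam_sss accepted the credentials in the auth phase, then failed in the account phase with PAM return code 4 (PAM_SYSTEM_ERR), which points at sssd on the client rather than at the user or an HBAC rule. The following triage script is an added example, not code from the post or from the FreeIPA/SSSD projects; the sample log is constructed from the lines quoted above, and the code-to-name table is the standard Linux-PAM numbering.

```python
import re

# Constructed sample, copied from the sshd/pam_sss lines quoted in the post above.
SAMPLE_LOG = """\
Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied for user nuno 4 (System error)
Feb 13 19:42:07 lxc1 sshd[1536]: Failed password for nuno from 172.16.0.10 port 54461 ssh2
Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.3.253 user=nuno
Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:account): Access denied for user nuno: 4 (System error)
Feb 13 19:53:04 lxc1 sshd[1632]: error: PAM: User account has expired for nuno from 172.16.3.253
"""

# Linux-PAM return codes that pam_sss may report in the account phase.
PAM_CODES = {
    4: "PAM_SYSTEM_ERR",         # sssd itself failed: not a credential problem
    6: "PAM_PERM_DENIED",        # access provider (e.g. HBAC) denied the login
    12: "PAM_ACCT_EXPIRED",
    13: "PAM_NEW_AUTHTOK_REQD",  # password must be changed
}

AUTH_OK = re.compile(r"sshd\[(\d+)\]: pam_sss\(sshd:auth\): authentication success;.*\buser=(\S+)")
# The number before "(System error)" is the raw PAM code; the colon after the user
# name appears in some pam_sss versions and not in others, so it is optional here.
ACCT_DENY = re.compile(r"sshd\[(\d+)\]: pam_sss\(sshd:account\): Access denied for user (\S+?):? (\d+) \(")


def triage(log_text):
    """Return one dict per pam_sss account-phase denial, saying what the code means."""
    authed = set()   # (sshd pid, user) pairs whose auth phase already succeeded
    findings = []
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            authed.add((m.group(1), m.group(2)))
            continue
        m = ACCT_DENY.search(line)
        if not m:
            continue
        pid, user, code = m.group(1), m.group(2), int(m.group(3))
        findings.append({
            "pid": pid, "user": user, "code": code,
            "name": PAM_CODES.get(code, "UNKNOWN"),
            "credentials_ok": (pid, user) in authed,
            # sshd's later "User account has expired" line is its generic wording for
            # an account-phase failure; the real reason is the code captured here.
            "client_side_fault": code == 4,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against the host's secure log (journalctl -u sshd or /var/log/secure) to see whether denials carry code 4, in which case the sssd debug logs on the container are the next place to look, rather than the user's expiry or HBAC rules.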