[Freeipa-users] Cannot login after patching on LXC Container

Alexander Bokovoy abokovoy at redhat.com
Tue Feb 14 16:01:52 UTC 2017


On Tue, 14 Feb 2017, Nuno Higgs wrote:
>Hello Alexander,
>
>Here are the logs. I have regenerated the error, because the first time I
>didn't have debug enabled in the domain part of sssd.conf.
>After enabling it, the only thing reported in sssd_domain.log at the time of
>the failure is:
>
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_eval_user_element]
>(0x1000): Added group [openvpn_home_users] for user [nuno]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100): [<
>hbac_evaluate()
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100):
>ALLOWED by rule [perimetro_ssh_allow].
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [hbac_evaluate] (0x0100):
>hbac_evaluate() >]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_hbac_evaluate_rules]
>(0x0080): Access granted by HBAC rule [perimetro_ssh_allow]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_done] (0x0400): DP
>Request [PAM Account #4]: Request handler finished [0]: Success
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [_dp_req_recv] (0x0400): DP
>Request [PAM Account #4]: Receiving request data.
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor]
>(0x0400): DP Request [PAM Account #4]: Request removed.
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_req_destructor]
>(0x0400): Number of active DP request: 0
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_attach_req] (0x0400): DP
>Request [PAM SELinux #5]: New request. Flags [0000].
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [dp_attach_req] (0x0400):
>Number of active DP request: 1
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_get_selinux_send]
>(0x0400): Retrieving SELinux user mapping
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x0400): calling ldap_search_ext with
>[(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=net,dc=xpto].
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [ipaMigrationEnabled]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [ipaSELinuxUserMapDefault]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [ipaSELinuxUserMapOrder]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_parse_entry] (0x1000):
>OriginalDN: [cn=ipaConfig,cn=etc,dc=net,dc=xpto].
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]]
>[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
>errmsg set
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_selinux_get_maps_next]
>(0x0400): Trying to fetch SELinux maps with following parameters:
>[2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=net,dc=xpto]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x0400): calling ldap_search_ext with
>[(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=net,
>dc=xpto].
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [objectClass]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [cn]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [memberUser]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [memberHost]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [seeAlso]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [ipaSELinuxUser]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [ipaEnabledFlag]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [userCategory]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [hostCategory]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sdap_get_generic_ext_step]
>(0x1000): Requesting attrs: [ipaUniqueID]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]]
>[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
>errmsg set
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_selinux_get_maps_done]
>(0x0400): No SELinux user maps found!
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [sysdb_delete_entry]
>(0x0080): sysdb_delete_ts_entry failed: 0
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [write_pipe_handler]
>(0x0400): All data has been sent!
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [read_pipe_handler]
>(0x0400): EOF received, client finished
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [selinux_child_done]
>(0x0020): selinux_child_parse_response failed: [22][Invalid argument]
^^ this is the issue. There was a change in behavior in libselinux that
caused the library to fail every time it is run in an environment where
it cannot identify whether SELinux is enabled or not.

You can disable SELinux processing in your sssd.conf:

[domain/...]
selinux_provider = none

-- 
/ Alexander Bokovoy
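
The sequence pointed out in the reply (HBAC grants access, then the SELinux step fails at a critical debug level) can be picked out of a domain log automatically. The following Python script is an added example, not part of the original thread: it unfolds mail-wrapped SSSD debug lines and reports that sequence. The function names are choices made for this example, and the sample is an excerpt of the log quoted above.

```python
import re

# Excerpt of the SSSD log quoted in the thread, kept mail-quoted and wrapped.
SAMPLE = """\
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_hbac_evaluate_rules]
>(0x0080): Access granted by HBAC rule [perimetro_ssh_allow]
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [ipa_selinux_get_maps_done]
>(0x0400): No SELinux user maps found!
>(Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]] [selinux_child_done]
>(0x0020): selinux_child_parse_response failed: [22][Invalid argument]
"""
ENTRY = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
HBAC_GRANT = re.compile(r"Access granted by HBAC rule \[([^\]]+)\]")
TIMESTAMP = re.compile(r"\(\w{3} \w{3} ")  # "(Tue Feb " starts a new entry
CRITICAL = 0x0020  # SSSD debug level bit for critical failures

def unfold(text):
    """Strip mail quote markers and rejoin entries the mail client wrapped."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip(">").strip()
        if TIMESTAMP.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def find_selinux_failures(text):
    """Return logins that HBAC allowed but whose SELinux step then failed."""
    findings, granted = [], {}
    for entry in unfold(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        grant = HBAC_GRANT.search(m["msg"])
        if grant:
            granted[m["domain"]] = grant.group(1)  # remember the allowing rule
        elif (m["func"].startswith("selinux_child") and "failed" in m["msg"]
              and int(m["level"], 16) <= CRITICAL):
            findings.append({"time": m["ts"], "domain": m["domain"], "error": m["msg"],
                             "hbac_rule": granted.pop(m["domain"], None)})
    return findings

if __name__ == "__main__":
    print(find_selinux_failures(SAMPLE))
```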



