[Freeipa-users] Cannot login after patching on LXC Container
Nuno Higgs
ipa at border.nuneshiggs.com
Wed Feb 15 11:32:07 UTC 2017
Hello,
I've done a fresh install of a Centos7 container and the problem was seen again.
The lxc build installed the files as described within the enclosed txt file.
For versions:
# yum --showduplicates list ipa-client ipa-client-common ipa-common python2-ipalib python2-ipaclient
Installed Packages
ipa-client.x86_64 4.4.0-14.el7.centos.4 @updates
ipa-client-common.noarch 4.4.0-14.el7.centos.4 @updates
ipa-common.noarch 4.4.0-14.el7.centos.4 @updates
python2-ipaclient.noarch 4.4.0-14.el7.centos.4 @updates
python2-ipalib.noarch 4.4.0-14.el7.centos.4 @updates
Available Packages
ipa-client.x86_64 4.4.0-12.el7.centos base
ipa-client.x86_64 4.4.0-14.el7.centos updates
ipa-client.x86_64 4.4.0-14.el7.centos.1.1 updates
ipa-client.x86_64 4.4.0-14.el7.centos.4 updates
ipa-client-common.noarch 4.4.0-12.el7.centos base
ipa-client-common.noarch 4.4.0-14.el7.centos updates
ipa-client-common.noarch 4.4.0-14.el7.centos.1.1 updates
ipa-client-common.noarch 4.4.0-14.el7.centos.4 updates
ipa-common.noarch 4.4.0-12.el7.centos base
ipa-common.noarch 4.4.0-14.el7.centos updates
ipa-common.noarch 4.4.0-14.el7.centos.1.1 updates
ipa-common.noarch 4.4.0-14.el7.centos.4 updates
python2-ipaclient.noarch 4.4.0-12.el7.centos base
python2-ipaclient.noarch 4.4.0-14.el7.centos updates
python2-ipaclient.noarch 4.4.0-14.el7.centos.1.1 updates
python2-ipaclient.noarch 4.4.0-14.el7.centos.4 updates
python2-ipalib.noarch 4.4.0-12.el7.centos base
python2-ipalib.noarch 4.4.0-14.el7.centos updates
python2-ipalib.noarch 4.4.0-14.el7.centos.1.1 updates
python2-ipalib.noarch
First downgrade:
# yum downgrade ipa-client ipa-client-common ipa-common python2-ipalib python2-ipaclient
Removed:
ipa-client.x86_64 0:4.4.0-14.el7.centos.4 ipa-client-common.noarch 0:4.4.0-14.el7.centos.4 ipa-common.noarch 0:4.4.0-14.el7.centos.4 python2-ipaclient.noarch 0:4.4.0-14.el7.centos.4 python2-ipalib.noarch 0:4.4.0-14.el7.centos.4
Installed:
ipa-client.x86_64 0:4.4.0-14.el7.centos.1.1 ipa-client-common.noarch 0:4.4.0-14.el7.centos.1.1 ipa-common.noarch 0:4.4.0-14.el7.centos.1.1 python2-ipaclient.noarch 0:4.4.0-14.el7.centos.1.1 python2-ipalib.noarch 0:4.4.0-14.el7.centos.1.1
Problem still present.
Second downgrade:
Removed:
ipa-client.x86_64 0:4.4.0-14.el7.centos.1.1 ipa-client-common.noarch 0:4.4.0-14.el7.centos.1.1 ipa-common.noarch 0:4.4.0-14.el7.centos.1.1 python2-ipaclient.noarch 0:4.4.0-14.el7.centos.1.1 python2-ipalib.noarch 0:4.4.0-14.el7.centos.1.1
Installed:
ipa-client.x86_64 0:4.4.0-14.el7.centos ipa-client-common.noarch 0:4.4.0-14.el7.centos ipa-common.noarch 0:4.4.0-14.el7.centos python2-ipaclient.noarch 0:4.4.0-14.el7.centos python2-ipalib.noarch 0:4.4.0-14.el7.centos
Problem still present.
Third downgrade:
Removed:
ipa-client.x86_64 0:4.4.0-14.el7.centos ipa-client-common.noarch 0:4.4.0-14.el7.centos ipa-common.noarch 0:4.4.0-14.el7.centos python2-ipaclient.noarch 0:4.4.0-14.el7.centos python2-ipalib.noarch 0:4.4.0-14.el7.centos
Installed:
ipa-client.x86_64 0:4.4.0-12.el7.centos ipa-client-common.noarch 0:4.4.0-12.el7.centos ipa-common.noarch 0:4.4.0-12.el7.centos python2-ipaclient.noarch 0:4.4.0-12.el7.centos python2-ipalib.noarch 0:4.4.0-12.el7.centos
Problem still present.
There is not any downgrade available on repo to go lower.
The error is still the same. It would appear to be outside of the ipa package range.
Feb 15 11:05:38 ipatest sshd[231]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.6 user=nuno
Feb 15 11:05:39 ipatest sshd[231]: pam_sss(sshd:account): Access denied for user nuno: 4 (System error)
Feb 15 11:05:39 ipatest sshd[229]: error: PAM: User account has expired for nuno from 172.16.0.6
Feb 15 11:05:42 ipatest sshd[229]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.6 user=nuno
Feb 15 11:05:42 ipatest sshd[229]: Failed password for nuno from 172.16.0.6 port 54450 ssh2
Feb 15 11:05:42 ipatest sshd[229]: fatal: Access denied for user nuno by PAM account configuration [preauth]
I tried to downgrade sssd but was unable to for lack of dependencies.
Thanks.
Nuno
-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
Sent: Wednesday, 15 February 2017 09:16
To: Nuno Higgs
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container
On (14/02/17 20:06), Nuno Higgs wrote:
>Hello all,
>
>I will reproduce the issue tomorrow morning on a fresh LXC container.
>For the sestatus:
>
># sestatus
>SELinux status: disabled
>
>That isn’t surprising for the host is not se-enabled, or even a RHEL/CentOS.
>The underlying distro supports apparmor profiles.
FYI: It is not about distribution but about kernel.
>The crappy part is before we did this patch update, everything worked
>perfectly, although with SE Disabled.
>
>I will keep you posted on the LXC test
>
It would be good to find out which package/update broke it.
LS
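
Added example (not part of the original thread): a small triage script over the sshd lines quoted in the message above, which pairs pam_sss auth-phase successes with account-phase denials per user and separates an internal error (PAM return code 4, PAM_SYSTEM_ERR) from a policy denial (code 6, PAM_PERM_DENIED). The function name `triage` and the verdict labels are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Sample input: the sshd lines copied from the message above.
SAMPLE_LOG = """\
Feb 15 11:05:38 ipatest sshd[231]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.6 user=nuno
Feb 15 11:05:39 ipatest sshd[231]: pam_sss(sshd:account): Access denied for user nuno: 4 (System error)
Feb 15 11:05:39 ipatest sshd[229]: error: PAM: User account has expired for nuno from 172.16.0.6
Feb 15 11:05:42 ipatest sshd[229]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.6 user=nuno
Feb 15 11:05:42 ipatest sshd[229]: Failed password for nuno from 172.16.0.6 port 54450 ssh2
Feb 15 11:05:42 ipatest sshd[229]: fatal: Access denied for user nuno by PAM account configuration [preauth]
"""

# \buser= skips "ruser=" and matches only the final user= field.
AUTH_OK = re.compile(
    r"pam_sss\((?P<svc>\w+):auth\): authentication success;.*\buser=(?P<user>\S+)")
ACCT_DENY = re.compile(
    r"pam_sss\((?P<svc>\w+):account\): Access denied for user "
    r"(?P<user>[^:\s]+): (?P<code>\d+) \((?P<reason>[^)]*)\)")

# Linux-PAM return codes: 4 = PAM_SYSTEM_ERR, 6 = PAM_PERM_DENIED.
VERDICTS = {4: "internal_error", 6: "policy_denied"}  # labels are hypothetical


def triage(log_text):
    """List (service, user) pairs whose auth phase passed but account phase failed."""
    seen = defaultdict(lambda: {"auth_ok": 0, "codes": set()})
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            seen[(m["svc"], m["user"])]["auth_ok"] += 1
            continue
        m = ACCT_DENY.search(line)
        if m:
            seen[(m["svc"], m["user"])]["codes"].add(int(m["code"]))
    findings = []
    for (svc, user), s in sorted(seen.items()):
        if s["auth_ok"] and s["codes"]:
            findings.append({
                "service": svc, "user": user, "auth_ok": s["auth_ok"],
                "codes": sorted(s["codes"]),
                "verdicts": sorted({VERDICTS.get(c, "other") for c in s["codes"]}),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the lines in this thread the result is two successful authentications for nuno and one account-phase failure with code 4, meaning the credentials were accepted and the login was rejected later, in PAM account management.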