<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
<br>
On 02/25/2013 10:15 AM, Jakub Hrozek wrote:<br>
<span style="white-space: pre;">> On Sat, Feb 23, 2013 at
10:40:03PM +0000, Dale Macartney wrote:<br>
>><br>
><br>
> On 02/23/2013 10:36 PM, Rob Crittenden wrote:<br>
> >>> Dale Macartney wrote:<br>
> >>>><br>
> >>>> -----BEGIN PGP SIGNED MESSAGE-----<br>
> >>>> Hash: SHA1<br>
> >>>><br>
> >>>> Even folks<br>
> >>>><br>
> >>>> I've verified this both in a kickstart and
via manual install to verify<br>
> >>>> any user error on my part.<br>
> >>>><br>
> >>>> I have a clean installation of RHEL 6.4 for
an IPA domain of example.com<br>
> >>>><br>
> >>>> I also have several clients which are also
clean installs of rhel 6.4<br>
> >>>> and although I can see ipa users via getent
and even acquire a TGT<br>
> >>>> successfully, I am unable to login with any
ipa user on any ipa member<br>
> >>>> server.<br>
> >>>><br>
> >>>> I see the same results for any type of login
attempt, e.g. gnome desktop<br>
> >>>> or ssh<br>
> >>>><br>
> >>>> My client installation is done by this
command.<br>
> >>>><br>
> >>>> ipa-client-install -U -p admin -w redhat123
--mkhomedir<br>
> --enable-dns-updates<br>
> >>>><br>
> >>>> IPA client version 3.0.0-25<br>
> >>>> SSSD version 1.9.2-82<br>
> >>>><br>
> >>>><br>
> >>>> Logs from client are as follows.<br>
> >>>><br>
> >>>> ==> /var/log/secure <==<br>
> >>>> Feb 23 22:10:07 workstation02 sshd[2419]:
pam_unix(sshd:auth):<br>
> >>>> authentication failure; logname= uid=0
euid=0 tty=ssh ruser=<br>
> >>>> rhost=10.0.1.254 user=admin<br>
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]:
pam_sss(sshd:auth): User info<br>
> >>>> message: Your password will expire in 89
day(s).<br>
><br>
> > FTR, this is a known bug that will be fixed in an
asynchronous errata<br>
> > Very Soon Now.<br>
><br>
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]:
pam_sss(sshd:auth):<br>
> >>>> authentication success; logname= uid=0
euid=0 tty=ssh ruser=<br>
> >>>> rhost=10.0.1.254 user=admin<br>
> >>>><br>
> >>>> ==> /var/log/btmp <==<br>
> >>>> s <a class="moz-txt-link-freetext" href="ssh:nottyadmin10.0.1.254@">ssh:nottyadmin10.0.1.254@</a>>)Q<br>
> >>>> ?<br>
> >>>> ==> /var/log/secure <==<br>
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]:
pam_sss(sshd:account): Access<br>
> >>>> denied for user admin: 4 (System error)<br>
><br>
> > What state is your SELinux in?
Permissive/Enforcing/Disabled ?</span><br>
Another fail on my part. Works fine in permissive mode.<br>
<br>
AVC denials listed below.<br>
<br>
type=AVC msg=audit(1361788146.020:28315): avc: denied { read }
for pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file<br>
type=AVC msg=audit(1361788146.020:28315): avc: denied { open }
for pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file<br>
type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr }
for pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0
ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file<br>
type=AVC msg=audit(1361788155.330:28318): avc: denied { read }
for pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file<br>
type=AVC msg=audit(1361788155.330:28318): avc: denied { open }
for pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file<br>
type=AVC msg=audit(1361788155.330:28319): avc: denied { getattr }
for pid=2275 comm="krb5_child" path="/etc/selinux/config" dev=dm-0
ino=392854 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file<br>
type=AVC msg=audit(1361788156.367:28321): avc: denied { write }
for pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir<br>
type=AVC msg=audit(1361788156.367:28321): avc: denied { add_name }
for pid=1380 comm="sssd_pam" name="adminoTfIUQ"
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir<br>
type=AVC msg=audit(1361788156.367:28321): avc: denied { create }
for pid=1380 comm="sssd_pam" name="adminoTfIUQ"
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file<br>
type=AVC msg=audit(1361788156.367:28321): avc: denied { write }
for pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file<br>
type=AVC msg=audit(1361788156.367:28322): avc: denied {
remove_name } for pid=1380 comm="sssd_pam" name="adminoTfIUQ"
dev=dm-0 ino=393233 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir<br>
type=AVC msg=audit(1361788156.367:28322): avc: denied { rename }
for pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file<br>
type=AVC msg=audit(1361788156.367:28322): avc: denied { unlink }
for pid=1380 comm="sssd_pam" name="admin" dev=dm-0 ino=392951
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file<br>
<br>
<span style="white-space: pre;">><br>
> >>>> Feb 23 22:10:08 workstation02 sshd[2419]:
Failed password for admin from<br>
> >>>> 10.0.1.254 port 55554 ssh2<br>
> >>>> Feb 23 22:10:08 workstation02 sshd[2421]:
fatal: Access denied for user<br>
> >>>> admin by PAM account configuration<br>
> >>>><br>
> >>>> ==> /var/log/Xorg.0.log <==<br>
> >>>> [ 604.308] AUDIT: Sat Feb 23 22:12:10 2013:
1908: client 17 connected<br>
> >>>> from local host ( uid=42 gid=42 pid=1958 )<br>
> >>>> Auth name: MIT-MAGIC-COOKIE-1 ID: 284<br>
> >>>> [ 604.312] AUDIT: Sat Feb 23 22:12:10 2013:
1908: client 17 disconnected<br>
> >>>><br>
> >>>> ==> /var/log/messages <==<br>
> >>>> Feb 23 22:12:45 workstation02 ntpd[2359]:
synchronized to LOCAL(0),<br>
> >>>> stratum 5<br>
> >>>> Feb 23 22:13:48 workstation02 ntpd[2359]:
synchronized to 10.0.1.12,<br>
> >>>> stratum 11<br>
> >>>><br>
> >>>><br>
> >>>> interactive shell output as follows<br>
> >>>><br>
> >>>> [mac@rhodey ~]$ ssh <a class="moz-txt-link-abbreviated" href="mailto:admin@10.0.1.102">admin@10.0.1.102</a><br>
> >>>> <a class="moz-txt-link-abbreviated" href="mailto:admin@10.0.1.102">admin@10.0.1.102</a>'s password:<br>
> >>>> Your password will expire in 89 day(s).<br>
> >>>> Connection closed by 10.0.1.102<br>
> >>>> [mac@rhodey ~]$<br>
> >>>><br>
> >>>><br>
> >>>> Am I doing something rather trivially wrong
or is there something fishy<br>
> >>>> going on here?<br>
> >>>><br>
> >>>> Thanks in advance.<br>
> >>><br>
> >>> I'd check your HBAC configuration.<br>
> >>><br>
> >>> rob<br>
> >>><br>
> That is actually the very first thing I did. As it is a 100%
clean<br>
> installation of IPA, plus the addition of one user and one
IPA replica.<br>
><br>
> all users are granted access to all hosts.<br>
><br>
> [root@ds01 ~]# ipa hbacrule-find<br>
> -------------------<br>
> 1 HBAC rule matched<br>
> -------------------<br>
> Rule name: allow_all<br>
> User category: all<br>
> Host category: all<br>
> Source host category: all<br>
> Service category: all<br>
> Description: Allow all users to access any host from any host<br>
> Enabled: TRUE<br>
> ----------------------------<br>
> Number of entries returned 1<br>
> ----------------------------<br>
> [root@ds01 ~]#<br>
><br>
><br>
><br>
>><br>
>> _______________________________________________<br>
>> Freeipa-users mailing list<br>
>> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
>> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</span><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.13 (GNU/Linux)<br>
Comment: Using GnuPG with Thunderbird - <a class="moz-txt-link-freetext" href="http://www.enigmail.net/">http://www.enigmail.net/</a><br>
<br>
iQIcBAEBAgAGBQJRKz1MAAoJEAJsWS61tB+q5VoP/3Jre49XLeb00rUvfri+Ud9j<br>
c9GmrzAHH66Bckp2y/htaD23tnFraD94VSjwg485iCosqzuYDAd3U/+LXP3rjC92<br>
Xt5rMBRJ3XAL7O32c9Z8FKPAeTCM+fR/UyjkKxGJaLaGeASnAZjg2Xek28z+jUuT<br>
4+ITBMZWDdnhf34wpFeHL8FrhIq+oLYo3j5GKAH7YZn/XJnrs4gNH/pLBlnuegJQ<br>
ukiouadZOQRo2AZb/jxW4LoUWl3pCorQah1dPyL0PaOuhSYQ4v29NdIdsDBLC1nK<br>
U8V1TU+W59tyBfiMNwFYhxJ0IOvWYmIQY+oZNNzyo5+/tlqUlyGqpsgXmyoo7h1R<br>
WoInBit4JotJyC/ynVraJBUjSiHcJsiTSBCdfnvzRPHiJhaldDfe7+iIDATBweMg<br>
5e3nskIjGyqPTAWkUiFcp1Xv7ch2RKEq51dg4qhf7OAEwhOX7HkudIY50jD51CXW<br>
X08vBqHzH3ViVBhsehZRzE73+B83RyaYOQaULgU8/GxAAH9r79/WFCA1H2Fl7fLE<br>
PYTDlebyyRM2qlDxu2AXiwAo7DqdT9OMShmjiMcSoZAnSSdUfmCAwOgV9Yg5YKy9<br>
3e3GYWtyhOKGmVagO18/WR5ZkR9Ei+Cb5Bs44oyfrY17l2PRiDLZj4Doeu4nhbOu<br>
3ugSBDfo6+3DziJjP1sT<br>
=EXH/<br>
-----END PGP SIGNATURE-----<br>
<br>
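Added example, not part of the original thread or of the SSSD/IPA projects: a small Python triage script that parses audit AVC records like the ones quoted above and groups them by (source domain, target type, object class), which is the granularity at which SELinux policy allows or denies an access. The sample records are the AVC lines from the post, joined back onto one line each as they appear in /var/log/audit/audit.log; the function names (parse_avc, summarize, affected_objects, by_process) are this example's own.<br>

```python
"""Offline triage of SELinux AVC denials (added example, not from the thread)."""
import re
from collections import defaultdict

# AVC records quoted in the post above, one per line as audit.log stores them.
AVC_LINES = [
    'type=AVC msg=audit(1361788146.020:28315): avc: denied { read } for pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1361788146.020:28315): avc: denied { open } for pid=2271 comm="sshd" name="passwd" dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1361788146.020:28316): avc: denied { getattr } for pid=2271 comm="sshd" path="/var/lib/sss/mc/passwd" dev=dm-0 ino=914246 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1361788155.330:28318): avc: denied { read } for pid=2275 comm="krb5_child" name="config" dev=dm-0 ino=392854 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file',
    'type=AVC msg=audit(1361788156.367:28321): avc: denied { write } for pid=1380 comm="sssd_pam" name="logins" dev=dm-0 ino=392943 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir',
    'type=AVC msg=audit(1361788156.367:28322): avc: denied { remove_name } for pid=1380 comm="sssd_pam" name="adminoTfIUQ" dev=dm-0 ino=393233 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir',
]

# Header of an AVC record: timestamp, serial, the braced permission list, then key=value fields.
# Real audit.log has two spaces after "avc:"; the " +" quantifiers accept either spacing.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ *(?P<perms>[^}]*?) *\} +for +(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _ctx_type(ctx):
    """Return the type component of an SELinux context user:role:type[:range]."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for any other log line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']),
        'source': _ctx_type(fields['scontext']),
        'target': _ctx_type(fields['tcontext']),
        'tclass': fields['tclass'],
        # Some records carry a full path, others only the final name component.
        'object': fields.get('path') or fields.get('name'),
    }


def summarize(lines):
    """Map (source domain, target type, class) -> sorted list of denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            summary[(rec['source'], rec['target'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in summary.items()}


def affected_objects(lines):
    """Map (source domain, target type, class) -> sorted list of names/paths touched."""
    objects = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec['object']:
            objects[(rec['source'], rec['target'], rec['tclass'])].add(rec['object'])
    return {key: sorted(objs) for key, objs in objects.items()}


def by_process(lines):
    """Map process name (comm) -> sorted list of (target type, class) it was denied on."""
    procs = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            procs[rec['comm']].add((rec['target'], rec['tclass']))
    return {comm: sorted(pairs) for comm, pairs in procs.items()}


if __name__ == '__main__':
    for (src, tgt, cls), perms in sorted(summarize(AVC_LINES).items()):
        objs = ', '.join(affected_objects(AVC_LINES)[(src, tgt, cls)])
        print(f'{src} -> {tgt}:{cls}  denied {{ {" ".join(perms)} }}  on {objs}')
```

Run against the post's records, the grouping shows two separate policy gaps: the sshd_t domain cannot read, open or getattr the SSSD memory cache file /var/lib/sss/mc/passwd (sssd_var_lib_t), which lines up with the account-phase "System error" in /var/log/secure, and the sssd_t domain cannot read /etc/selinux/config or manage the user-login files under selinux_config_t. On a live box the equivalent is `ausearch -m AVC -ts recent | audit2why`, which also reports whether a boolean or a policy fix is the remedy; the script above is only for offline reading of pasted denials.<br>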
</body>
</html>