Bug 1194302
| Summary: | With empty ipaselinuxusermapdefault security context on client is staff_u | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Martin Kosek <mkosek> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.7 | CC: | grajaiya, jgalipea, jhrozek, kbanerje, lmiksik, lslebodn, mkosek, mvarun, mzidek, nsoman, pbrezina, preichl, rcritten, sgoveas |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.12.4-7.el6 | Doc Type: | Bug Fix |
| Doc Text: | No documentation needed | Story Points: | --- |
| Clone Of: | 1192314 | Environment: | |
| Last Closed: | 2015-07-22 06:43:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1192314, 1198480 | ||
| Bug Blocks: | |||
Comment 3
Martin Kosek
2015-03-04 09:58:17 UTC
* master: 01f78f755fde63997ccfded71fb8395569b11430
* sssd-1-12: 90efb3c2a48146d7b6cc81fe8422e9024144402a

Verified in version sssd-1.12.4-25.el6.x86_64
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_trust_func_selinuxusermap_master_008_setup: AD user associated with empty selinuxusermap on Master
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ BEGIN ] :: Running 'kdestroy -A'
:: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123 | kinit admin'
Password for admin:
:: [ PASS ] :: Command 'echo Secret123 | kinit admin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa config-mod --ipaselinuxusermapdefault='
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: slnx2k12r2.test
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=SLNX2K12R2.TEST
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default PAC types: nfs:NONE, MS-PAC
:: [ PASS ] :: Command 'ipa config-mod --ipaselinuxusermapdefault=' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ipa config-show > /tmp/tmpout.txt 2>&1'
:: [ PASS ] :: Command 'ipa config-show > /tmp/tmpout.txt 2>&1' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmpout.txt' should not contain 'Default SELinux user'
:: [ BEGIN ] :: Running 'ssh -o StrictHostKeyChecking=no root.test 'service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service sssd start''
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
:: [ PASS ] :: Command 'ssh -o StrictHostKeyChecking=no root.test 'service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service sssd start'' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ssh -o StrictHostKeyChecking=no root.test 'service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service sssd start''
Stopping sssd: [ OK ]
Starting sssd: [ OK ]
:: [ PASS ] :: Command 'ssh -o StrictHostKeyChecking=no root.test 'service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service sssd start'' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'ssh -o StrictHostKeyChecking=no root.test 'service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service sssd start''
Stopping sssd: [ OK ]
Starting sssd: [ OK ]
:: [ PASS ] :: Command 'ssh -o StrictHostKeyChecking=no root.test 'service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service sssd start'' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'sleep 10'
:: [ PASS ] :: Command 'sleep 10' (Expected 0, got 0)
:: [ 18:28:12 ] :: Running remotehost-sync-set -s '75.' -m ipaqavmf.idmqe.lab.eng.bos.redhat.com
:: [ BEGIN ] :: Running 'remotehost-sync-set -s '75.' -m ipaqavmf.idmqe.lab.eng.bos.redhat.com'
remotehost-sync-set -s 75. -m ipaqavmf.idmqe.lab.eng.bos.redhat.com
root 22993 13317 0 16:32 ? 00:00:02 python -m SimpleHTTPServer 8907
:: [ PASS ] :: Command 'remotehost-sync-set -s '75.' -m ipaqavmf.idmqe.lab.eng.bos.redhat.com' (Expected 0, got 0)
'0b3577b5-6d4d-42da-939f-ca2eb6fe0a03'
ipa-trust-func-selinuxusermap-master-008-setup-AD-user-associated-with-empty-selinuxusermap-on-Master result: PASS
metric: 0
Log: /var/tmp/beakerlib-29737519/journal.txt
Info: Searching AVC errors produced since 1428964068.98 (Mon Apr 13 18:27:48 2015)
Searching logs...
Info: No AVC messages found.
Writing to /mnt/testarea/tmp.XoTKtp
:
AvcLog: /mnt/testarea/tmp.XoTKtp
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_trust_func_selinuxusermap_client1_008: AD user associated with empty selinuxusermap on Master
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ BEGIN ] :: Running 'kdestroy -A'
:: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'echo Secret123 | kinit admin'
Password for admin:
:: [ PASS ] :: Command 'echo Secret123 | kinit admin' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'getent -s sss passwd au104131712'
au104131712:*:346202185:346202185:au104131712:/home/ipaad2012r2.test/au104131712:
:: [ PASS ] :: Command 'getent -s sss passwd au104131712' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'sleep 10'
:: [ PASS ] :: Command 'sleep 10' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'verify_ssh_auth_success_selinuxuser au104131712 Secret123 ipaqavmf.slnx2k12r2.test unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for au104131712
:: [ BEGIN ] :: Running 'cat /tmp/tmpfile.out'
spawn ssh -l au104131712 ipaqavmf.slnx2k12r2.test id -Z
au104131712@ipaqavmf.slnx2k12r2.test's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Command 'cat /tmp/tmpfile.out' (Expected 0, got 0)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Command 'verify_ssh_auth_success_selinuxuser au104131712 Secret123 ipaqavmf.slnx2k12r2.test unconfined_u:.*s0-s0:c0.c1023' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'verify_ssh_auth_success_selinuxuser au104131712 Secret123 ipaqa64vmc.slnx2k12r2.test unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for au104131712
:: [ BEGIN ] :: Running 'cat /tmp/tmpfile.out'
spawn ssh -l au104131712 ipaqa64vmc.slnx2k12r2.test id -Z
au104131712@ipaqa64vmc.slnx2k12r2.test's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Command 'cat /tmp/tmpfile.out' (Expected 0, got 0)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Command 'verify_ssh_auth_success_selinuxuser au104131712 Secret123 ipaqa64vmc.slnx2k12r2.test unconfined_u:.*s0-s0:c0.c1023' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'getent -s sss passwd au204131712'
au204131712:*:346202186:346202186:au204131712:/home/ipaad2012r2.test/au204131712:
:: [ PASS ] :: Command 'getent -s sss passwd au204131712' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'sleep 10'
:: [ PASS ] :: Command 'sleep 10' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'verify_ssh_auth_success_selinuxuser au204131712 Secret123 ipaqa64vmc.slnx2k12r2.test unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for au204131712
:: [ BEGIN ] :: Running 'cat /tmp/tmpfile.out'
spawn ssh -l au204131712 ipaqa64vmc.slnx2k12r2.test id -Z
au204131712@ipaqa64vmc.slnx2k12r2.test's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Command 'cat /tmp/tmpfile.out' (Expected 0, got 0)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Command 'verify_ssh_auth_success_selinuxuser au204131712 Secret123 ipaqa64vmc.slnx2k12r2.test unconfined_u:.*s0-s0:c0.c1023' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'verify_ssh_auth_success_selinuxuser au204131712 Secret123 ipaqavmf.slnx2k12r2.test unconfined_u:.*s0-s0:c0.c1023'
:: [ PASS ] :: Authentication successful for au204131712
:: [ BEGIN ] :: Running 'cat /tmp/tmpfile.out'
spawn ssh -l au204131712 ipaqavmf.slnx2k12r2.test id -Z
au204131712@ipaqavmf.slnx2k12r2.test's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Command 'cat /tmp/tmpfile.out' (Expected 0, got 0)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:: [ PASS ] :: Selinuxuser unconfined_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Command 'verify_ssh_auth_success_selinuxuser au204131712 Secret123 ipaqavmf.slnx2k12r2.test unconfined_u:.*s0-s0:c0.c1023' (Expected 0, got 0)
:: [ 18:30:24 ] :: Running remotehost-sync-set -s '77.' -m ivanova.idmqe.lab.eng.bos.redhat.com
:: [ BEGIN ] :: Running 'remotehost-sync-set -s '77.' -m ivanova.idmqe.lab.eng.bos.redhat.com'
remotehost-sync-set -s 77. -m ivanova.idmqe.lab.eng.bos.redhat.com
root 9247 8779 0 16:26 ? 00:00:03 python -m SimpleHTTPServer 8907
:: [ PASS ] :: Command 'remotehost-sync-set -s '77.' -m ivanova.idmqe.lab.eng.bos.redhat.com' (Expected 0, got 0)
'1c461cc5-8da6-4066-af33-364f496bbabe'
ipa-trust-func-selinuxusermap-client1-008-AD-user-associated-with-empty-selinuxusermap-on-Master result: PASS
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1448.html