Description of problem: Could not open file [/var/log/sssd/selinux_child.log]. Error: [13][Permission denied]
Version-Release number of selected component (if applicable): 7.2
How reproducible: Always
Steps to Reproduce:
1. Ensure IPA server is installed on RHEL7.2
2. Ensure trust is established with Win2K8 R2.
3. systemctl stop sssd.service
4. In the [sssd] section of the /etc/sssd/sssd.conf file, add the following:
[sssd]
user = sssd
5. systemctl start sssd.service
6. Now try logging in as the AD user from the AD Windows box.
Actual results:
1. Since the sssd service is now running as user 'sssd', the ownership of all the log files below has been changed to sssd.sssd, which is correct behaviour.
[root@ipa01 sssd]# ls -l | grep sssd_nss
-rw-------. 1 sssd sssd 9814824 Sep 15 17:21 sssd_nss.log
[root@ipa01 sssd]# ls -l | grep sssd_pam
-rw-------. 1 sssd sssd 4137528 Sep 15 17:21 sssd_pam.log
[root@ipa01 sssd]# ls -l | grep sssd_ssh
-rw-------. 1 sssd sssd 4204027 Sep 15 17:21 sssd_ssh.log
[root@ipa01 sssd]# ls -l | grep sssd_pac
-rw-------. 1 sssd sssd 4090200 Sep 15 17:21 sssd_pac.log
[root@ipa01 sssd]# ls -l | grep sssd_sudo
-rw-------. 1 sssd sssd 4615010 Sep 15 17:21 sssd_sudo.log
2. The ownership of the keytab file in the /var/lib/sss/keytabs directory also changes to sssd.sssd, which is correct behaviour.
drwx------. 2 sssd sssd 50 Sep 15 17:45 keytabs
[root@ipa01 keytabs]# ls -l
total 8
-rw-------. 1 sssd sssd 177 Sep 15 17:45 test.in.keytab
3. The ownership of the files below remains root.root and doesn't change to sssd:sssd.
-rw-------. 1 root root 57108 Sep 15 17:20 krb5_child.log
-rw-------. 1 root root 36022 Sep 15 17:16 ldap_child.log
-rw-------. 1 root root 0 Aug 24 14:59 selinux_child.log
4. The AD user gets logged in successfully, but there is a message displayed on the IPA server console.
[smenon@ipa01 log]$ Message from syslogd@ipa01 at Sep 15 17:47:41 ...
sssd[be[labs01.test]]:Could not open file [/var/log/sssd/selinux_child.log]. Error: [13][Permission denied]
Expected results: The ownership of the log files should be changed to sssd:sssd when sssd service is running as 'sssd' and root:root vice versa.
Additional info:
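
A check for the ownership mismatch described above, as an added example that is not part of the original report or of SSSD itself. It reads the `user` option from the `[sssd]` section and lists log files owned by anyone else; the function names are hypothetical, and treating an unset option as `root` is an assumption taken from the report's expected results.

```shell
#!/bin/sh
# Added example (not from the original report): compare the owner of each
# SSSD log file with the "user" option in the [sssd] section of sssd.conf.

# Print the configured service user. Assumption: "root" when the option is
# unset, matching the report's expected results.
sssd_conf_user() {
    awk -F= '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && $1 ~ /^[ \t]*user[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); u = $2
        }
        END { print (u == "" ? "root" : u) }
    ' "$1"
}

# Print "owner path" for every *.log file in the directory whose owner is not
# the configured user. Returns 1 if any mismatch was found, 0 otherwise.
sssd_log_mismatches() {
    conf=$1
    logdir=$2
    want=$(sssd_conf_user "$conf")
    rc=0
    for f in "$logdir"/*.log; do
        [ -f "$f" ] || continue
        # Third field of "ls -ld" is the owner (name, or uid if unnamed).
        owner=$(ls -ld -- "$f" | awk '{ print $3 }')
        if [ "$owner" != "$want" ]; then
            printf '%s %s\n' "$owner" "$f"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: script.sh /etc/sssd/sssd.conf /var/log/sssd
if [ "$#" -eq 2 ]; then
    sssd_log_mismatches "$1" "$2"
fi
```

Run against the state shown in this report, it would list krb5_child.log, ldap_child.log and selinux_child.log as owned by root and exit non-zero.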