Bug 1016638 - gnome desktop login of ipa user fails with error "unable to open session"
Summary: gnome desktop login of ipa user fails with error "unable to open session"
Keywords:
Status: CLOSED DUPLICATE of bug 887193
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.5
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-08 13:01 UTC by Kaleem
Modified: 2013-11-04 15:11 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
IdM server in Red Hat Enterprise Linux 6.3 introduced a technical preview of SELinux user mapping feature, which enabled a mapping of SELinux users to users managed by the IdM based on custom rules. However, the default configured SELinux user (guest_u:s0) used when no custom rule matches is too constraining. An IdM user authenticating to Red Hat Enterprise Linux 6.5 can be assigned the too constraining SELinux user in which case a login through graphical session would always fail. To work around this problem, change a too constraining default SELinux user in the IdM server from guest_u:s0 to a more relaxed value unconfined_u:s0-s0:c0.c1023: kinit admin ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 An unconfined SELinux user will be now assigned to the IdM user by default, which will allow the user to successfully authenticate through graphical interface.
Clone Of:
Environment:
Last Closed: 2013-10-09 14:48:47 UTC
Target Upstream Version:

Attachments (Terms of Use)
log file (4.15 KB, text/plain)
2013-10-08 13:01 UTC, Kaleem 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Kaleem 2013-10-08 13:01:13 UTC 
Created attachment 809266 [details]
log file

Description of problem:
Gnome login of ipa user fails with error "unable to open session"

/var/log/secure log shows that authentication is successful.

Setup is as follows:

RHEL-65 IPA Client ---- RHEL-63 IPA Server

Version-Release number of selected component (if applicable):

[root@65client ~]# rpm -q ipa-client selinux-policy gnome-desktop
ipa-client-3.0.0-37.el6.i686
selinux-policy-3.7.19-218.el6.noarch
gnome-desktop-2.28.2-11.el6.i686
[root@65client ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install a RHEL-65 ipa client with a RHEL-63 ipa server
2. Add a user on IPA server
3. Try gnome desktop login with user created in step 2 on IPA client machine

Actual results:
Gnome desktop login failed with error message "unable to open session"

Expected results:
Gnome desktop login should be successfull

Additional info:
1. Please find the attached log file which is having content from /var/log/secure and /var/log/audit/audit.log files.
Comment 2 Martin Kosek 2013-10-09 11:43:48 UTC 
I think is just too strict SELinux user role assigned by SSSD. You can check the settings on 6.3 IPA server:

# ipa config-show 
...
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
...

I bet there will be "guest_u:s0" value. This is too restrictive default. IIRC, we fixed the default in RHEL-6.4.

If you change it to "unconfined_u:s0-s0:c0.c1023", you should be able to log in again. There should be a Known Issue and KB article for that.
Comment 3 Martin Kosek 2013-10-09 12:02:24 UTC 
This is the RHEL 6.4 bug with documentation: Bug 887193. I would just close it as duplicate of it.
Comment 4 Daniel Walsh 2013-10-09 14:48:47 UTC 

*** This bug has been marked as a duplicate of bug 887193 ***
Note You need to log in before you can comment on or make changes to this bug.