Bug 1263251 - Could not open file [/var/log/sssd/selinux_child.log]. Error: [13][Permission denied]
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Petr Čech
QA Contact: Kaushik Banerjee
Reported: 2015-09-15 08:23 EDT by Sudhir Menon
Modified: 2015-10-29 05:51 EDT
Doc Type: Bug Fix
Last Closed: 2015-10-29 05:30:49 EDT
Type: Bug

Description Sudhir Menon 2015-09-15 08:23:14 EDT
Description of problem: Could not open file [/var/log/sssd/selinux_child.log]. Error: [13][Permission denied]

Version-Release number of selected component (if applicable): 7.2

How reproducible: Always

Steps to Reproduce:
1. Ensure IPA server is installed on RHEL7.2
2. Ensure trust is established with Win2K8 R2.
3. systemctl stop sssd.service
4. In the [sssd] section of the /etc/sssd/sssd.conf file, add the line below:
user = sssd
5. systemctl start sssd.service
6. Now try logging in as the AD user from the AD Windows box.

Actual results:

1. Since the sssd service is now running as user 'sssd', the ownership of all the log files below has been changed to sssd.sssd, which is correct behaviour.

[root@ipa01 sssd]# ls -l | grep sssd_nss
-rw-------. 1 sssd sssd  9814824 Sep 15 17:21 sssd_nss.log
[root@ipa01 sssd]# ls -l | grep sssd_pam
-rw-------. 1 sssd sssd  4137528 Sep 15 17:21 sssd_pam.log
[root@ipa01 sssd]# ls -l | grep sssd_ssh
-rw-------. 1 sssd sssd  4204027 Sep 15 17:21 sssd_ssh.log
[root@ipa01 sssd]# ls -l | grep sssd_pac
-rw-------. 1 sssd sssd  4090200 Sep 15 17:21 sssd_pac.log
[root@ipa01 sssd]# ls -l | grep sssd_sudo
-rw-------. 1 sssd sssd  4615010 Sep 15 17:21 sssd_sudo.log

2. The ownership of the keytab file in the /var/lib/sss/keytabs directory also changes to sssd.sssd, which is correct behaviour.

drwx------. 2 sssd sssd   50 Sep 15 17:45 keytabs
[root@ipa01 keytabs]# ls -l
total 8
-rw-------. 1 sssd sssd 177 Sep 15 17:45 test.in.keytab

3. The ownership of the files below remains root.root and doesn't change to sssd:sssd.

-rw-------. 1 root root    57108 Sep 15 17:20 krb5_child.log
-rw-------. 1 root root    36022 Sep 15 17:16 ldap_child.log
-rw-------. 1 root root        0 Aug 24 14:59 selinux_child.log

4. The AD user gets logged in successfully, but a message is displayed on the IPA server console.

[smenon@ipa01 log]$  Message from syslogd@ipa01 at Sep 15 17:47:41 ...
 sssd[be[labs01.test]]:Could not open file [/var/log/sssd/selinux_child.log]. Error: [13][Permission denied]

Expected results: The ownership of the log files should be changed to sssd:sssd when the sssd service is running as 'sssd', and to root:root when it is running as root.

Additional info:
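The reproduction steps above amount to an ownership check: once `user = sssd` is set in the [sssd] section, every file sssd opens under /var/log/sssd (and in the keytabs directory) has to be owned by that user, and the three root-owned *_child.log files listed in the description are exactly what produces the "Permission denied" message. The script below is an added example, not part of the bug report or of sssd itself: it reads the configured user from sssd.conf, lists entries in the given directories whose owner differs, exits non-zero if any are found, and offers a chown-based remediation. It assumes GNU coreutils (`stat -c %U`) and a POSIX sh; the config path and directories are parameters so it can also be run against a scratch copy, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of sssd: verify that the files
# sssd opens are owned by the user configured in the [sssd] section of
# sssd.conf, and optionally chown the ones that are not.
# Assumes GNU coreutils (stat -c %U) and a POSIX sh.

# Print the value of "user =" from the [sssd] section of the given config
# file; print "root" if it is unset or the file is unreadable, since sssd
# runs as root by default. Only the [sssd] section is consulted, so a
# "user =" line inside a domain section is ignored.
sssd_configured_user() {
    conf="${1:-/etc/sssd/sssd.conf}"
    u=$(awk '
        /^[[:space:]]*\[/ { insssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/) }
        insssd && /^[[:space:]]*user[[:space:]]*=/ {
            sub(/^[[:space:]]*user[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print; exit
        }' "$conf" 2>/dev/null)
    printf '%s\n' "${u:-root}"
}

# Print "<owner> <path>" for every entry directly inside the given directories
# whose owner is not the expected user. Missing directories are skipped.
# Usage: sssd_ownership_mismatches USER DIR...
sssd_ownership_mismatches() {
    expected="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob
            owner=$(stat -c %U "$f")
            [ "$owner" = "$expected" ] || printf '%s %s\n' "$owner" "$f"
        done
    done
}

# Return 0 when every entry is owned by the configured user, 1 otherwise
# (the offenders are printed to stderr). Usage: sssd_check_ownership CONF DIR...
sssd_check_ownership() {
    conf="$1"; shift
    expected=$(sssd_configured_user "$conf")
    bad=$(sssd_ownership_mismatches "$expected" "$@")
    [ -z "$bad" ] && return 0
    printf 'entries not owned by "%s":\n%s\n' "$expected" "$bad" >&2
    return 1
}

# Remediation: chown the offenders to the configured user and its group
# (needs root). Usage: sssd_fix_ownership CONF DIR...
sssd_fix_ownership() {
    conf="$1"; shift
    expected=$(sssd_configured_user "$conf")
    sssd_ownership_mismatches "$expected" "$@" | while read -r owner path; do
        chown "$expected:$expected" "$path"
    done
}

# Stand-alone use on a host that has sssd installed: check the directories
# named in the report. A root-owned *_child.log shows up here as a mismatch.
if [ -r /etc/sssd/sssd.conf ]; then
    sssd_check_ownership /etc/sssd/sssd.conf /var/log/sssd /var/lib/sss/keytabs
fi
```

Run it after restarting sssd with the new `user =` setting and before the first AD login; if it reports the *_child.log files, `sssd_fix_ownership /etc/sssd/sssd.conf /var/log/sssd` (as root) puts them in the state the expected results describe, and the check can be repeated after switching back to root to confirm the reverse.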
Comment 2 Petr Vobornik 2015-09-15 10:14:02 EDT
Doesn't look like something IPA controls, changing component.
Comment 3 Jakub Hrozek 2015-09-21 05:17:53 EDT
Upstream ticket:
