Bug 284581 - SELinux prevents automatic addition of machine accounts in a Samba PDC
SELinux prevents automatic addition of machine accounts in a Samba PDC
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity high
: ---
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2007-09-10 09:50 EDT by Markku Kolkka
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-09-10 14:28:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
AVC messages from audit.log (13.14 KB, text/plain)
2007-09-10 09:50 EDT, Markku Kolkka
no flags Details

  None (edit)
Description Markku Kolkka 2007-09-10 09:50:55 EDT
+++ This bug was initially created as a clone of Bug #229466 +++

Description of problem:
The Fedora machine is set up as a Samba PDC, but trying to join a Windows
machine in the domain fails if SELinux is in enforcing mode, the samba log shows
that machine account creation failed. In permissive mode joining succeeds, but
with a large number of SELinux alerts.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup Samba as a primary domain controller
2. Log in a Windows machine and try to join the domain created in step 1.
Actual results:
The machine account isn't created and joining fails.

Expected results:
The Windows macine is added to the domain and a machine account created.

Additional info:
Changed our Samba PDC from Fedora 6 to CentOS 5, and the SELinux problems from
bug #229466 re-appeared. I'm attaching the AVC messages generated when joining a
machine with SELinux in permissive mode.
Comment 1 Markku Kolkka 2007-09-10 09:50:55 EDT
Created attachment 191661 [details]
AVC messages from audit.log
Comment 2 Daniel Walsh 2007-09-10 14:28:45 EDT
Fixed in u1 selinux-policy-2.4.6-89

Currently a preview is available on ftp://people.redhat.com/dwalsh/SELinux/RHEL5

You need to turn on the samba_domain_controller boolean

setsebool -P samba_domain_controller=1

Note You need to log in before you can comment on or make changes to this bug.