Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1415167
Description of problem:

When pam_sss.so is used in IPA-enrolled unprivileged docker container to control access to services via HBAC, the pam_acct_mgmt fails.

Version-Release number of selected component (if applicable):

On the host:
kernel-3.10.0-514.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch

In the container:
libselinux-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
sssd-1.14.0-43.el7_3.11.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:

1. On RHEL machine, git clone https://pagure.io/webauthinfra.git ; cd webauthinfra

2. apply patch

```
diff --git a/src/Dockerfile.www b/src/Dockerfile.www index 4d0d1d9..143e75c 100644 --- a/src/Dockerfile.www +++ b/src/Dockerfile.www @@ -1,5 +1,5 @@ -FROM fedora:24 -RUN dnf install -y /usr/sbin/ipa-client-install /usr/bin/ipsilon-client-install ipsilon-saml2 httpd mod_ssl mod_auth_gssapi mod_interc +FROM rhel7 +RUN yum install --disablerepo='*' --enablerepo=rhel-7-server-rpms -y /usr/sbin/ipa-client-install /usr/bin/ipsilon-client-install ipsi COPY init-data ipa-client-enroll ipsilon-client-configure populate-data-volume www-setup-apache /usr/sbin/ RUN chmod a+x /usr/sbin/init-data /usr/sbin/ipa-client-enroll /usr/sbin/ipsilon-client-configure /usr/sbin/populate-data-volume /usr/s COPY ipa-client-enroll.service ipsilon-client-configure.service populate-data-volume.service www-setup-apache.service /usr/lib/systemd diff --git a/src/www-mod_wsgi-gssapi.conf b/src/www-mod_wsgi-gssapi.conf index 77cf2cc..e3f586d 100644 --- a/src/www-mod_wsgi-gssapi.conf +++ b/src/www-mod_wsgi-gssapi.conf @@ -43,7 +43,7 @@ LoadModule lookup_identity_module modules/mod_lookup_identity.so InterceptFormPAMService webapp InterceptFormLogin username InterceptFormPassword password - InterceptGETOnSuccess on + # InterceptGETOnSuccess on LookupOutput env LookupUserAttr mail REMOTE_USER_EMAIL " " diff --git a/src/www-proxy-gssapi.conf b/src/www-proxy-gssapi.conf index efea3ce..f9f61e6 100644 
--- a/src/www-proxy-gssapi.conf +++ b/src/www-proxy-gssapi.conf 
@@ -31,7 +31,7 @@ LoadModule lookup_identity_module modules/mod_lookup_identity.so InterceptFormPAMService webapp InterceptFormLogin username InterceptFormPassword password - InterceptGETOnSuccess on + # InterceptGETOnSuccess on LookupOutput headers LookupUserAttr mail X-REMOTE-USER-EMAIL " "
```

3. Enroll the RHEL host.

4. docker pull freeipa/freeipa-server:fedora-24 ; docker tag freeipa/freeipa-server:fedora-24 freeipa-server

5. Install docker-compose, for example via

```
curl -L https://github.com/docker/compose/releases/download/1.10.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
```

6. docker-compose build

7. docker-compose up

8. Wait until the output shows

```
client_1 | Usage:
client_1 | ssh -X -i client-data/id_rsa -p 55022 developer@localhost firefox -no-remote
client_1 | To kinit, in the browser started with ^^^ visit http://localhost/
client_1 | or execute
client_1 | cat ipa-data/admin-password | ssh -i client-data/id_rsa -p 55022 developer@localhost kinit admin
```

9. cat ipa-data/admin-password | docker exec -i webauthinfra_client_1 kinit admin

10. docker exec -ti webauthinfra_client_1 curl -si --negotiate -u : https://www.example.test/login/

Actual results:

```
HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:47:20 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:47:20 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhki G9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkXo3+6SrWGyKnWk5shxakGTSeb42vQ Q+XIvIUeUGGBkwfkLVUE5ko4ui5zi4Uigubo7EeH/+TqSYbuut92ijBoAuTxJNBjytX3e6PgItoF1wr wfLaFmxCD037BbG2zgUyeqWyQNgpI07zLR9SPpE
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/login/?noext=1"><body>Kerberos authentication did not pass.</body></html>
```

When debug_level is set to 6 in webauthinfra_www_1 container in /etc/sssd/sssd.conf and sssd restarted, sssd logs show

```
==> /var/log/sssd/selinux_child.log <==
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): selinux_child started.
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): context initialized
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): performing selinux operations
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [get_seuser] (0x0020): Cannot create SELinux handle
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [set_seuser] (0x0020): Cannot init SELinux management
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020): Cannot set SELinux login context.
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020): selinux_child failed!

==> /var/log/sssd/sssd_example.test.log <==
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_done] (0x0400): DP Request [PAM SELinux #3]: Request handler finished [0]: Success
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [_dp_req_recv] (0x0400): DP Request [PAM SELinux #3]: Receiving request data.
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #3]: Request removed.
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [child_sig_handler] (0x0020): child [1201] failed with status [1].

==> /var/log/sssd/sssd_pam.log <==
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][example.test]
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 29
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
```

Expected results:

```
HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:51:07 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Fri, 20 Jan 2017 12:51:08 GMT
Server: WSGIServer/0.1 Python/2.7.12
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhki G9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvb+C80tVteOSSJCA9Ao8jCCvFAqe6Wa 0uqey7u90j8Iz+V/Jx5ubMVypvP9SvIpT/DPya0Jhngo06JH+ND5RwkBSpEYHlm3jZZo/lJYKKo/qJr ZlzvH9T5ZQGOykR9c4axUHxD2X+Vcmvrl6xXKd7
Vary: Cookie
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8
Location: /
Set-Cookie: csrftoken=T6M3M78mg0AYVi6qGg8IvCx8jln3SOt9BmVhox2wvGA3i34X13jre5pa6JCW7Mpr; expires=Fri, 19-Jan-2018 12:51:08 GMT; Max-Age=31449600; Path=/
Set-Cookie: sessionid=nusfx73ibstzjjtzqod1lwy1a949lc9t; expires=Fri, 03-Feb-2017 12:51:08 GMT; httponly; Max-Age=1209600; Path=/
Transfer-Encoding: chunked
```

Additional info:

The expected output can be achieved by setting selinux_provider = none in [domain/*] section of /etc/sssd/sssd.conf in webauthinfra_www_1 container.
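Review bot: In the Dockerfile.www hunk the new base image `+FROM rhel7` carries no tag, while the line it replaces pinned `fedora:24`; because this report ties the failure to specific builds (libselinux-2.5-6.el7, sssd-1.14.0-43.el7_3.11), pin the rhel7 tag as well so the reproducer builds the same image later. The `+RUN yum install ...` line is also cut off at `ipsi` in the report, so its package list cannot be compared with the `dnf` line it replaces; the full line should be attached.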
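Review bot: In the www-mod_wsgi-gssapi.conf hunk (and identically in the www-proxy-gssapi.conf hunk) `InterceptGETOnSuccess on` is commented out rather than set to an explicit value, and neither the patch nor the steps say why; add a comment beside the disabled directive, or a sentence in step 2, stating whether this is required for the RHEL 7 build of the module or is an unrelated change, since the directive sits in the same block as `InterceptFormPAMService webapp`, which is the PAM path this reproducer exercises.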
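A small detector for the failure chain in this report (semanage init fails in selinux_child, the helper exits, PAM returns System error) run over constructed log lines modelled on the excerpts above, plus a check for the selinux_provider = none workaround in sssd.conf. This is an added example, not SSSD's code; the sample log lines and conf snippets are constructed.

```python
"""Added example (not SSSD code): detect this ticket's failure chain in sssd debug logs."""
import configparser
import re

# Constructed sample lines modelled on the selinux_child.log / sssd_pam.log excerpts above.
SAMPLE_LOG = """\
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020): selinux_child failed!
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [child_sig_handler] (0x0020): child [1201] failed with status [1].
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
"""

# One sssd debug line: (timestamp) [component] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) (?P<comp>\[+sssd.*?\]+) \[(?P<fn>\w+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$")

# Stages of the chain: semanage init fails -> helper exits -> PAM reports System error (4).
CHAIN = {
    "policy_not_managed": ("sss_semanage_init", "SELinux policy not managed"),
    "selinux_child_failed": ("main", "selinux_child failed!"),
    "pam_system_error": ("pam_reply", "result [4]"),
}

def parse_log(text):
    """Return the parsed fields of every line that matches the sssd debug format."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def diagnose(text):
    """Return (sorted stage names seen, True when all three stages are present)."""
    seen = {name for ev in parse_log(text)
            for name, (fn, needle) in CHAIN.items()
            if ev["fn"] == fn and needle in ev["msg"]}
    return sorted(seen), seen == set(CHAIN)

def has_workaround(conf_text):
    """True when every [domain/...] section in sssd.conf sets selinux_provider = none."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    return bool(domains) and all(
        cp.get(s, "selinux_provider", fallback="").strip() == "none" for s in domains)

if __name__ == "__main__":
    stages, complete = diagnose(SAMPLE_LOG)
    print("stages seen:", stages, "| chain complete:", complete)
    if complete and not has_workaround("[domain/example.test]\nid_provider = ipa\n"):
        print("hint: set selinux_provider = none in [domain/*] of /etc/sssd/sssd.conf")
```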
Fields changed:
- blockedby: =>
- blocking: =>
- changelog: =>
- coverity: =>
- design: =>
- design_review: => 0
- feature_milestone: =>
- fedora_test_page: =>
- mark: no => 0
- owner: somebody => mzidek
- patch: => 0
- review: True => 0
- selected: =>
- testsupdated: => 0
- milestone: NEEDS_TRIAGE => SSSD 1.15.2
Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.15.2

Metadata Update from @jhrozek:
- Custom field design_review reset
- Custom field mark reset
- Custom field patch reset
- Custom field review reset
- Custom field sensitive reset
- Custom field testsupdated reset
- Issue close_status updated to: None
- Issue set to the milestone: SSSD 1.15.3 (was: SSSD 1.15.2)
master:
sssd-1-14:
sssd-1-13:
Metadata Update from @lslebodn:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)

Metadata Update from @lslebodn:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/4330
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.