Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3297
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1415167
Description of problem:
When pam_sss.so is used in an IPA-enrolled unprivileged docker container to control access to services via HBAC, pam_acct_mgmt fails.

Version-Release number of selected component (if applicable):
On the host:
kernel-3.10.0-514.el7.x86_64
selinux-policy-3.13.1-102.el7.noarch
In the container:
libselinux-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
sssd-1.14.0-43.el7_3.11.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. On a RHEL machine, git clone https://pagure.io/webauthinfra.git ; cd webauthinfra
2. Apply the patch
diff --git a/src/Dockerfile.www b/src/Dockerfile.www index 4d0d1d9..143e75c 100644 --- a/src/Dockerfile.www +++ b/src/Dockerfile.www @@ -1,5 +1,5 @@ -FROM fedora:24 -RUN dnf install -y /usr/sbin/ipa-client-install /usr/bin/ipsilon-client-install ipsilon-saml2 httpd mod_ssl mod_auth_gssapi mod_interc +FROM rhel7 +RUN yum install --disablerepo='*' --enablerepo=rhel-7-server-rpms -y /usr/sbin/ipa-client-install /usr/bin/ipsilon-client-install ipsi COPY init-data ipa-client-enroll ipsilon-client-configure populate-data-volume www-setup-apache /usr/sbin/ RUN chmod a+x /usr/sbin/init-data /usr/sbin/ipa-client-enroll /usr/sbin/ipsilon-client-configure /usr/sbin/populate-data-volume /usr/s COPY ipa-client-enroll.service ipsilon-client-configure.service populate-data-volume.service www-setup-apache.service /usr/lib/systemd diff --git a/src/www-mod_wsgi-gssapi.conf b/src/www-mod_wsgi-gssapi.conf index 77cf2cc..e3f586d 100644 --- a/src/www-mod_wsgi-gssapi.conf +++ b/src/www-mod_wsgi-gssapi.conf @@ -43,7 +43,7 @@ LoadModule lookup_identity_module modules/mod_lookup_identity.so InterceptFormPAMService webapp InterceptFormLogin username InterceptFormPassword password - InterceptGETOnSuccess on + # InterceptGETOnSuccess on LookupOutput env LookupUserAttr mail REMOTE_USER_EMAIL " " diff --git a/src/www-proxy-gssapi.conf b/src/www-proxy-gssapi.conf index efea3ce..f9f61e6 100644
--- a/src/www-proxy-gssapi.conf +++ b/src/www-proxy-gssapi.conf
@@ -31,7 +31,7 @@ LoadModule lookup_identity_module modules/mod_lookup_identity.so InterceptFormPAMService webapp InterceptFormLogin username InterceptFormPassword password - InterceptGETOnSuccess on + # InterceptGETOnSuccess on LookupOutput headers LookupUserAttr mail X-REMOTE-USER-EMAIL " "
3. Enroll the RHEL host.
4. docker pull freeipa/freeipa-server:fedora-24 ; docker tag freeipa/freeipa-server:fedora-24 freeipa-server
5. Install docker-compose, for example via
curl -L https://github.com/docker/compose/releases/download/1.10.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
6. docker-compose build
7. docker-compose up
8. Wait until the output shows
client_1 | Usage:
client_1 | ssh -X -i client-data/id_rsa -p 55022 developer@localhost firefox -no-remote
client_1 | To kinit, in the browser started with ^^^ visit http://localhost/
client_1 | or execute
client_1 | cat ipa-data/admin-password | ssh -i client-data/id_rsa -p 55022 developer@localhost kinit admin
9. cat ipa-data/admin-password | docker exec -i webauthinfra_client_1 kinit admin
10. docker exec -ti webauthinfra_client_1 curl -si --negotiate -u : https://www.example.test/login/

Actual results:
HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:47:20 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:47:20 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkXo3+6SrWGyKnWk5shxakGTSeb42vQQ+XIvIUeUGGBkwfkLVUE5ko4ui5zi4Uigubo7EeH/+TqSYbuut92ijBoAuTxJNBjytX3e6PgItoF1wrwfLaFmxCD037BbG2zgUyeqWyQNgpI07zLR9SPpE
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/login/?noext=1"><body>Kerberos authentication did not pass.</body></html>

When debug_level is set to 6 in /etc/sssd/sssd.conf in the webauthinfra_www_1 container and sssd is restarted, the sssd logs show

==> /var/log/sssd/selinux_child.log <==
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): selinux_child started.
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): context initialized
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): performing selinux operations
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [get_seuser] (0x0020): Cannot create SELinux handle
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init] (0x0020): SELinux policy not managed
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [set_seuser] (0x0020): Cannot init SELinux management
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020): Cannot set SELinux login context.
(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020): selinux_child failed!

==> /var/log/sssd/sssd_example.test.log <==
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_done] (0x0400): DP Request [PAM SELinux #3]: Request handler finished [0]: Success
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [_dp_req_recv] (0x0400): DP Request [PAM SELinux #3]: Receiving request data.
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #3]: Request removed.
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [child_sig_handler] (0x0020): child [1201] failed with status [1].

==> /var/log/sssd/sssd_pam.log <==
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][example.test]
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 29
(Fri Jan 20 12:49:50 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!

Expected results:
HTTP/1.1 401 Unauthorized
Date: Fri, 20 Jan 2017 12:51:07 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0 mod_wsgi/3.4 Python/2.7.5
WWW-Authenticate: Negotiate
Content-Length: 123
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 302 Found
Date: Fri, 20 Jan 2017 12:51:08 GMT
Server: WSGIServer/0.1 Python/2.7.12
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvb+C80tVteOSSJCA9Ao8jCCvFAqe6Wa0uqey7u90j8Iz+V/Jx5ubMVypvP9SvIpT/DPya0Jhngo06JH+ND5RwkBSpEYHlm3jZZo/lJYKKo/qJrZlzvH9T5ZQGOykR9c4axUHxD2X+Vcmvrl6xXKd7
Vary: Cookie
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8
Location: /
Set-Cookie: csrftoken=T6M3M78mg0AYVi6qGg8IvCx8jln3SOt9BmVhox2wvGA3i34X13jre5pa6JCW7Mpr; expires=Fri, 19-Jan-2018 12:51:08 GMT; Max-Age=31449600; Path=/
Set-Cookie: sessionid=nusfx73ibstzjjtzqod1lwy1a949lc9t; expires=Fri, 03-Feb-2017 12:51:08 GMT; httponly; Max-Age=1209600; Path=/
Transfer-Encoding: chunked

Additional info:
The expected output can be achieved by setting selinux_provider = none in the [domain/*] section of /etc/sssd/sssd.conf in the webauthinfra_www_1 container.
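Review bot: in the Dockerfile.www hunk, "+FROM rhel7" drops the explicit tag that "-FROM fedora:24" carried, so the reproducer builds against whichever rhel7 image is current; pin a tag so the reproduction stays deterministic. The "-RUN dnf install" and "+RUN yum install" lines and the following context lines are also cut off mid-word ("mod_interc", "ipsi", "/usr/s"), so the patch as pasted cannot be applied; attaching the complete diff as a file would let others reproduce step 2.

Review bot: the www-mod_wsgi-gssapi.conf and www-proxy-gssapi.conf hunks both comment out "InterceptGETOnSuccess on" without the steps saying why; a one-line note on whether this is needed to reach the pam_acct_mgmt failure through InterceptFormPAMService webapp, or is an unrelated local tweak, would tell a reader what the minimum change to reproduce is.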
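The three log excerpts above, read as a detection: this is an added example, not code from the report or from SSSD. It parses sssd's log-line format, counts entries logged at failure levels and checks for the selinux_child, back-end and pam_reply chain the report shows; the sample lines and the signature strings are taken from the report, the remediation text is the report's workaround, and the function names and the failure-level mask are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# sssd log line: "(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): message"
# Capture the component inside sssd[...], the function, the debug bitmask and the text.
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[+sssd\[(?P<component>\w+)\S* "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Assumption: bits 0x0010..0x0080 of sssd's debug mask are its failure levels (0x0020 = critical).
FAILURE_MASK = 0x00F0

# The chain from the report: selinux_child finds no managed SELinux policy, the back end
# cannot parse its response, and the PAM responder returns 4 (System error) to pam_sss.
SIGNATURES = {
    "selinux_child": "SELinux policy not managed",
    "be": "selinux_child_parse_response failed",
    "pam": "pam_reply called with result [4]",
}

# Sample input: lines copied from the report's selinux_child, domain and pam logs.
SAMPLE_LOG = [
    "(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0400): selinux_child started.",
    "(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [sss_semanage_init] (0x0020): SELinux policy not managed",
    "(Fri Jan 20 12:49:50 2017) [[sssd[selinux_child[1201]]]] [main] (0x0020): selinux_child failed!",
    "(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]",
    "(Fri Jan 20 12:49:50 2017) [sssd[be[example.test]]] [child_sig_handler] (0x0020): child [1201] failed with status [1].",
    "(Fri Jan 20 12:49:50 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.",
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one sssd log line into its fields; None for anything else (e.g. '==> file <==')."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_failure(entry: Dict[str, str]) -> bool:
    return int(entry["level"], 16) & FAILURE_MASK != 0

def diagnose(lines: List[str]) -> Dict[str, object]:
    """Look for the whole selinux_child -> back end -> pam chain across the given lines."""
    entries = [e for e in map(parse_line, lines) if e]
    hits = {comp: any(e["component"] == comp and sig in e["msg"] for e in entries)
            for comp, sig in SIGNATURES.items()}
    chain = all(hits.values())  # only suggest the workaround when every link is present
    return {
        "failures": sum(is_failure(e) for e in entries),
        "hits": hits,
        "remediation": "set selinux_provider = none in the [domain/...] section of sssd.conf" if chain else None,
    }
```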
Comments
Comment from jhrozek at 2017-02-03 10:31:35
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => mzidek
patch: => 0
review: True => 0
selected: =>
testsupdated: => 0
Comment from jhrozek at 2017-02-10 10:11:04
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.15.2
Comment from jhrozek at 2017-02-24 15:03:13
Metadata Update from @jhrozek:
Comment from jhrozek at 2017-03-15 10:11:08
Metadata Update from @jhrozek:
Comment from lslebodn at 2017-04-06 14:03:03
master:
sssd-1-14:
sssd-1-13:
Comment from lslebodn at 2017-04-06 14:03:05
Metadata Update from @lslebodn:
Comment from lslebodn at 2017-04-06 14:03:30
Metadata Update from @lslebodn: