The trace file attached to this mail contains a trace in which it asks for a
password.
Let me know if this is helpful.
Thanks
On Wed, Nov 16, 2011 at 7:49 PM, Nitesh Mehare <nitesh26(a)gmail.com> wrote:
Thanks Jakub for looking into the issue.
According to your suggestion I have modified my system-auth file. Now my
current config looks like this:
bash-3.2# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient /lib64/security/pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] /lib64/security/pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient /lib64/security/pam_sss.so use_authtok
password required pam_deny.so
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
#session optional pam_keyinit.so revoke
#session required pam_limits.so
#session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
#session sufficient /lib64/security/pam_sss.so
#session required pam_unix.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use _uid
session required pam_unix.so
session optional pam_sss.so
bash-3.2#
After this I have restarted the sssd process using the cmd service sssd
restart
Then I tried the authentication with strace su - nitback1 which gave the
output, which is in the attached file.
But this did not prompt me for any password; it stopped at the line below:
rt_sigprocmask(SIG_UNBLOCK, [ALRM TERM], NULL, 8) = 0
wait4(-1,
The above trace I have taken with selinux disabled. The setting of
selinux is as follows
bash-3.2# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
bash-3.2#
I'm not sure how to check for AVC denials when selinux is set to
enforcing. Could you tell me how to do that.
Thanks...
On Wed, Nov 16, 2011 at 7:25 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> On Tue, Nov 15, 2011 at 05:24:08PM +0530, Nitesh Mehare wrote:
> > Is that the output which is expected in the trace?
> > Is something missing in the trace which suggests any config problem???
> >
> > On Tue, Nov 15, 2011 at 5:22 PM, Nitesh Mehare <nitesh26(a)gmail.com>
> wrote:
> >
> > This is the output of strace for the user which is in ldap server.
> >
> > bash-3.2# strace -e open su - nitback1
> > open("/etc/ld.so.cache", O_RDONLY) = 3
> > open("/lib64/libpam.so.0", O_RDONLY) = 3
> > open("/lib64/libpam_misc.so.0", O_RDONLY) = 3
> > open("/lib64/libcrypt.so.1", O_RDONLY) = 3
> > open("/lib64/libdl.so.2", O_RDONLY) = 3
> > open("/lib64/libc.so.6", O_RDONLY) = 3
> > open("/lib64/libaudit.so.0", O_RDONLY) = 3
> > open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
> > open("/etc/nsswitch.conf", O_RDONLY) = 3
> > open("/etc/ld.so.cache", O_RDONLY) = 3
> > open("/lib64/libnss_files.so.2", O_RDONLY) = 3
> > open("/etc/passwd", O_RDONLY) = 3
> > open("/etc/ld.so.cache", O_RDONLY) = 3
> > open("/lib64/libnss_sss.so.2", O_RDONLY) = 3
> > open("/etc/pam.d/su-l", O_RDONLY) = 4
> > open("/etc/pam.d/su", O_RDONLY) = 5
> > open("/lib64/security/pam_rootok.so", O_RDONLY) = 6
> > open("/etc/ld.so.cache", O_RDONLY) = 6
> > open("/lib64/libselinux.so.1", O_RDONLY) = 6
> > open("/lib64/libsepol.so.1", O_RDONLY) = 6
> > open("/etc/selinux/config", O_RDONLY) = 6
> > open("/proc/mounts", O_RDONLY) = 6
> > open("/etc/pam.d/system-auth", O_RDONLY) = 6
> > open("/lib64/security/pam_env.so", O_RDONLY) = 7
> > open("/lib64/security/pam_unix.so", O_RDONLY) = 7
> > open("/etc/ld.so.cache", O_RDONLY) = 7
> > open("/usr/lib64/libcrack.so.2", O_RDONLY) = 7
> > open("/lib64/libnsl.so.1", O_RDONLY) = 7
> > open("/lib64/security/pam_succeed_if.so", O_RDONLY) = 7
> > open("/lib64/security/pam_sss.so", O_RDONLY) = 7
>
> So it seems pam_sss is found ^^^^
>
> I have one suggestion as per the system-auth PAM config, I think the
> session is not correct, authconfig configures the PAM stack like this:
> ---
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
> ---
>
> Can you check two more things for me? Can you look if you get any AVC
> denials provided SELinux is set to enforcing (or retry with setenforce 0
> set for that test).
>
> Also, can you send the whole strace output? IOW, run:
> strace su - nitback1
> ideally as non-root so you're prompted for password
> _______________________________________________
> sssd-devel mailing list
> sssd-devel(a)lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel
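The thread turns on whether the hand-edited system-auth stack is what authconfig would have produced. The following is an added example, not code from the thread or from the SSSD project: a small checker that parses a pam.d file into type / control / module / arguments, verifies that each of the four stacks references pam_sss.so, and validates the arguments given to pam_succeed_if.so against the flags and condition syntax documented in pam_succeed_if(8). The sample configuration is constructed from the one posted above; the function names and the idea of flagging a split token such as "use _uid" are this example's own.

```python
"""Sanity-check a pam.d stack file such as /etc/pam.d/system-auth.

Added example (not from the thread): parses each non-comment line into
type / control / module / arguments, then checks that
  - every stack (auth, account, password, session) calls pam_sss.so, and
  - pam_succeed_if.so arguments are known flags or "field op value"
    triples, so a split token such as "use _uid" is reported.
"""
import re

STACKS = ("auth", "account", "password", "session")

# Flags pam_succeed_if accepts without a value (pam_succeed_if(8)).
SUCCEED_IF_FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "audit"}
SUCCEED_IF_FIELDS = {"user", "uid", "gid", "shell", "home", "ruser",
                     "rhost", "tty", "service"}
SUCCEED_IF_OPS = {"=", "!=", "<", ">", "<=", ">=", "eq", "ne", "lt", "gt",
                  "le", "ge", "=~", "!~", "in", "notin", "ingroup",
                  "notingroup", "innetgr", "notinnetgr"}

# Bracketed controls such as [success=1 default=ignore] contain spaces,
# so they need their own alternative in the pattern.
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return a list of (type, control, module_basename, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        typ, control, module, rest = m.groups()
        # Modules may be given by absolute path; compare on the basename.
        entries.append((typ.lower(), control, module.rsplit("/", 1)[-1],
                        rest.split()))
    return entries


def check_succeed_if_args(args):
    """Return the tokens that are neither a flag nor part of a condition."""
    bad, i = [], 0
    while i < len(args):
        tok = args[i]
        if tok in SUCCEED_IF_FLAGS:
            i += 1
        elif (tok in SUCCEED_IF_FIELDS and i + 2 < len(args)
              and args[i + 1] in SUCCEED_IF_OPS):
            i += 3                          # consume "field op value"
        else:
            bad.append(tok)
            i += 1
    return bad


def check_pam(text):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    entries = parse_pam(text)
    for stack in STACKS:
        if not any(t == stack and mod == "pam_sss.so"
                   for t, _, mod, _ in entries):
            problems.append("%s stack never calls pam_sss.so" % stack)
    for typ, _, mod, args in entries:
        if mod == "pam_succeed_if.so":
            for tok in check_succeed_if_args(args):
                problems.append("%s pam_succeed_if.so: unknown token %r"
                                % (typ, tok))
    return problems


# Constructed sample, modelled on the system-auth posted in the thread.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient /lib64/security/pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] /lib64/security/pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient /lib64/security/pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use _uid
session required pam_unix.so
session optional pam_sss.so
"""

if __name__ == "__main__":
    for p in check_pam(SAMPLE_SYSTEM_AUTH) or ["no problems found"]:
        print(p)
```

Run against the sample it reports the two stray tokens from the wrapped session line and nothing else; feed it the real file with `check_pam(open("/etc/pam.d/system-auth").read())` to compare a hand-edited stack with the authconfig layout quoted in the reply.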
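The poster also asks how to look for AVC denials once SELinux is enforcing. The usual tool is `ausearch -m avc` on /var/log/audit/audit.log; the example below is added here (it is not from the thread or from SSSD) to show what an AVC record looks like and how to reduce a log to the denials that matter for a PAM/SSSD problem. The audit records are constructed for this example, not captured from the poster's system, and the field names follow the standard audit record format.

```python
"""Extract SELinux AVC denials from audit-log lines and summarise them.

Added example (not from the thread). Only type=AVC records with "denied"
are kept; the SYSCALL record that shares the same serial is skipped here.
"""
import re

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be quoted (comm="su") or bare (tclass=file)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(lines):
    """Return one dict per denial with the fields needed to read it."""
    records = []
    for line in lines:
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append({
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "comm": kv.get("comm"),
            "target": kv.get("path") or kv.get("name"),
            "scontext": kv.get("scontext"),
            "tcontext": kv.get("tcontext"),
            "tclass": kv.get("tclass"),
        })
    return records


def domain(context):
    """Return the type (third colon-separated field) of an SELinux context."""
    return context.split(":")[2] if context else None


def summarize(records):
    """One readable line per denial: process, permission, object, domains."""
    return ["%s: denied %s on %s %s (%s -> %s)" % (
        r["comm"], ",".join(r["perms"]), r["tclass"], r["target"] or "?",
        domain(r["scontext"]), domain(r["tcontext"])) for r in records]


# Constructed sample records (not real captures); the paths and contexts
# are what a su -> sssd interaction would plausibly touch.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1321435201.000:101): avc:  denied  { connectto } for  pid=2345 comm="su" path="/var/lib/sss/pipes/pam" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1321435201.000:101): arch=c000003e syscall=42 success=no exit=-13 comm="su"
type=AVC msg=audit(1321435203.000:103): avc:  denied  { read } for  pid=2345 comm="su" name="cache_default.ldb" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
"""

if __name__ == "__main__":
    for line in summarize(parse_avc_denials(SAMPLE_AUDIT_LOG.splitlines())):
        print(line)
```

On a live system read the lines from /var/log/audit/audit.log (root only) after reproducing the login with `setenforce 1`; a denial whose scontext or tcontext names sssd_t is the one to bring back to the list. An empty result with SELinux enforcing means the failure lies elsewhere, which is exactly what the reply's "retry with setenforce 0" check is meant to separate.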