The trace file attached to this mail contains a trace in which it is asking for a password.
Let me know if this is helpful.
Thanks
Thanks Jakub for looking into the issue.
According to your suggestion I have modified my system-auth file. Now my current config looks like this:
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
bash-3.2# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient /lib64/security/pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] /lib64/security/pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient /lib64/security/pam_sss.so use_authtok
password required pam_deny.so
#session optional pam_keyinit.so revoke
#session required pam_limits.so
#session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
#session sufficient /lib64/security/pam_sss.so
#session required pam_unix.so
bash-3.2#
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
After this I have restarted the sssd process using the cmd service sssd restart.
Then I tried the authentication with strace su - nitback1, which gave the output which is in the attached file.
But this did not prompt me for any password; it stopped at the below line:
rt_sigprocmask(SIG_UNBLOCK, [ALRM TERM], NULL, 8) = 0
wait4(-1, $
The above trace I have taken with selinux disabled. The setting of selinux is as follows:
bash-3.2# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
bash-3.2#
I'm not sure how to check for AVC denials when selinux is set to enforcing. Could you tell me how to do that?
Thanks...
On Wed, Nov 16, 2011 at 7:25 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Tue, Nov 15, 2011 at 05:24:08PM +0530, Nitesh Mehare wrote:
> open("/etc/ld.so.cache", O_RDONLY) = 3
> Is that the output which is expected in the trace?
> Is something missing in the trace which suggests any config problem???
>
> On Tue, Nov 15, 2011 at 5:22 PM, Nitesh Mehare <nitesh26@gmail.com> wrote:
>
> This is the output of strace for the user which is in the ldap server.
>
> bash-3.2# strace -e open su - nitback1
> open("/lib64/libpam.so.0", O_RDONLY) = 3
> open("/lib64/libpam_misc.so.0", O_RDONLY) = 3
> open("/lib64/libcrypt.so.1", O_RDONLY) = 3
> open("/lib64/libdl.so.2", O_RDONLY) = 3
> open("/lib64/libc.so.6", O_RDONLY) = 3
> open("/lib64/libaudit.so.0", O_RDONLY) = 3
> open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
> open("/etc/nsswitch.conf", O_RDONLY) = 3
> open("/etc/ld.so.cache", O_RDONLY) = 3
> open("/lib64/libnss_files.so.2", O_RDONLY) = 3
> open("/etc/passwd", O_RDONLY) = 3
> open("/etc/ld.so.cache", O_RDONLY) = 3
> open("/lib64/libnss_sss.so.2", O_RDONLY) = 3
> open("/etc/pam.d/su-l", O_RDONLY) = 4
> open("/etc/pam.d/su", O_RDONLY) = 5
> open("/lib64/security/pam_rootok.so", O_RDONLY) = 6
> open("/etc/ld.so.cache", O_RDONLY) = 6
> open("/lib64/libselinux.so.1", O_RDONLY) = 6
> open("/lib64/libsepol.so.1", O_RDONLY) = 6
> open("/etc/selinux/config", O_RDONLY) = 6
> open("/proc/mounts", O_RDONLY) = 6
> open("/etc/pam.d/system-auth", O_RDONLY) = 6
> open("/etc/ld.so.cache", O_RDONLY) = 7
> open("/lib64/security/pam_env.so", O_RDONLY) = 7
> open("/lib64/security/pam_unix.so", O_RDONLY) = 7
> open("/usr/lib64/libcrack.so.2", O_RDONLY) = 7
> open("/lib64/libnsl.so.1", O_RDONLY) = 7
> open("/lib64/security/pam_succeed_if.so", O_RDONLY) = 7
> open("/lib64/security/pam_sss.so", O_RDONLY) = 7
So it seems pam_sss is found ^^^^
I have one suggestion regarding the system-auth PAM config: I think the
session stack is not correct. authconfig configures the PAM stack like this:
---
session optional pam_keyinit.so revoke
session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
---
Can you check two more things for me? Can you look if you get any AVC
denials provided SELinux is set to enforcing (or retry with setenforce 0
set for that test).
Also, can you send the whole strace output? IOW, run:
strace su - nitback1
ideally as non-root so you're prompted for a password.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
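Added example, not code from this thread or from SSSD: a small POSIX shell filter that answers the "how do I check for AVC denials" question above and does the check Jakub asked for. It pulls the denied AVC records out of audit output and reduces each one to the fields that matter for a PAM/sssd debugging session: the process (comm) and source context that was denied, the target context and class, and the permission. The audit records in the block are constructed for the example; the pids, inodes, timestamps, paths and contexts in them are made up, not taken from the system in the thread. Two caveats a practitioner would want: with SELINUX=disabled, as in the config shown above, the kernel never emits AVC records, so there is nothing to search until the box has been rebooted in enforcing or permissive mode (a change away from disabled only takes effect at boot), and setenforce 0 only toggles enforcing/permissive, it cannot turn a disabled SELinux on. Separately, the trace in the reply above was taken as root; /etc/pam.d/su loads pam_rootok.so (visible in the quoted strace), so root is not asked for a password and su goes straight to forking the shell and blocking in wait4(), which is why the request is for an strace as a non-root user.

```shell
#!/bin/sh
# Added example: extract SELinux AVC denials from audit records.
# Not code from the sssd-devel thread or from SSSD itself.

# Constructed sample audit records (made-up pids, inodes, timestamps, paths
# and contexts) so the filter can be exercised offline. On a real system the
# records come from /var/log/audit/audit.log or from `ausearch -m avc`.
sample_audit_log() {
cat <<'EOF'
type=USER_AUTH msg=audit(1321428000.100:400): user pid=2000 uid=0 auid=0 msg='op=PAM:authentication acct="nitback1" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
type=AVC msg=audit(1321428000.123:401): avc:  denied  { read } for  pid=1234 comm="sssd_be" name="ldap.conf" dev=dm-0 ino=12345 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1321428000.123:401): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=1 pid=1234 comm="sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1321428005.456:402): avc:  denied  { connectto } for  pid=2000 comm="su" path="/var/lib/sss/pipes/pam" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1321428006.000:403): avc:  granted  { setenforce } for  pid=3000 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
}

# Read audit records on stdin, keep only AVC records that were denied (granted
# AVCs and the SYSCALL/USER_AUTH records around them are noise here), and print
# one line per denial: comm scontext tcontext tclass permissions
avc_denials() {
    awk '
        /^type=AVC / && / denied / {
            comm = scon = tcon = tclass = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     comm   = kv[2]
                if (kv[1] == "scontext") scon   = kv[2]
                if (kv[1] == "tcontext") tcon   = kv[2]
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            # The permission set sits between braces: "{ read }" -> "read"
            match($0, /[{][^}]*[}]/)
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/^ +/, "", perms)
            sub(/ +$/, "", perms)
            gsub("\"", "", comm)
            print comm, scon, tcon, tclass, perms
        }'
}

# Number of denials in the records on stdin (0 when there are none).
denial_count() {
    avc_denials | awk 'END { print NR }'
}

# Same filter over the live system (run as root). ausearch is preferred because
# it handles rotated logs and the -ts window; the raw log is the fallback.
# Remember: nothing is recorded while SELINUX=disabled.
live_avc_denials() {
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -ts recent 2>/dev/null | avc_denials
    else
        cat /var/log/audit/audit.log 2>/dev/null | avc_denials
    fi
}

# Offline demonstration over the constructed records.
sample_audit_log | avc_denials
```

Run the script as-is to see the two constructed denials (the sssd_be read of an etc_t file and su connecting to the sssd pipe) with the granted record filtered out; on a real host call live_avc_denials instead, once with SELinux enforcing and once after setenforce 0, and compare: if the login works in permissive mode and the enforcing run shows denials naming sssd_t or the sssd pipe, SELinux policy is the blocker rather than the PAM stack.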