Thanks Jakub for looking into the issue..
According to your suggesstion I have modified my system-auth file..Now my current config looks like this...#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
bash-3.2# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient /lib64/security/pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] /lib64/security/pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient /lib64/security/pam_sss.so use_authtok
password required pam_deny.so
#session optional pam_keyinit.so revoke
#session required pam_limits.so
#session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
#session sufficient /lib64/security/pam_sss.so
#session required pam_unix.sobash-3.2#
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use _uid
session required pam_unix.so
session optional pam_sss.so
After this I have restarted the sssd processs using the cmd service sssd restart
Then I tried the authentication with strace su - nitback1 which gave the output.which is in the attached file .
But this did not prompt me for any password it stopped at the below like
rt_sigprocmask(SIG_UNBLOCK, [ALRM TERM], NULL, 8) = 0
wait4(-1, $
Tha above trace I have take with selinux is disabled.The setting of selinux is as follows
bash-3.2# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
bash-3.2#
I'm not sure how to check for AVC denials when selinux is set to enforcing.Could you tell me how to do that.
Thanks...
On Wed, Nov 16, 2011 at 7:25 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:On Tue, Nov 15, 2011 at 05:24:08PM +0530, Nitesh Mehare wrote:> open("/etc/ld.so.cache", O_RDONLY)A A A A A = 3
> is that the output which is expected in the trace.
> Something missing in the trace which suggest any config problem???
>
> On Tue, Nov 15, 2011 at 5:22 PM, Nitesh Mehare <nitesh26@gmail.com> wrote:
>
> This is the output of strace for the user which is in ldap server.
>
> bash-3.2# strace -e open su - nitback1
> open("/lib64/libpam.so.0", O_RDONLY)A A A = 3
> open("/lib64/libpam_misc.so.0", O_RDONLY) = 3> open("/lib64/libcrypt.so.1", O_RDONLY)A = 3
> open("/lib64/libdl.so.2", O_RDONLY)A A A A = 3
> open("/lib64/libc.so.6", O_RDONLY)A A A A A = 3
> open("/lib64/libaudit.so.0", O_RDONLY)A = 3
> open("/usr/lib/locale/locale-archive", O_RDONLY) = 3> open("/etc/nsswitch.conf", O_RDONLY)A A A = 3
> open("/etc/ld.so.cache", O_RDONLY)A A A A A = 3
> open("/lib64/libnss_files.so.2", O_RDONLY) = 3> open("/etc/passwd", O_RDONLY)A A A A A A A A A A = 3
> open("/etc/ld.so.cache", O_RDONLY)A A A A A = 3
> open("/lib64/libnss_sss.so.2", O_RDONLY) = 3> open("/etc/pam.d/su-l", O_RDONLY)A A A A A A = 4
> open("/etc/pam.d/su", O_RDONLY)A A A A A A A A = 5
> open("/lib64/security/pam_rootok.so", O_RDONLY) = 6> open("/etc/ld.so.cache", O_RDONLY)A A A A A = 6
> open("/lib64/libselinux.so.1", O_RDONLY) = 6> open("/lib64/libsepol.so.1", O_RDONLY)A = 6
> open("/etc/selinux/config", O_RDONLY)A A = 6
> open("/proc/mounts", O_RDONLY)A A A A A A A A A = 6
> open("/etc/pam.d/system-auth", O_RDONLY) = 6> open("/etc/ld.so.cache", O_RDONLY)A A A A A = 7
> open("/lib64/security/pam_env.so", O_RDONLY) = 7
> open("/lib64/security/pam_unix.so", O_RDONLY) = 7
> open("/usr/lib64/libcrack.so.2", O_RDONLY) = 7> open("/lib64/libnsl.so.1", O_RDONLY)A A A = 7
> open("/lib64/security/pam_succeed_if.so", O_RDONLY) = 7So it seems pam_sss is found ^^^^
> open("/lib64/security/pam_sss.so", O_RDONLY) = 7
I have one suggestion as per the system-auth PAM config, I think the
session is not correct, authconfig configures the PAM stack like this:
---
session optional pam_keyinit.so revokesession optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uidsession required pam_unix.so
session optional pam_sss.so
---
Can you check two more things for me? Can you look if you get any AVC
denials provided SELinux is set to enforcing (or retry with setenforce 0
set for that test).
Also, can you send the whole strace output? IOW, run:
strace su - nitback1
ideally as non-root so you're prompted for password
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel