#6669 Cannot login after patching on LXC Centos Container
Closed: Duplicate. Opened 7 years ago by nunohiggs.

After patching I've found that I can't log in to an IPA client service.

Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied for user nuno 4 (System error)
Feb 13 19:42:07 lxc1 sshd[1536]: Failed password for nuno from 172.16.0.10 port 54461 ssh2
Feb 13 19:42:07 lxc1 sshd[1536]: fatal: Access denied for user nuno by PAM account configuration [preauth]
Feb 13 19:43:42 lxc1 sshd[1553]: Connection closed by 172.16.3.253 [preauth]
Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.3.253 user=nuno
Feb 13 19:53:04 lxc1 sshd[1635]: pam_sss(sshd:account): Access denied for user nuno: 4 (System error)
Feb 13 19:53:04 lxc1 sshd[1632]: error: PAM: User account has expired for nuno from 172.16.3.253

Before the patching I was able to log in without any issue with this user.
Neither the user nor the password is expired, and they continue to work perfectly on other CentOS 7 systems without the patch.
This only appears on LXC systems. I've tried to install a fresh CentOS 7 on KVM and it works perfectly.

I’ve done a fresh LXC deployment, and the issue remains.

The workaround I found is to comment out the following line in /etc/pam.d/password-auth:

#account     [default=bad success=ok user_unknown=ignore] pam_sss.so

Without this line I am able to log in perfectly.

The versions on the client side are:

Centos7
python2-ipalib-4.4.0-14.el7.centos.4.noarch
sssd-ipa-1.14.0-43.el7_3.11.x86_64
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.14.0-43.el7_3.11.x86_64
ipa-common-4.4.0-14.el7.centos.4.noarch
ipa-client-common-4.4.0-14.el7.centos.4.noarch
python2-ipaclient-4.4.0-14.el7.centos.4.noarch
libipa_hbac-1.14.0-43.el7_3.11.x86_64
ipa-client-4.4.0-14.el7.centos.4.x86_64
ipa-python-compat-4.4.0-14.el7.centos.4.noarch
python-ipaddress-1.0.16-2.el7.noarch

On the IPA server:

Centos7
python-libipa_hbac-1.14.0-43.el7_3.4.x86_64
python-iniparse-0.4-9.el7.noarch
sssd-ipa-1.14.0-43.el7_3.4.x86_64
ipa-client-4.4.0-14.el7.centos.x86_64
ipa-admintools-4.4.0-14.el7.centos.noarch
ipa-server-4.4.0-14.el7.centos.x86_64
ipa-client-common-4.4.0-14.el7.centos.noarch
python-ipaddress-1.0.16-2.el7.noarch
python2-ipaclient-4.4.0-14.el7.centos.noarch
python2-ipaserver-4.4.0-14.el7.centos.noarch
python2-ipalib-4.4.0-14.el7.centos.noarch
ipa-server-common-4.4.0-14.el7.centos.noarch
ipa-server-dns-4.4.0-14.el7.centos.noarch
ipa-python-compat-4.4.0-14.el7.centos.noarch
libipa_hbac-1.14.0-43.el7_3.4.x86_64
ipa-common-4.4.0-14.el7.centos.noarch

I think it might be LXC permissions related. I am using the LXC template for CentOS 7:

lxc.cap.drop = sys_nice sys_pacct sys_rawio

Mind that the account is neither locked nor expired.
On other CentOS 7 / RHEL 7 systems I can log in without any issues.

[root@ipa2 ~]# ipa user-status nuno
-----------------------
Account disabled: False
-----------------------
  Server: ipa1
  Failed logins: 0
  Last successful authentication: 20170214150453Z
  Last failed authentication: 20170213170252Z
  Time now: 2017-02-14T15:06:21Z

  Server: ipa2
  Failed logins: 0
  Last successful authentication: 20170214150047Z
  Last failed authentication: 20170214124638Z
  Time now: 2017-02-14T15:06:23Z
----------------------------
Number of entries returned 2
----------------------------

I've also enabled sssd logging. There is no evidence of where the problem is:

(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): user: nuno@domain.com
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 68
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'nuno' matched without domain, user is nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [nuno@domain.com]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [nuno@domain.com@domain.com]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is nuno@domain.com
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.com
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): user: nuno@domain.com
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: 172.16.0.10
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: nuno
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][domain.com]
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 25
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!

Also remember that this configuration works perfectly on KVM but not on LXC.

Alexander Bokovoy instructed us to use:

[domain/...]
selinux_provider = none

So the question now is why this only popped up with this patch update.
Almost none of our container hosts (and by inheritance the containers) have SELinux enabled, since they are primarily for testing and sit on a secure network.

With this version of ipa-client, does the host have to have SELinux enabled for the container to inherit its definitions and policies?

Metadata Update from @nunohiggs:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago
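A small checker, added here as an example and not part of the ticket or of SSSD itself, that reads an sssd_pam.log excerpt like the one above (a constructed copy of its lines, with placeholder names) and flags client PIDs where SSS_PAM_AUTHENTICATE succeeded but SSS_PAM_ACCT_MGMT came back as 4 (System error). That is the signature in this report: the password is right, but the account phase cannot complete, so the condition deserves an alert rather than the workaround of dropping pam_sss from the account stack. Function and regex names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the shape of the sssd_pam.log lines quoted in the ticket,
# reduced to the lines the checker needs (domain and pid are placeholders).
SAMPLE_LOG = """\
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Feb 14 15:11:54 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][domain.com]
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Feb 14 15:11:55 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 9475
(Tue Feb 14 15:11:56 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][domain.com]
"""

CMD_RE = re.compile(r"\[pam_print_data\] \(0x[0-9a-f]+\): command: (\S+)")
PID_RE = re.compile(r"\[pam_print_data\] \(0x[0-9a-f]+\): cli_pid: (\d+)")
REPLY_RE = re.compile(r"\[pam_dp_process_reply\] \(0x[0-9a-f]+\): received: \[(\d+) \(([^)]+)\)\]")


def parse_pam_results(text):
    """Map each client pid to {command: (pam_code, pam_text)}.

    sssd prints the command and cli_pid (possibly several times, as the log
    above shows for ACCT_MGMT) before the provider reply arrives, so we keep
    the most recent command/pid and attach the next reply to that pair."""
    results = defaultdict(dict)
    command, pid = None, None
    for line in text.splitlines():
        m = CMD_RE.search(line)
        if m:
            command = m.group(1)
            continue
        m = PID_RE.search(line)
        if m:
            pid = int(m.group(1))
            continue
        m = REPLY_RE.search(line)
        if m and command and pid is not None:
            results[pid][command] = (int(m.group(1)), m.group(2))
    return dict(results)


def find_account_phase_failures(results):
    """Pids where auth returned 0 (PAM_SUCCESS) but acct_mgmt returned 4
    (PAM_SYSTEM_ERR): credentials valid, account phase broken."""
    hits = []
    for pid, cmds in sorted(results.items()):
        auth = cmds.get("SSS_PAM_AUTHENTICATE")
        acct = cmds.get("SSS_PAM_ACCT_MGMT")
        if auth and auth[0] == 0 and acct and acct[0] == 4:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print(find_account_phase_failures(parse_pam_results(SAMPLE_LOG)))
```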
