Hello, I've done a fresh install of a Centos7 container and the problem was seen again. The lxc build installed the files as described within the enclosed txt file.
For versions:
# yum --showduplicates list ipa-client ipa-client-common ipa-common
python2-ipalib python2-ipaclient
Installed Packages
ipa-client.x86_64
4.4.0-14.el7.centos.4
@updates
ipa-client-common.noarch
4.4.0-14.el7.centos.4
@updates
ipa-common.noarch
4.4.0-14.el7.centos.4
@updates
python2-ipaclient.noarch
4.4.0-14.el7.centos.4
@updates
python2-ipalib.noarch
4.4.0-14.el7.centos.4
@updates
Available Packages
ipa-client.x86_64
4.4.0-12.el7.centos
base
ipa-client.x86_64
4.4.0-14.el7.centos
updates
ipa-client.x86_64
4.4.0-14.el7.centos.1.1
updates
ipa-client.x86_64
4.4.0-14.el7.centos.4
updates
ipa-client-common.noarch
4.4.0-12.el7.centos
base
ipa-client-common.noarch
4.4.0-14.el7.centos
updates
ipa-client-common.noarch
4.4.0-14.el7.centos.1.1
updates
ipa-client-common.noarch
4.4.0-14.el7.centos.4
updates
ipa-common.noarch
4.4.0-12.el7.centos
base
ipa-common.noarch
4.4.0-14.el7.centos
updates
ipa-common.noarch
4.4.0-14.el7.centos.1.1
updates
ipa-common.noarch
4.4.0-14.el7.centos.4
updates
python2-ipaclient.noarch
4.4.0-12.el7.centos
base
python2-ipaclient.noarch
4.4.0-14.el7.centos
updates
python2-ipaclient.noarch
4.4.0-14.el7.centos.1.1
updates
python2-ipaclient.noarch
4.4.0-14.el7.centos.4
updates
python2-ipalib.noarch
4.4.0-12.el7.centos
base
python2-ipalib.noarch
4.4.0-14.el7.centos
updates
python2-ipalib.noarch
4.4.0-14.el7.centos.1.1
updates
python2-ipalib.noarch
First downgrade:
# yum downgrade ipa-client ipa-client-common ipa-common python2-ipalib
python2-ipaclient
Removed:
ipa-client.x86_64 0:4.4.0-14.el7.centos.4 ipa-client-common.noarch
0:4.4.0-14.el7.centos.4 ipa-common.noarch 0:4.4.0-14.el7.centos.4
python2-ipaclient.noarch 0:4.4.0-14.el7.centos.4
python2-ipalib.noarch 0:4.4.0-14.el7.centos.4
Installed:
ipa-client.x86_64 0:4.4.0-14.el7.centos.1.1 ipa-client-common.noarch
0:4.4.0-14.el7.centos.1.1 ipa-common.noarch 0:4.4.0-14.el7.centos.1.1
python2-ipaclient.noarch 0:4.4.0-14.el7.centos.1.1
python2-ipalib.noarch 0:4.4.0-14.el7.centos.1.1
Problem still present.
Second downgrade:
Removed:
ipa-client.x86_64 0:4.4.0-14.el7.centos.1.1 ipa-client-common.noarch
0:4.4.0-14.el7.centos.1.1 ipa-common.noarch 0:4.4.0-14.el7.centos.1.1
python2-ipaclient.noarch 0:4.4.0-14.el7.centos.1.1
python2-ipalib.noarch 0:4.4.0-14.el7.centos.1.1
Installed:
ipa-client.x86_64 0:4.4.0-14.el7.centos ipa-client-common.noarch
0:4.4.0-14.el7.centos ipa-common.noarch 0:4.4.0-14.el7.centos
python2-ipaclient.noarch 0:4.4.0-14.el7.centos
python2-ipalib.noarch 0:4.4.0-14.el7.centos
Problem still present.
Third downgrade:
Removed:
ipa-client.x86_64 0:4.4.0-14.el7.centos ipa-client-common.noarch
0:4.4.0-14.el7.centos ipa-common.noarch 0:4.4.0-14.el7.centos
python2-ipaclient.noarch 0:4.4.0-14.el7.centos
python2-ipalib.noarch 0:4.4.0-14.el7.centos
Installed:
ipa-client.x86_64 0:4.4.0-12.el7.centos ipa-client-common.noarch
0:4.4.0-12.el7.centos ipa-common.noarch 0:4.4.0-12.el7.centos
python2-ipaclient.noarch 0:4.4.0-12.el7.centos
python2-ipalib.noarch 0:4.4.0-12.el7.centos
Problem still present.
There is not any downgrade available on repo to go lower.
The error is still the same. It would appear to be outside of the ipa package
range.
Feb 15 11:05:38 ipatest sshd[231]: pam_sss(sshd:auth): authentication success;
logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.6 user=nuno
Feb 15 11:05:39 ipatest sshd[231]: pam_sss(sshd:account): Access denied for
user nuno: 4 (System error)
Feb 15 11:05:39 ipatest sshd[229]: error: PAM: User account has expired for
nuno from 172.16.0.6
Feb 15 11:05:42 ipatest sshd[229]: pam_sss(sshd:auth): authentication success;
logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.6 user=nuno
Feb 15 11:05:42 ipatest sshd[229]: Failed password for nuno from 172.16.0.6
port 54450 ssh2
Feb 15 11:05:42 ipatest sshd[229]: fatal: Access denied for user nuno by PAM
account configuration [preauth]
I tried to downgrade sssd but was unable to for lack of dependencies.
Thanks.
Nuno
-----Original Message-----
From: Lukas Slebodnik [mailto:[email protected]]
Sent: quarta-feira, 15 de fevereiro de 2017 09:16
To: Nuno Higgs
Cc: [email protected]
Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container
On (14/02/17 20:06), Nuno Higgs wrote:
>Hello all,
>
>I will reproduce the issue tomorrow morning on a fresh LXC container.
>For the sestatus:
>
># sestatus
>SELinux status: disabled
>
>That isn’t surprising for the host is not se-enabled, or even a RHEL/CentOS.
>The underlining distro supports apparmor profiles.
FYI: It is not about distribution but about kernel.
>The crappy part is before we did this patch update, everything worked
>perfectly, although with SE Disabled.
>
>I will keep you posted on the LXC test
>
It would be good to find out which package/update broke it.
LS
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
