Console login problems

Console login problems

[Norman Elton]

[-- Attachment #1: Type: text/plain, Size: 1506 bytes --]

I have installed RHEL5 on a test system. Local accounts (such as root) can
login without a problem. Accounts stored in an LDAP/Kerberos database
experience unpredictable behavior. They can occassionally login. More often
than not, once they hit a bash prompt, they are immediately kicked back to
the login prompt. It's like bash is crashing.

In my /var/log/secure, I see the following...

May 15 15:57:00 localhost login: pam_unix(login:auth): authentication
failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser
May 15 15:57:00 localhost login: pam_krb5[3659]: authentication succeeds for
'testuser' (testuser@KRBDOMAIN)
May 15 15:57:00 localhost login: pam_unix(login:session): session opened for
user testuser by LOGIN(uid=0)
May 15 15:57:00 localhost login: pam_selinux(login:session): Warning!  Could
not get new context for /dev/tty1, not relabeling: Invalid argument
May 15 15:57:00 localhost login: pam_selinux(login:session): usercon=(null),
prev_context=system_u:object_r:tty_device_t
May 15 15:57:00 localhost login: LOGIN ON tty1 BY testuser
May 15 15:57:00 rheltest login: pam_unix(login:session): session closed for
user testuser

Here's the bizarre part... even if I completely disable selinux and reboot,
I still get the same warning message and the symptoms reoccur.

I would think disabling selinux would make the sympton go away if it were
indeed an selinux problem.

This is only happening to LDAP/Kerberos users, and not every time. Any
thoughts?

Thanks,

Norman

[-- Attachment #2: Type: text/html, Size: 1601 bytes --]

Re: Console login problems

[Daniel J Walsh]

Norman Elton wrote:
> I have installed RHEL5 on a test system. Local accounts (such as root) 
> can login without a problem. Accounts stored in an LDAP/Kerberos 
> database experience unpredictable behavior. They can occassionally 
> login. More often than not, once they hit a bash prompt, they are 
> immediately kicked back to the login prompt. It's like bash is crashing.
>
> In my /var/log/secure, I see the following...
>
> May 15 15:57:00 localhost login: pam_unix(login:auth): authentication 
> failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser
> May 15 15:57:00 localhost login: pam_krb5[3659]: authentication 
> succeeds for 'testuser' ( testuser@KRBDOMAIN)
> May 15 15:57:00 localhost login: pam_unix(login:session): session 
> opened for user testuser by LOGIN(uid=0)
> May 15 15:57:00 localhost login: pam_selinux(login:session): Warning!  
> Could not get new context for /dev/tty1, not relabeling: Invalid argument
> May 15 15:57:00 localhost login: pam_selinux(login:session): 
> usercon=(null), prev_context=system_u:object_r:tty_device_t
> May 15 15:57:00 localhost login: LOGIN ON tty1 BY testuser
> May 15 15:57:00 rheltest login: pam_unix(login:session): session 
> closed for user testuser
>
> Here's the bizarre part... even if I completely disable selinux and 
> reboot, I still get the same warning message and the symptoms reoccur.
>
> I would think disabling selinux would make the sympton go away if it 
> were indeed an selinux problem.
>
> This is only happening to LDAP/Kerberos users, and not every time. Any 
> thoughts?
>
> Thanks,
>
> Norman
Report a bugzilla, and the pam maintainer will look at it.  I have no 
idea what is going on.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Console login problems

[Norman Elton]

[-- Attachment #1: Type: text/plain, Size: 2104 bytes --]

I have tested this with a local user with a kerberos password (ruling out
LDAP issues). Continue to have the problem. A local user with a local
password does not have a problem.

The only line in the KDC logs is:

AS_REQ (7 etypes {18 17 16 23 1 3 2}) 128.239.18.20: ISSUE: authtime
1179338559, etypes {rep=16 tkt=16 ses=16}, testuser@KRBDOMAIN for
krbtgt/KRBDOMAIN@KRBDOMAIN

This seems normal.

Any other thoughts? What would cause kerberos to kill a session?

Thanks

Norman

On 5/15/07, Norman Elton <normelton@gmail.com> wrote:
>
> I have installed RHEL5 on a test system. Local accounts (such as root) can
> login without a problem. Accounts stored in an LDAP/Kerberos database
> experience unpredictable behavior. They can occassionally login. More often
> than not, once they hit a bash prompt, they are immediately kicked back to
> the login prompt. It's like bash is crashing.
>
> In my /var/log/secure, I see the following...
>
> May 15 15:57:00 localhost login: pam_unix(login:auth): authentication
> failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser
> May 15 15:57:00 localhost login: pam_krb5[3659]: authentication succeeds
> for 'testuser' ( testuser@KRBDOMAIN)
> May 15 15:57:00 localhost login: pam_unix(login:session): session opened
> for user testuser by LOGIN(uid=0)
> May 15 15:57:00 localhost login: pam_selinux(login:session): Warning!
> Could not get new context for /dev/tty1, not relabeling: Invalid argument
> May 15 15:57:00 localhost login: pam_selinux(login:session):
> usercon=(null), prev_context=system_u:object_r:tty_device_t
> May 15 15:57:00 localhost login: LOGIN ON tty1 BY testuser
> May 15 15:57:00 rheltest login: pam_unix(login:session): session closed
> for user testuser
>
> Here's the bizarre part... even if I completely disable selinux and
> reboot, I still get the same warning message and the symptoms reoccur.
>
> I would think disabling selinux would make the sympton go away if it were
> indeed an selinux problem.
>
> This is only happening to LDAP/Kerberos users, and not every time. Any
> thoughts?
>
> Thanks,
>
> Norman
>

[-- Attachment #2: Type: text/html, Size: 2507 bytes --]