This is part #2 of my issues regarding selinux, where a restore of my filesystem was somehow not getting all of the selinux attributes correct. Fortunately, my frontpage extensions still work, and for some reason the LDAP/Kerberos setup is now broken. Further problems reveal that my LDAP and Kerberos setup for SASL is no longer working. Ugh. I spent many weeks fighting this, got it working, and now it is broken again.

I do recall that I used a manual setsebool command to disable selinux for kerberos/ldap, but I cannot recall what I did exactly. I tried:

setsebool -P kadmind_disable_trans 1
setsebool -P krb5kdc_disable_trans 1

But this apparently does not solve my issue...

Please note that I ran my LDAP testing program with selinux=0 (disabled) at boot and everything runs without errors. My LDAP program breaks only when selinux is active. Under selinux, LDAP with no authentication, with SSL, and with SSL via TLS works fine. It is now SASL that is broken.

This problem existed with FC4 with the original scripts starting the LDAP server, so I used a modified script to get SASL back to working, and this problem/issue was not resolved or revisited in bugzilla, as it supposedly was to be researched/resolved by someone.

It appears that slapd is trying to access the /etc/krb5.conf file and perhaps selinux refuses to allow it. I disabled selinux in the security-policies gui on my system, but this does not seem to have any effect.

Can anyone shed some light on this?
Anyway, here is what I ran and the audit results:

#############################
SASL auth, no encryption
#############################

ldapsearch -H ldap://ldap.cdkkt.com/ -b dc=cdkkt,dc=com
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Resource temporarily unavailable)

DEBUG VERSION
==============

ldapsearch -d 1 -H ldap://ldap.cdkkt.com/ -b dc=cdkkt,dc=com
ldap_create
ldap_url_parse_ext(ldap://ldap.cdkkt.com/)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.cdkkt.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 216.99.218.205:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 64 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldap.cdkkt.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 19 11:49:43 2005

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 46 contents:
ldap_read: message type search-entry msgid 1, original id 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldap.cdkkt.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 19 11:49:43 2005

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
 * msgid 1,  type 100
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type search-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg: 0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
adding response id 1 type 101:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind_s: server supports: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_int_sasl_open: host=sysb.cdkkt.com
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 556 bytes to sd 3
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: ldap.cdkkt.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 19 11:49:43 2005

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ber_get_next
ber_get_next: tag 0x30 len 109 contents:
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg: 0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Resource temporarily unavailable)

Results of /var/log/audit/audit.log:
====================================

type=AVC msg=audit(1135018595.351:2889): avc: denied { getattr } for pid=25974 comm="slapd" name="krb5.conf" dev=hda2 ino=1213967 scontext=root:system_r:slapd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1135018595.351:2889): arch=40000003 syscall=195 success=no exit=-13 a0=8d1d848 a1=b6011d4c a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" exe="/usr/sbin/slapd"
type=AVC_PATH msg=audit(1135018595.351:2889): path="/etc/krb5.conf"
type=CWD msg=audit(1135018595.351:2889): cwd="/root"
type=PATH msg=audit(1135018595.351:2889): item=0 name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

type=AVC msg=audit(1135018595.359:2890): avc: denied { getattr } for pid=25974 comm="slapd" name="krb5.conf" dev=hda2 ino=1213967 scontext=root:system_r:slapd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1135018595.359:2890): arch=40000003 syscall=195 success=no exit=-13 a0=8d1d848 a1=b6011d4c a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" exe="/usr/sbin/slapd"
type=AVC_PATH msg=audit(1135018595.359:2890): path="/etc/krb5.conf"
type=CWD msg=audit(1135018595.359:2890): cwd="/root"
type=PATH msg=audit(1135018595.359:2890): item=0 name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

type=AVC msg=audit(1135018595.363:2891): avc: denied { getattr } for pid=25974 comm="slapd" name="krb5.conf" dev=hda2 ino=1213967 scontext=root:system_r:slapd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1135018595.363:2891): arch=40000003 syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013cbc a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" exe="/usr/sbin/slapd"
type=AVC_PATH msg=audit(1135018595.363:2891): path="/etc/krb5.conf"
type=CWD msg=audit(1135018595.363:2891): cwd="/root"
type=PATH msg=audit(1135018595.363:2891): item=0 name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

type=AVC msg=audit(1135018595.363:2892): avc: denied { getattr } for pid=25974 comm="slapd" name="krb5.conf" dev=hda2 ino=1213967 scontext=root:system_r:slapd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1135018595.363:2892): arch=40000003 syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013cbc a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" exe="/usr/sbin/slapd"
type=AVC_PATH msg=audit(1135018595.363:2892): path="/etc/krb5.conf"
type=CWD msg=audit(1135018595.363:2892): cwd="/root"
type=PATH msg=audit(1135018595.363:2892): item=0 name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

type=AVC msg=audit(1135018595.363:2893): avc: denied { lock } for pid=25974 comm="slapd" name="ldap.keytab" dev=hda2 ino=1214046 scontext=root:system_r:slapd_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1135018595.363:2893): arch=40000003 syscall=221 success=no exit=-13 a0=e a1=e a2=b6015d34 a3=b6015d34 items=0 pid=25974 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" exe="/usr/sbin/slapd"
type=AVC_PATH msg=audit(1135018595.363:2893): path="/etc/openldap/ldap.keytab"

type=AVC msg=audit(1135018595.363:2894): avc: denied { getattr } for pid=25974 comm="slapd" name="krb5.conf" dev=hda2 ino=1213967 scontext=root:system_r:slapd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1135018595.363:2894): arch=40000003 syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013dcc a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" exe="/usr/sbin/slapd"
type=AVC_PATH msg=audit(1135018595.363:2894): path="/etc/krb5.conf"
type=CWD msg=audit(1135018595.363:2894): cwd="/root"
type=PATH msg=audit(1135018595.363:2894): item=0 name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

type=AVC msg=audit(1135018595.363:2895): avc: denied { getattr } for pid=25974 comm="slapd" name="krb5.conf" dev=hda2 ino=1213967 scontext=root:system_r:slapd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1135018595.363:2895): arch=40000003 syscall=195 success=no exit=-13 a0=8d1d848 a1=b6013dcc a2=52aff4 a3=43a70263 items=1 pid=25974 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" exe="/usr/sbin/slapd"
type=AVC_PATH msg=audit(1135018595.363:2895): path="/etc/krb5.conf"
type=CWD msg=audit(1135018595.363:2895): cwd="/root"
type=PATH msg=audit(1135018595.363:2895): item=0 name="/etc/krb5.conf" flags=1 inode=1213967 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

type=USER_AUTH msg=audit(1135018639.854:2896): user pid=3406 uid=0 auid=4294967295 msg='PAM authentication: user= exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Authentication failure)'
type=USER_AUTH msg=audit(1135018648.270:2897): user pid=3406 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER_ACCT msg=audit(1135018648.274:2898): user pid=3406 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
type=CRED_ACQ msg=audit(1135018648.302:2899): user pid=3406 uid=0 auid=4294967295 msg='PAM setcred: user=root exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER_START msg=audit(1135018648.306:2900): user pid=3406 uid=0 auid=4294967295 msg='PAM session open: user=root exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'

Kind regards,
Dan
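Added example (editor's code, not part of Dan's message): a small Python script that does the triage step one would take next with the audit.log excerpt above. It pulls the AVC records out, pairs each with its AVC_PATH record by audit serial, groups the denials by source type, target type and object class, and renders the allow rules that audit2allow would generate from them. Every denial quoted above carries scontext slapd_t, which is why booleans for the kadmind and krb5kdc domains (the two tried in the message) cannot affect them. The lock denial on /etc/openldap/ldap.keytab has the generic target type etc_t, and the script flags that group as a labeling question to check with ls -Z and matchpathcon before any policy is widened, since an allow rule against etc_t would grant slapd access to every file carrying that type. The sample records are the post's own lines with whitespace normalised; the GENERIC_TYPES list and all function names are my own choices.

```python
"""Added example: summarise SELinux AVC denials from audit.log records.

Pairs each AVC record with its AVC_PATH record via the audit serial,
groups denials by (source type, target type, class), renders the allow
rule audit2allow would emit, and flags groups whose target is a generic
type (a labeling problem to check first, not necessarily a policy gap).
"""
import re
from collections import defaultdict

# Constructed sample: three of the records quoted in the post above
# (whitespace normalised), plus a SYSCALL and a USER_AUTH record as noise.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1135018595.351:2889): avc: denied { getattr } for pid=25974 comm="slapd" name="krb5.conf" dev=hda2 ino=1213967 scontext=root:system_r:slapd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=SYSCALL msg=audit(1135018595.351:2889): arch=40000003 syscall=195 success=no exit=-13 comm="slapd" exe="/usr/sbin/slapd"
type=AVC_PATH msg=audit(1135018595.351:2889): path="/etc/krb5.conf"
type=AVC msg=audit(1135018595.363:2893): avc: denied { lock } for pid=25974 comm="slapd" name="ldap.keytab" dev=hda2 ino=1214046 scontext=root:system_r:slapd_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC_PATH msg=audit(1135018595.363:2893): path="/etc/openldap/ldap.keytab"
type=AVC msg=audit(1135018595.363:2895): avc: denied { getattr } for pid=25974 comm="slapd" name="krb5.conf" dev=hda2 ino=1213967 scontext=root:system_r:slapd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
type=AVC_PATH msg=audit(1135018595.363:2895): path="/etc/krb5.conf"
type=USER_AUTH msg=audit(1135018648.270:2897): user pid=3406 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
AVC_PATH_RE = re.compile(
    r'type=AVC_PATH msg=audit\([\d.]+:(?P<serial>\d+)\):\s+path="(?P<path>[^"]+)"'
)

# Generic target types (my own list): a denial against one of these usually
# means the file carries the wrong label, not that the domain needs a new rule.
GENERIC_TYPES = {"etc_t", "usr_t", "var_t", "file_t", "default_t", "unlabeled_t"}


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC denial, with the path from the matching AVC_PATH record."""
    denials, paths = {}, {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            denials[rec["serial"]] = rec
            continue
        m = AVC_PATH_RE.search(line)
        if m:
            paths[m.group("serial")] = m.group("path")
    for serial, rec in denials.items():
        rec["path"] = paths.get(serial)
    return list(denials.values())


def summarize(denials):
    """Group denials by (source type, target type, class); merge permissions and paths."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(), "count": 0})
    for rec in denials:
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        grp = groups[key]
        grp["perms"] |= rec["perms"]
        grp["count"] += 1
        if rec["path"]:
            grp["paths"].add(rec["path"])
    return dict(groups)


def allow_rules(summary):
    """Render each group as a policy-language allow rule (what audit2allow would emit)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(grp['perms']))} }};"
        for (src, tgt, cls), grp in sorted(summary.items())
    ]


def labeling_warnings(summary):
    """Flag groups whose target type is generic: check the file's label before adding policy."""
    return [
        f"{tgt} target for {', '.join(sorted(grp['paths']))}: verify the label with "
        f"'ls -Z' and 'matchpathcon' before allowing {src} access to all {tgt} files"
        for (src, tgt, cls), grp in sorted(summary.items()) if tgt in GENERIC_TYPES
    ]


if __name__ == "__main__":
    summary = summarize(parse_denials(SAMPLE_AUDIT_LOG))
    for (src, tgt, cls), grp in sorted(summary.items()):
        print(f"{grp['count']}x {src} -> {tgt}:{cls} {sorted(grp['perms'])} {sorted(grp['paths'])}")
    print("\n".join(allow_rules(summary)))
    print("\n".join(labeling_warnings(summary)))
```

Run against a real file with `python3 avc_summary.py < /var/log/audit/audit.log` after swapping SAMPLE_AUDIT_LOG for sys.stdin.read(); on the sample it reports two groups, the krb5_conf_t getattr denials and the etc_t lock denial, and warns only about the latter.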