Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-26876: What is the Expected .k5login Security Context?

Authentication Service ,  

4 February,20 at 11:17 PM

Question: What is the expected .k5login security context?

Answer: The expected .k5login security context should be:
  
[tetsu@test-cent76-64 ~]$ ls -lZ .k5login
-rw-------. tetsu adusers unconfined_u:object_r:krb5_home_t:s0 .k5login

To test if the security context could be the issue:
  1. Run ls -lZ .k5login on the system, if it does not match as above, then chances are the security context is wrong (You need to run that ls -lZ .k5login in the users home directory).
  2. Look in audit.log file; an example of a bad security context is:
      type=AVC msg=audit(1580135645.525:34549): avc:  denied  { read } for  pid=78601 comm="sshd" name=".k5login" dev="dm-2" ino=134427554 
      scontext=system_u:system_r:sshd_t:s0- s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0

The key in that message is an AVC denial.

A way to get around/test is to set SELinux to permissive and then test the login. To set SELinux to permissive:

setenforce permissive

And to check the policy:

getenforce

This should return Permissive if SELinux is not enabled.

Related Articles

 article[Security Corner] Centrify and the Microsoft Enhanced Security Administrative Environment (1/3) articleKB-16388: What are the recommend settings for SSO regarding .k5login file in an environment where home directories are NFS mounted? articleKB-3925: How to add Centrify parameter to a group policy article[Security Corner] The Sarbanes-Oxley Act and Centrify Server Suite article[Security Corner] Reviewing your Access and Privilege Management Model with Centrify tools (2/4) articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-10414: What is the expected behavior for deactivating Mac machine? articleKB-7069: SAP GUI SSO does not work when time zone redirection GP is enabled articleMistakes to avoid when using privilege elevation