KB-26876: What is the Expected .k5login Security Context?

Authentication Service

4 February,20 at 11:17 PM

Question: What is the expected .k5login security context?

Answer: The expected .k5login security context should be:

 
[tetsu@test-cent76-64 ~]$ ls -lZ .k5login
-rw-------. tetsu adusers unconfined_u:object_r:krb5_home_t:s0 .k5login

To test if the security context could be the issue:
  1. Run ls -lZ .k5login in the user's home directory on the system. If the output does not match the above, then chances are the security context is wrong.
  2. Look in audit.log file; an example of a bad security context is:
      type=AVC msg=audit(1580135645.525:34549): avc:  denied  { read } for  pid=78601 comm="sshd" name=".k5login" dev="dm-2" ino=134427554 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0

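The key in that message is the AVC denial: sshd (source context sshd_t) was denied read access to .k5login, whose target context is default_t instead of the expected krb5_home_t.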
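
The audit.log check in step 2 can be scripted. The following is an added example, not part of the original article or any Centrify tooling; the function names k5login_denials and sample_audit_log are assumptions, and of the sample records the first is the one quoted above while the other two are constructed.

```shell
#!/bin/sh
# Added example: list AVC denials on .k5login and flag a wrong target type.
EXPECTED_TYPE="krb5_home_t"   # type shown in the ls -lZ output above

# Reads audit records on stdin. Prints one line per .k5login denial:
#   comm=<process> type=<tcontext type> verdict=<ok|mislabeled>
k5login_denials() {
    awk -v want="$EXPECTED_TYPE" '
    /type=AVC/ && /denied/ && /name="\.k5login"/ {
        comm = ""; tctx = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
        }
        # A context is user:role:type:level, so the type is field 3.
        split(tctx, part, ":")
        verdict = (part[3] == want) ? "ok" : "mislabeled"
        printf "comm=%s type=%s verdict=%s\n", comm, part[3], verdict
    }'
}

# Sample input: record 1 is from the article, records 2 and 3 are constructed.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1580135645.525:34549): avc:  denied  { read } for  pid=78601 comm="sshd" name=".k5login" dev="dm-2" ino=134427554 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580135650.100:34560): avc:  denied  { write } for  pid=78700 comm="httpd" name="app.log" dev="dm-2" ino=1000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580135660.200:34570): avc:  denied  { read } for  pid=78800 comm="sshd" name=".k5login" dev="dm-2" ino=2000 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# On a real system, feed the audit log instead of the sample, for example:
#   k5login_denials < /var/log/audit/audit.log
sample_audit_log | k5login_denials
```

Every record reported as mislabeled names a .k5login file whose type differs from the krb5_home_t shown in the expected ls -lZ output.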

One way to work around or test this is to set SELinux to permissive mode and then test the login. To set SELinux to permissive:

setenforce permissive

And to check the current SELinux mode:

getenforce

This should return Permissive if SELinux is no longer enforcing.
