On (27/08/15 09:41), l@avc.su wrote:
Lukas Slebodnik wrote 2015-08-27 09:07:
On (26/08/15 17:00), l@avc.su wrote:
Hi all. I've enrolled linux machine into domain using this tutorial: http://jhrozek.livejournal.com/3581.html
Now I can connect to linux machine with kerberos ticket from linux machine, or Windows machine. But I can't login using password anymore. Although I can obtain user info, can request TGT, and operate on this server normally, I can't login to it with pwd. I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir --update', so all auth should be done in SSSD. I haven't configured winbind with sssd. I've managed to work around it by adding to /etc/pam.d/system-auth this line: auth sufficient pam_krb5.so
But this seems like the wrong way to do it. Very wrong and dirty way. Or maybe I'm wrong? I want to use SSSD as a service for id and auth, with AD as backend.
Here's what debug4 says: ... [[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
Here is a problem. The error occurred on line 590 and it is really unexpected. The initialisation of krb5_context failed (krb5_init_context).
We can also see the reason: Permission denied. I cannot explain why. I added krb5 experts to CC.
BTW you mentioned you have disabled SELinux. Could you change it to permissive and try one more time?
LS
Hi Lukas. Thank you for the hint, I've found the cause. My krb5.conf had 600 permissions. I've updated to 644 according to this thread: http://comments.gmane.org/gmane.linux.redhat.sssd.user/1946 Now everything seems to work fine. I'll look through the logs more closely later today to be sure.
I'm using SSSD v.1.12.4, on CentOS 6.7. I don't know whether it should be noted as a bug or not, but I can file a report.
The main question is which process created krb5.conf with such wrong permissions.
If it was caused by a command line utility, please file a bug.
LS
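
A check for the condition found in this thread (krb5.conf at mode 600, fixed by setting 644), as an added example that is not part of the original messages. The function name `check_krb5_conf_mode` and its return codes are assumptions made for illustration; it also flags group/other-writable modes, which goes beyond the case discussed above.

```shell
#!/bin/sh
# Added example: audit the permission bits of a Kerberos client config file.
# Return codes (chosen for this example):
#   0  readable by "other" and not writable by group/other (e.g. 644)
#   1  not readable by "other" (e.g. 600, the case in this thread)
#   2  writable by group or other (any local user could redirect the KDC)
#   3  file missing
check_krb5_conf_mode() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "MISSING    $conf"
        return 3
    fi
    # ls -ldL follows symlinks and prints a mode string such as "-rw-r--r--";
    # cut to 10 characters so a trailing ACL/SELinux marker ("+", ".") is ignored.
    mode=$(ls -ldL "$conf" | cut -c1-10)
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_r=$(printf '%s' "$mode" | cut -c8)
    other_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
        echo "WRITABLE   $conf ($mode): remove group/other write access"
        return 2
    fi
    if [ "$other_r" != "r" ]; then
        echo "UNREADABLE $conf ($mode): unprivileged processes cannot read it"
        return 1
    fi
    echo "OK         $conf ($mode)"
    return 0
}

# When a path is given on the command line, audit it (e.g. /etc/krb5.conf).
if [ $# -gt 0 ]; then
    check_krb5_conf_mode "$1"
fi
```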