Lukas Slebodnik wrote 2015-08-27 10:20:
On (27/08/15 09:41), l@avc.su wrote:
Lukas Slebodnik wrote 2015-08-27 09:07:
On (26/08/15 17:00), l@avc.su wrote:
Hi all. I've enrolled linux machine into domain using this tutorial: http://jhrozek.livejournal.com/3581.html
Now I can connect to linux machine with kerberos ticket from linux machine, or Windows machine. But I can't login using password anymore. Although I can obtain user info, can request TGT, and operate on this server ... Here's what debug4 says: ... [[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
Here is a problem. The error occurred on line 590 and it is really unexpected. The initialisation of krb5_context failed (krb5_init_context).
We can also see the reason: Permission denied. I cannot explain why. I added krb5 experts to CC.
Hi Lukas. Thank you for the hint, I've found the cause. My krb5.conf had 600 permissions. I've updated it to 644 according to this thread: http://comments.gmane.org/gmane.linux.redhat.sssd.user/1946 Now everything seems to work fine. I'll look through the logs more closely later today to be sure.
I'm using SSSD v.1.12.4, on CentOS 6.7. I don't know whether it should be noted as a bug or not, but I can file a report.
The main question is which process created krb5.conf with such wrong permissions.
If it was caused by a command line utility, please file a bug.
LS
I'm afraid it was caused by me. I'm deploying this configuration with Ansible, and set the permissions explicitly. I didn't know krb5.conf should be world-readable. I thought that since sssd crashes when sssd.conf is not in 600, it also checks the configs it relies on. Maybe it could be a feature request?
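
An added example, not part of the thread or of SSSD: a shell check for the two file modes discussed above (krb5.conf readable by everyone, sssd.conf restricted to 600). The default paths, the root-owner check, the `KRB5_CONF`/`SSSD_CONF` overrides and GNU `stat -c` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the modes of the two files discussed.
# Assumes GNU stat (stat -c), as shipped on CentOS.

# Print the octal permission bits of a file, e.g. 644.
file_mode() { stat -c '%a' "$1" 2>/dev/null; }

# krb5.conf: per the thread, mode 600 broke password logins and 644 fixed them,
# so require the "other" read bit; also reject a world-writable file.
# Returns 0 = ok, 1 = bad mode, 2 = file missing.
check_krb5_conf() {
    mode=$(file_mode "$1") || return 2
    other=${mode#"${mode%?}"}             # last octal digit = "other" bits
    [ $((other & 4)) -ne 0 ] || return 1  # not world-readable
    [ $((other & 2)) -eq 0 ] || return 1  # world-writable
    return 0
}

# sssd.conf: the thread notes sssd rejects anything but 600. The owner check
# (uid 0 unless a second argument is given) is an assumption of this example.
check_sssd_conf() {
    mode=$(file_mode "$1") || return 2
    owner=$(stat -c '%u' "$1" 2>/dev/null) || return 2
    [ "$mode" = 600 ] || return 1
    [ "$owner" = "${2:-0}" ] || return 1
    return 0
}

# Check both files; the default paths are assumed and can be overridden
# through the hypothetical KRB5_CONF / SSSD_CONF environment variables.
audit() {
    status=0
    check_krb5_conf "${KRB5_CONF:-/etc/krb5.conf}" \
        || { echo "krb5.conf: must be world-readable, not world-writable (e.g. 644)"; status=1; }
    check_sssd_conf "${SSSD_CONF:-/etc/sssd/sssd.conf}" \
        || { echo "sssd.conf: must be mode 600 and owned by root"; status=1; }
    return "$status"
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Running the same check as a post-deploy step of the configuration management run would flag a krb5.conf pushed with mode 600 before users hit the login failure.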