On (26/08/15 17:00), l@avc.su wrote:
> Hi all. I've enrolled a Linux machine into the domain using this tutorial: http://jhrozek.livejournal.com/3581.html
> Now I can connect to the Linux machine with a Kerberos ticket from a Linux machine or a Windows machine. But I can't log in using a password anymore. Although I can obtain user info, can request a TGT, and operate on this server normally, I can't log in to it with a pwd. I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir --update', so all auth should be done in SSSD. I haven't configured winbind with sssd. I've managed to work around it by adding this line to /etc/pam.d/system-auth: auth sufficient pam_krb5.so
> But this seems like the wrong way to do it. A very wrong and dirty way. Or maybe I'm wrong? I want to use SSSD as a service for id and auth, with AD as the backend.
> Here's what debug4 says:
> [[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> [[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> [[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> [[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (service pings)
> [[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
> [[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ssh-username@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
Previous error messages are not critical. We just print an error message if pac responder does not run.
> [[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
Here is the problem. The error occurred on line 590 and it is really unexpected. The initialisation of krb5_context failed (krb5_init_context).
We can also see the reason: Permission denied. I cannot explain why. I added krb5 experts to CC.
BTW you mentioned you have disabled SELinux. Could you change it to permissive and try one more time?
LS
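The triage the reply does by hand (PAC responder errors are noise, a create_ccache failure with errno 13 is the real fault) can be applied to krb5_child debug output automatically. This is an added example, not code from the thread or from the sssd project; the sample log is the krb5_child output quoted above, and the debug-level names are taken from sssd's SSSDBG_* definitions.

```python
import re
from typing import Iterable, Optional

# Shape of one krb5_child debug line: [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Trailing "[errno][strerror]" pair as printed by create_ccache, e.g. "590: [13][Permission denied]"
ERRNO_RE = re.compile(r"\[(?P<errno>\d+)\]\[(?P<text>[^\]]+)\]\s*$")
# sssd debug-level bits for the failure classes seen in this thread (SSSDBG_* in sssd's debug.h)
LEVEL_NAMES = {0x0010: "fatal", 0x0020: "critical", 0x0040: "op-failure", 0x0080: "minor"}
# Functions whose failures only mean the PAC responder is not running (non-critical per the reply)
PAC_ONLY = {"privileged_krb5_setup", "sss_send_pac", "validate_tgt"}


def parse_line(line: str) -> Optional[dict]:
    """Split one krb5_child log line into pid, func, numeric level, msg and errno (if any)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["level"] = int(entry["level"], 16)
    e = ERRNO_RE.search(entry["msg"])
    entry["errno"] = int(e["errno"]) if e else None
    return entry


def triage(lines: Iterable[str]) -> list:
    """Return (verdict, func, msg) for each failure-class line; config/trace chatter is skipped."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["level"] > 0x0080:
            continue  # 0x0100 and above are settings/trace messages, not failures
        if entry["func"] in PAC_ONLY:
            verdict = "non-critical (PAC responder not running)"
        elif entry["func"] == "create_ccache" and entry["errno"] == 13:
            verdict = "critical: EACCES in create_ccache (check SELinux mode and ccache path permissions)"
        else:
            verdict = f"{LEVEL_NAMES.get(entry['level'], 'unknown')} failure"
        out.append((verdict, entry["func"], entry["msg"]))
    return out


# Sample input: the krb5_child lines quoted in this thread
SAMPLE_LOG = """[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [ssh-username@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]"""

if __name__ == "__main__":
    for verdict, func, msg in triage(SAMPLE_LOG.splitlines()):
        print(f"{verdict:<60} {func}: {msg}")
```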