Lukas Slebodnik wrote 2015-08-27 09:07:
On (26/08/15 17:00), l(a)avc.su wrote:
> Hi all.
> I've enrolled linux machine into domain using this tutorial:
>
> http://jhrozek.livejournal.com/3581.html
>
> Now I can connect to linux machine with kerberos ticket from linux machine,
> or Windows machine. But I can't login using password anymore.
> Although I can obtain user info, can request TGT, and operate on this server
> normally, I can't login to it with pwd.
> I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir
> --update', so all auth should be done in SSSD. I haven't configured winbind
> with sssd.
> I've managed to work around it by adding to /etc/pam.d/system-auth this line:
> auth sufficient pam_krb5.so
>
> But this seems like wrong way to do it. Very wrong and dirty way. Or maybe
> I'm wrong?
> I want to use SSSD as a service for id and auth, with AD as backend.
>
>
> Here's what debug4 says:
> ...
> [[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
Here is a problem. The error occurred on line 590 and it is really
unexpected. The initialisation of krb5_context failed (krb5_init_context).
We can also see the reason: Permission denied.
I cannot explain why. I added krb5 experts to CC.
BTW you mentioned you have disabled SELinux.
Could you change it to permissive and try one more time?
LS

Hi Lukas.
Thank you for the hint, I've found the cause.
My krb5.conf had 600 permissions. I've updated it to 644 according to this
thread:
http://comments.gmane.org/gmane.linux.redhat.sssd.user/1946
Now everything seems to work fine. I'll look through the logs more
closely later today to be sure.
I'm using SSSD v.1.12.4, on CentOS 6.7.
I don't know whether it should be noted as a bug or not, but I can file a report.
Thank you :)
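
The cause found in this thread (a krb5.conf with mode 600) can be checked for directly. The shell function below is an added example, not part of the original messages or of SSSD; the name `check_world_readable` is hypothetical, and it assumes the process reading the file runs unprivileged and that only the classic "other" mode bits matter (ACLs and SELinux are not inspected).

```shell
#!/bin/sh
# Added example: report why an unprivileged process could not read a config
# file such as /etc/krb5.conf. It inspects mode bits instead of trying to
# open the file, so it gives the same answer when run as root.
# Usage: check_world_readable /etc/krb5.conf

# other_bit PATH POS -> character at position POS of the ls -ld mode string
other_bit() {
    ls -ld -- "$1" | cut -c"$2"
}

# check_world_readable FILE
# Prints one line per problem found; returns 0 if none, 1 otherwise.
check_world_readable() {
    file=$1
    rc=0
    if [ ! -e "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # Character 8 of e.g. "-rw-r--r--" is the read bit for "other".
    if [ "$(other_bit "$file" 8)" != "r" ]; then
        echo "not world-readable: $file"
        rc=1
    fi
    # Every parent directory needs the search (x) bit for "other";
    # "t" is x plus the sticky bit, as on /tmp.
    dir=$(dirname "$file")
    while :; do
        case $(other_bit "$dir" 10) in
            x|t) ;;
            *) echo "not traversable: $dir"; rc=1 ;;
        esac
        [ "$dir" = "/" ] && break
        [ "$dir" = "." ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}
```
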