Lukas Slebodnik wrote 2015-08-27 09:07:
>On (26/08/15 17:00), l(a)avc.su wrote:
>>Hi all.
>>I've enrolled linux machine into domain using this tutorial:
>>http://jhrozek.livejournal.com/3581.html
>>
>>Now I can connect to linux machine with kerberos ticket from linux machine,
>>or Windows machine. But I can't log in using password anymore.
>>Although I can obtain user info, can request TGT, and operate on this server
>>normally, I can't log in to it with pwd.
>>I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir
>>--update', so all auth should be done in SSSD. I haven't configured winbind
>>with sssd.
>>I've managed to work around it by adding to /etc/pam.d/system-auth this line:
>>auth sufficient pam_krb5.so
>>
>>But this seems like wrong way to do it. Very wrong and dirty way. Or maybe
>>I'm wrong?
>>I want to use SSSD as a service for id and auth, with AD as backend.
>>
>>
>>Here's what debug4 says:
>>...
>>[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
>Here is a problem. The error occurred on line 590 and it is really
>unexpected. The initialisation of krb5_context failed (krb5_init_context).
>
>We can also see the reason: Permission denied.
>I cannot explain why. I added krb5 experts to CC.
>
>BTW you mentioned you have disabled SELinux.
>Could you change it to permissive and try one more time?
>
>LS
Hi Lukas.
Thank you for the hint, I've found the cause.
My krb5.conf had 600 permissions. I've updated it to 644 according to this
thread:
http://comments.gmane.org/gmane.linux.redhat.sssd.user/1946
Now everything seems to work fine. I'll look through the logs more closely
later today to be sure.
I'm using SSSD v.1.12.4, on CentOS 6.7.
I don't know whether it should be noted as a bug or not, but I can file a report.
The main question is which process created krb5.conf with such
wrong permissions.
If it was caused by a command line utility, please file a bug.
LS
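
An added example, not part of the thread: a check that a file such as /etc/krb5.conf is readable by accounts other than its owner, which is what the change from 600 to 644 restored. It assumes GNU stat (as on CentOS) and looks at classic mode bits only; the function names and the optional TOP argument are illustrative.

```shell
#!/bin/sh
# Added example: report whether "other" users can reach and read a file.
# Classic mode bits only (no ACLs, no SELinux); requires GNU stat.
# Usage: check_other_readable FILE [TOP]
#   TOP (illustrative) is the directory where the upward walk stops; default "/".

last_octal_digit() {
    # Print the "other" digit of a path's octal mode, e.g. 600 -> 0, 1777 -> 7.
    mode=$(stat -c '%a' -- "$1") || return 1
    printf '%s\n' "${mode#"${mode%?}"}"
}

check_other_readable() {
    file=$1
    top=${2:-/}
    [ -f "$file" ] || { echo "not a regular file: $file"; return 2; }

    digit=$(last_octal_digit "$file") || return 2
    if [ $(( digit & 4 )) -eq 0 ]; then
        echo "not readable by others: $file"
        return 1
    fi

    # Every directory on the way up needs the search (x) bit for others.
    dir=$(cd "$(dirname -- "$file")" && pwd -P) || return 2
    top=$(cd "$top" && pwd -P) || return 2
    while :; do
        digit=$(last_octal_digit "$dir") || return 2
        if [ $(( digit & 1 )) -eq 0 ]; then
            echo "not searchable by others: $dir"
            return 1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname -- "$dir")
    done
    echo "ok: $file"
    return 0
}
```

Calling `check_other_readable /etc/krb5.conf` returns 1 and names the file for a mode of 600, and returns 0 for 644 when /etc is searchable.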