On (27/08/15 08:29), Simo Sorce wrote:
On Thu, 2015-08-27 at 08:07 +0200, Lukas Slebodnik wrote:
> On (26/08/15 17:00), l(a)avc.su wrote:
> >Hi all.
> >I've enrolled linux machine into domain using this tutorial:
> >http://jhrozek.livejournal.com/3581.html
> >
> >Now I can connect to linux machine with kerberos ticket from linux machine,
> >or Windows machine. But I can't login using password anymore.
> >Although I can obtain user info, can request TGT, and operate on this server
> >normally, I can't login to it with pwd.
> >I've ran 'authconfig --enablesssd --enablesssdauth --enablemkhomedir
> >--update', so all auth should be done in SSSD. I haven't configured winbind
> >with sssd.
> >I've managed to workaround it by adding to /etc/pam.d/system-auth this line:
> >auth sufficient pam_krb5.so
> >
> >But this seems like wrong way to do it. Very wrong and dirty way. Or maybe
> >I'm wrong?
> >I want to use SSSD as a service for id and auth, with AD as backend.
> >
> >
> >Here's what debug4 says:
> >[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the
> >PAC responder socket
> >[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read
> >[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> >[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read
> >[SSSD_KRB5_LIFETIME] from environment.
> >[[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100):
> >SSSD_KRB5_CANONICALIZE is set to [true]
> >(service pings)
> >[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request
> >failed [-1][2].
> >[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed,
> >group membership for user with principal
> >[ssh-username\@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
> Previous error messages are not critical.
> We just print an error message if pac responder does not run.
>
> >[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission
> >denied]
> Here is a problem. The error occurred on line 590 and it is really
> unexpected. The initialisation of krb5_context failed (krb5_init_context)
>
> We can also see the reason: Permission denied.
> I cannot explain why. I added krb5 experts to CC.
No access to krb5.conf ?
Yes, see
https://lists.fedorahosted.org/pipermail/sssd-users/2015-August/003393.html
:-)
LS
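Added example, not code from the thread or from SSSD itself: a small triage helper that parses krb5_child debug lines of the shape quoted above, separates the fatal/critical entries from the PAC responder messages Lukas calls non-critical, and applies a plain POSIX mode-bit check so you can tell whether the uid krb5_child runs as could read a file with krb5.conf's permissions (the cause Simo points at). The sample log lines are constructed to mirror the quoted output; the debug level bit meanings are those documented for the debug_level option in sssd.conf.

```python
import re
import stat

# Constructed sample, modelled on the krb5_child debug output quoted in the thread.
SAMPLE_LOG = """\
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
"""

# Line shape: [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# SSSD reports errors as [errno][strerror], e.g. [13][Permission denied]
ERRNO_RE = re.compile(r"\[(-?\d+)\]\[([^\]]+)\]")
# debug_level bits (sssd.conf): 0x0010 fatal, 0x0020 critical, 0x0040 serious,
# 0x0080 minor, 0x0100 configuration. The PAC responder lines are 0x0040/0x0080.
FATAL_OR_CRITICAL = 0x0010 | 0x0020

def parse_krb5_child_log(text):
    """Parse krb5_child debug lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["level"] = int(e["level"], 16)
        err = ERRNO_RE.search(e["msg"])
        e["errno"] = int(err.group(1)) if err else None
        e["strerror"] = err.group(2) if err else None
        entries.append(e)
    return entries

def critical_errors(entries):
    """Keep only the fatal/critical entries worth acting on."""
    return [e for e in entries if e["level"] & FATAL_OR_CRITICAL]

def user_can_read(mode, owner_uid, owner_gid, uid, gid, groups=()):
    """Plain POSIX mode-bit read check (no ACLs/SELinux), evaluated the way the
    kernel does: owner class if uid matches, else group class, else other."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == owner_gid or owner_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)
```

Feed `user_can_read` the `st_mode`, `st_uid` and `st_gid` from `os.stat("/etc/krb5.conf")` together with the uid/gid of the logging-in user to reproduce the check locally; a `False` result with errno 13 in `create_ccache` matches the failure discussed in this thread.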