On (27/08/15 09:41), l(a)avc.su wrote:
> Lukas Slebodnik wrote 2015-08-27 09:07:
>> On (26/08/15 17:00), l(a)avc.su wrote:
>>> Hi all.
>>> I've enrolled linux machine into domain using this tutorial:
>>>
>>> http://jhrozek.livejournal.com/3581.html
>>>
>>> Now I can connect to linux machine with kerberos ticket from linux machine,
>>> or Windows machine. But I can't login using password anymore.
>>> Although I can obtain user info, can request TGT, and operate on this server
>>> ...
>>> Here's what debug4 says:
>>> ...
>>> [[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]
>> Here is a problem. The error occurred on line 590 and it is really
>> unexpected. The initialisation of krb5_context failed (krb5_init_context)
>>
>> We can also see the reason: Permission denied.
>> I cannot explain why. I added krb5 experts to CC.
>
> Hi Lukas.
> Thank you for the hint, I've found the cause.
> My krb5.conf had 600 permissions. I've updated to 644 according to this
> thread:
> http://comments.gmane.org/gmane.linux.redhat.sssd.user/1946
> Now everything seems to work fine. I'll look through the logs more closely
> later today to be sure.
>
> I'm using SSSD v.1.12.4, on CentOS 6.7.
> I don't know, should it be noted as bug or not, but I can file a report.
>
The main question is which process created krb5.conf with such
wrong permissions.
If it was caused by command line utility please file a bug.
LS

I'm afraid it was caused by me. I'm deploying this configuration with
Ansible, and set permissions explicitly. I didn't know krb5.conf should
be world-readable.
I thought since sssd crashes when sssd.conf is not in 600, it also
checks configs it relies on. Maybe, it could be a feature request?
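
An added example, not part of the thread and not SSSD code: a deploy-time check in POSIX shell for the two file modes discussed above, krb5.conf world-readable and sssd.conf exactly 600. The function names, the default paths and the extra group/world-writable check are assumptions of this example; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: permission pre-flight for the config files from this thread.
# Mode bits are inspected directly, so the result is the same when run as root.

# Print the octal permission bits of a file (GNU stat, e.g. on CentOS).
file_mode() {
    stat -c '%a' "$1"
}

# krb5.conf must be world-readable (the thread's fix was 600 -> 644).
# Rejecting group/world-writable modes is extra hardening, not from the thread.
check_krb5_conf() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 0004 )) -ne 0 ] || {
        echo "$1: mode $mode is not world-readable" >&2; return 1; }
    [ $(( 0$mode & 0022 )) -eq 0 ] || {
        echo "$1: mode $mode is group/world-writable" >&2; return 1; }
}

# sssd.conf must be exactly 600, the mode the thread says sssd insists on.
check_sssd_conf() {
    mode=$(file_mode "$1") || return 2
    [ "$mode" = "600" ] || {
        echo "$1: mode $mode, expected 600" >&2; return 1; }
}

# Check both files and report every problem; non-zero if either is wrong.
# Default paths are the conventional locations (assumption).
preflight() {
    rc=0
    check_krb5_conf "${1:-/etc/krb5.conf}" || rc=1
    check_sssd_conf "${2:-/etc/sssd/sssd.conf}" || rc=1
    return $rc
}
```

Calling `preflight` as the last step of a deployment makes a wrong mode fail the run instead of surfacing later as a password-login failure.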