On (26/08/15 17:00), l@avc.su wrote:
Hi all.
I've enrolled a Linux machine into the domain using this tutorial:
http://jhrozek.livejournal.com/3581.html
Now I can connect to the Linux machine with a Kerberos ticket from a Linux machine
or a Windows machine, but I can't log in using a password anymore.
Although I can obtain user info, request a TGT, and operate on this server
normally, I can't log in to it with a password.
I've run 'authconfig --enablesssd --enablesssdauth --enablemkhomedir
--update', so all auth should be done in SSSD. I haven't configured winbind
with SSSD.
I've managed to work around it by adding this line to /etc/pam.d/system-auth:
auth sufficient pam_krb5.so
But this seems like the wrong way to do it. A very wrong and dirty way. Or maybe
I'm wrong?
I want to use SSSD as the service for ID and auth, with AD as the backend.
Here's what debug4 says:
[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the
PAC responder socket
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100):
SSSD_KRB5_CANONICALIZE is set to [true]
(service pings)
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request
failed [-1][2].
[[sssd[krb5_child[7974]]]] [validate_tgt] (0x0040): sss_send_pac failed,
group membership for user with principal
[ssh-username\@DOMAIN.LOCAL@DOMAIN.LOCAL] might not be correct.
The previous error messages are not critical.
We just print an error message if the PAC responder does not run.
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590:
[13][Permission
denied]
Here is the problem. The error occurred on line 590 and it is really
unexpected. The initialisation of krb5_context failed (krb5_init_context).
We can also see the reason: Permission denied.
I cannot explain why. I added the krb5 experts to CC.
BTW, you mentioned you have disabled SELinux.
Could you change it to permissive and try one more time?
LS
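A small triage script for the failure discussed in this thread, added here as an example; it is not SSSD code and not code from anyone on the list. It embeds the krb5_child lines quoted above as a constructed sample, keeps only the fatal/critical/serious messages by SSSD debug level, extracts the errno from the create_ccache failure, reports the SELinux mode (assuming getenforce is installed), and flags the pam_krb5.so workaround in a given PAM file (defaulting to /etc/pam.d/system-auth).

```shell
#!/bin/sh
# Triage helper for the krb5_child "Permission denied" failure (example code,
# not part of SSSD). Assumes: getenforce(8) may or may not exist; the PAM file
# path is optional and defaults to /etc/pam.d/system-auth.

# Constructed sample: the krb5_child lines quoted in the thread above.
SAMPLE_LOG='[[sssd[krb5_child[7974]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[[sssd[krb5_child[7974]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
[[sssd[krb5_child[7974]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
[[sssd[krb5_child[7974]]]] [create_ccache] (0x0020): 590: [13][Permission denied]'

# Keep only fatal (0x0010), critical (0x0020) and serious (0x0040) messages;
# the PAC responder warning (0x0080) and config traces (0x0100) are noise here.
krb5_child_errors() {
    printf '%s\n' "$1" | grep -E '\((0x00[1-4]0)\):'
}

# Extract the first "<line>: [<errno>][<message>]" failure, as create_ccache
# reports it. Output format: "<function> <errno> <message>".
first_ccache_failure() {
    printf '%s\n' "$1" | sed -n \
        's/.*\[\([a-z_]*\)\] (0x00[1-4]0): [0-9]*: \[\([0-9]*\)\]\[\([^]]*\)\].*/\1 \2 \3/p' \
        | head -n 1
}

# Report the SELinux mode so EACCES from krb5_init_context can be correlated
# with enforcement, as the reply asks; "unknown" where getenforce is absent.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unknown; fi
}

# Flag the workaround from the thread: with SSSD doing authentication, an
# "auth sufficient pam_krb5.so" entry in system-auth bypasses pam_sss entirely.
pam_krb5_workaround_present() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_krb5\.so' \
        "${1:-/etc/pam.d/system-auth}" 2>/dev/null
}

main() {
    echo "== krb5_child errors =="
    krb5_child_errors "$SAMPLE_LOG"
    echo "== first ccache failure: $(first_ccache_failure "$SAMPLE_LOG")"
    echo "== SELinux mode: $(selinux_mode)"
    if pam_krb5_workaround_present "$1"; then
        echo "== pam_krb5.so workaround present in ${1:-/etc/pam.d/system-auth}"
    fi
}
main "$@"
```

Run it against a real host's krb5_child log by replacing SAMPLE_LOG with the output of the relevant log file, and pass a PAM file path as the first argument to check a different file.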