[Pkg-sssd-devel] Bug#633095: Acknowledgement (sssd: fails to authenticate against AD and produces a "system error")
Moritz Roehrich
moritzr at pool.math.tu-berlin.de
Fri Feb 10 07:47:14 UTC 2017
Hi, Wolfgang
I have had the same error and digging deeper into it revealed that there
was a problem with the way sssd handles kerberos caches if you have
configured kerberos to use per-user cache directories instead of files
or keyrings.
The reason the kerberos caches break is that sssd creates the
directories without the execute bit set. Kinit does not have this
problem since it creates the cache directory correctly.
You will find the setting I am talking about in the krb5.conf:
default_ccache_name = DIR:/tmp/%{uid}_krb5cc
Changing it to "FILE:/tmp/%{uid}_krb5cc" will work, but it is not a nice
solution to this problem.
For reference: This is the patch that broke my setup:
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=ae627e216689b0a5834f36aaaa007ed584ef033d
Looking into your cache location (/tmp in my case) you will see something like:
drw------- 2 motesta stud 4096 Feb 10 08:17 15149_krb5cc
instead of:
drwx------ 2 motesta stud 4096 Feb 10 08:17 15149_krb5cc
Since I need to use per-user cache directories, I solved this by
patching sssd.
Sincerely,
Moritz
-------------- next part --------------
# sssd.conf as attached to Bug#633095 (pool.math.tu-berlin.de setup).
# Read by sssd; keys and values are unchanged, spacing normalised to "key = value".
[sssd]
config_file_version = 2
# responders started by the sssd monitor
services = nss,pam,autofs
domains = default

[nss]

[pam]

# Single domain: identities come from LDAP, passwords are checked via Kerberos.
[domain/default]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

# Kerberos realm, primary KDC and fallback KDC
krb5_realm = POOL.MATH.TU-BERLIN.DE
krb5_server = kdc1-pool.math.tu-berlin.de
krb5_backup_server = kdc2-pool.math.tu-berlin.de
# NOTE(review): False skips verifying the obtained TGT against the host
# keytab, so a PAM login is not protected against a spoofed KDC; worth
# enabling once a host principal exists in the keytab sssd uses.
krb5_validate = False
# ticket lifetime and renewable lifetime, one day each
krb5_renewable_lifetime = 1d
krb5_lifetime = 1d
krb5_kpasswd = kdc1-pool.math.tu-berlin.de

# LDAP directory: plain ldap:// on 389 with a SASL/GSSAPI bind.
# NOTE(review): no TLS is configured here, so confidentiality of directory
# traffic rests on the GSSAPI security layer; confirm a minimum SSF is
# enforced (ldap_sasl_minssf and/or the server side).
ldap_uri = ldap://ldap1-pool.math.tu-berlin.de:389
ldap_backup_uri = ldap://ldap2-pool.math.tu-berlin.de:389
ldap_search_base = dc=pool,dc=math,dc=tu-berlin,dc=de
ldap_sasl_mech = gssapi

# Only servers should be able to enumerate (list all) accounts
enumerate = true

# Access control from LDAP:
# unixPoolAccountLocked: true => the account may not log in
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = rhds
ldap_ns_account_lock = unixPoolAccountLocked

debug_level = 3

# autofs maps stored as NIS-style map objects in LDAP
autofs_provider = ldap
ldap_autofs_search_base = ou=Autofs,dc=pool,dc=math,dc=tu-berlin,dc=de
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry

[autofs]
-------------- next part --------------
# krb5.conf excerpt as attached to Bug#633095 (MIT krb5 profile format).
[libdefaults]
default_realm = POOL.MATH.TU-BERLIN.DE
# every initial ticket is requested forwardable, i.e. delegable to remote
# hosts -- presumably intended for ssh/GSSAPI delegation, confirm
forwardable = true
# per-user DIR: credential cache below /tmp; this is the setting the message
# above refers to: sssd created the directory without the execute bit
# (drw-------), which made the cache unusable, while FILE: avoided the problem
default_ccache_name = DIR:/tmp/%{uid}_krb5cc
[realms]
# two KDCs plus the admin (kadmin) server for the local realm
POOL.MATH.TU-BERLIN.DE = {
kdc = kdc1-pool.math.tu-berlin.de
kdc = kdc2-pool.math.tu-berlin.de
admin_server = kdc1-pool.math.tu-berlin.de
}
# NOTE(review): the realm name ends in "DER" while its KDCs live under
# math.tu-berlin.de -- likely a typo for MATH.TU-BERLIN.DE; as written this
# stanza only applies to the literal realm name "MATH.TU-BERLIN.DER". Confirm.
MATH.TU-BERLIN.DER = {
kdc = kdc1.math.tu-berlin.de
kdc = kdc2.math.tu-berlin.de
admin_server = kdc1.math.tu-berlin.de
}
# parent university realm
TU-BERLIN.DE = {
kdc = kerberos-1.tu-berlin.de
kdc = kerberos-2.tu-berlin.de
admin_server = kerberos-1.tu-berlin.de
}