[Pkg-sssd-devel] Bug#857362: sssd: Authentication fails with System Error 4

Moritz Roehrich moritzr at pool.math.tu-berlin.de
Fri Mar 10 14:08:06 UTC 2017


Package: sssd
Version: 1.11.7-3
Severity: important
Tags: upstream

Dear Maintainer,

I am using Kerberos, LDAP and sssd to authenticate user logins on my computers.
The current sssd version with jessie (1.11.7-3) works fine, however the version
supplied with stretch (1.15.0-3) does not. Neither on stretch nor on jessie. Or
any other version above 1.14.0.
I have configured Kerberos to use a directory as cache:

  [...]
  [libdefaults]
    default_ccache_name = DIR:/tmp/%{uid}_krb5cc
  [...]

Upon requesting a ticket with kinit everything is ok. However, if I log in with a
user that has not held a ticket before on that particular machine, I receive
"authentication failed", and digging deeper into the system logs revealed that
there is a problem in the sssd_krb5_child: it creates the specified cache
directory without executable permissions and therefore cannot access it to
store the ticket.
There is this discussion from the mailing list when the change was made:
https://lists.fedorahosted.org/pipermail/sssd-devel/2015-October/025313.html
However somehow the problem persists.
When looking at the directory created by sssd, I see

  drw-------  2 moritzr  wheel 4.0K Mar 10 14:25 7193_krb5cc

when there should be

  drwx------  2 moritzr  wheel 4.0K Mar 10 14:25 7193_krb5cc

as is the case with said older versions of sssd or a direct call to kinit.
Reverting the changes made to the umask in version 1.14.0 resolves the
problem.

I hope I have explained the problem clearly enough. If you need more information,
I can set up a 'broken' system again and tell you.



-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sssd depends on:
ii  python-sss   1.11.7-3
ii  sssd-ad      1.11.7-3
ii  sssd-common  1.11.7-3
ii  sssd-ipa     1.11.7-3
ii  sssd-krb5    1.11.7-3
ii  sssd-ldap    1.11.7-3
ii  sssd-proxy   1.11.7-3

sssd recommends no packages.

sssd suggests no packages.

-- no debconf information
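
An added illustration, not part of the original report and not sssd code, of the symptom described above: a process umask chosen for private files strips the owner's search bit from a directory created with mode 0700, giving `drw-------` instead of `drwx------`. The umask values 0177 and 0077, the scratch path and the function names are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a DIR:-style cache directory with mkdir(0700) under the given
 * umask and return its permission bits (-1 on error). Works in a private
 * scratch directory and cleans up after itself. */
int ccache_dir_mode(mode_t mask)
{
    char base[] = "/tmp/ccdemo.XXXXXX";  /* constructed scratch location */
    char path[64];
    struct stat st;
    int mode = -1;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/7193_krb5cc", base);

    mode_t old = umask(mask);
    if (mkdir(path, 0700) == 0) {
        if (stat(path, &st) == 0)
            mode = (int)(st.st_mode & 07777);
        rmdir(path);
    }
    umask(old);
    rmdir(base);
    return mode;
}

/* The owner needs r, w and x (search) to store a ticket in the directory. */
int ccache_dir_usable(int mode)
{
    return mode >= 0 && (mode & 0700) == 0700;
}

int main(void)
{
    /* Assumed values: 0177 is a umask suited to private files, 0077 to
     * private directories. Neither is quoted from the sssd source. */
    int file_mask = ccache_dir_mode(0177);
    int dir_mask = ccache_dir_mode(0077);

    printf("umask 0177: %04o usable=%d\n", file_mask, ccache_dir_usable(file_mask));
    printf("umask 0077: %04o usable=%d\n", dir_mask, ccache_dir_usable(dir_mask));
    return 0;
}
```

Running the same mode check against an existing cache directory separates this permission problem from other causes of a failed login.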


