Bug 1913284

Summary: sssd status shows error "krb5_kt_start_seq_get failed: Permission denied" when running as unprivileged user 'sssd'
Product: Red Hat Enterprise Linux 9 Reporter: Divya Mittal <dmittal>
Component: sssdAssignee: Sumit Bose <sbose>
Status: NEW --- QA Contact: Jakub Vavra <jvavra>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.1CC: apeddire, atikhono, grajaiya, jvavra, lslebodn, mzidek, pasik, pbrezina, sbose, thalman, tscherf
Target Milestone: rcKeywords: Reopened, Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: sync-to-jira
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-03 18:13:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2055999    

Description Divya Mittal 2021-01-06 12:46:36 UTC 
Description of problem:

When sssd is running as unprivileged user 'sssd' , Below error can be seen sssd status 

--
v 10 10:06:30 example.com sssd[be[example.com]][42908]: krb5_kt_start_seq_get failed: Permission denied
Nov 10 10:06:30 example.com sssd[be[example.com]][42908]: Failed to read keytab [FILE:/etc/krb5.keytab]: No suitable principal found in keytab
--


Version-Release number of selected component (if applicable):


How reproducible: Easily


Steps to Reproduce:
1. Add user = sssd in [sssd] section of /etc/sssd/sssd.conf
2. Restart sssd service
3. 

Actual results:

Errors in sssd service status

--
v 10 10:06:30 example.com sssd[be[example.com]][42908]: krb5_kt_start_seq_get failed: Permission denied
Nov 10 10:06:30 example.com sssd[be[example.com]][42908]: Failed to read keytab [FILE:/etc/krb5.keytab]: No suitable principal found in keytab
--

Expected results:

No such errors in sssd service status


Additional info:

Issue is resolved after changing the permissions or ACLs on /etc/krb5.keytab.
Comment 1 Sumit Bose 2021-01-06 15:04:59 UTC 
Hi,

the issue happens when SSSD tries to access other domains in the AD forest. For the configured domains the keytab is read at startup when the backend is still running as root. The other domains are discovered at runtime when the backend already runs as 'sssd' user and use the same code-path to check if the keytab contains the needed principals. 

One possible solution is just to skip the check in this case, in the worst case we would fail later when ldap_child tries to get a Kerberos ticket.

Another solution would be to use ldap_child to check the principals since this is installed with the SUID bit set when SSSD should run as non-root user.

There might be other solutions as well.

bye,
Sumit
Comment 3 RHEL Program Management 2021-11-03 18:13:52 UTC 
Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.