Bug 890062 - KRB5 login fails due to missing /run/user/UID/krb5cc
Status: CLOSED DUPLICATE of bug 853558
Product: Fedora
Classification: Fedora
Component: sssd
Assigned To: Jakub Hrozek
Fedora Extras Quality Assurance
Reported: 2012-12-24 15:24 EST by Gordon Messmer
Modified: 2013-01-24 00:30 EST
Doc Type: Bug Fix
Last Closed: 2013-01-24 00:30:21 EST
Type: Bug

Attachments
/etc/sssd/sssd.conf (603 bytes, text/plain), 2013-01-02 10:57 EST, Gordon Messmer
Requested SSSD logs (55.70 KB, text/plain), 2013-01-02 10:58 EST, Gordon Messmer

Description Gordon Messmer 2012-12-24 15:24:22 EST
Description of problem:
On a newly installed F18 host where krb5 authentication is configured, both ssh and gdm logins fail (presumably, all PAM services will fail).  The following is logged during an attempted SSH login:

Dec 24 12:17:28 herald sshd[13131]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=  user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): system info: [Credential cache directory /run/user/1002/krb5cc does not exist]
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): received for user gordon: 4 (System error)
Dec 24 12:17:31 herald sshd[13131]: Failed password for gordon from port 46439 ssh2

If I log in as root and use 'su' to start a login shell for 'gordon', I can create the named directory.  Thereafter, I can log in through ssh and gdm.

Bug 796430, bug 848228, bug 796910, and bug 796429 all discuss the move of the krb5 cache to /run/user/UID.  It looks like some component changed that path, further to /run/user/UID/krb5cc.  The user component appears to be created correctly, but some component (probably the krb5libs or sssd) needs to also create the krb5cc directory in order to succeed.

Version-Release number of selected component (if applicable):
Comment 1 Jakub Hrozek 2013-01-02 07:35:07 EST
The directory should be created by the SSSD.

Can you paste the sanitized sssd.conf?

Can you raise the debug_level in the [domain/$DOMNAME] section to 9, restart the SSSD and check out the contents of /var/log/sssd/sssd_$domname.log and /var/log/sssd/krb5_child.log?

The last component of the dircache is created in the krb5_child subprocess; in the krb5_child log there should be a line saying [create_ccache_in_dir] when the directory is created.

Is SELinux Enforcing? Are there any AVC denials?
Comment 2 Gordon Messmer 2013-01-02 10:57:58 EST
Created attachment 671511
Comment 3 Gordon Messmer 2013-01-02 10:58:34 EST
Created attachment 671512
Requested SSSD logs
Comment 4 Gordon Messmer 2013-01-02 11:00:56 EST
SELinux is enforcing, but no AVCs are logged.
Comment 5 Jakub Hrozek 2013-01-24 00:30:21 EST
Bug #853558, which describes the same issue, has been reopened and it contains more information that was gathered in a debugging session on IRC. I'm going to close this report as a duplicate of the other one, then.

I've also reopened the upstream bug.

Thank you very much for reporting the problem. We're actively working on a fix now.

*** This bug has been marked as a duplicate of bug 853558 ***
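
The sshd lines in the description end in "Failed password", yet the pam_sss result is 4 (System error), not an authentication error. As an added example (not part of the original report and not SSSD code), the Python function below pairs each pam_sss result with an earlier missing-ccache message from the same process, so these failures can be separated from real bad-password attempts when triaging logs. The sample log is constructed from the lines in the description plus a hypothetical second session for a user named alice.

```python
import re

# Constructed sample: the first session mirrors the report; the second is hypothetical.
SAMPLE = """\
Dec 24 12:17:28 herald sshd[13131]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=  user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): system info: [Credential cache directory /run/user/1002/krb5cc does not exist]
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): received for user gordon: 4 (System error)
Dec 24 12:19:02 herald sshd[13140]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= user=alice
Dec 24 12:19:02 herald sshd[13140]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
"""

# "<service>[<pid>]: pam_sss(<pam service>:<type>): <message>"
LINE = re.compile(r"(?P<svc>\w+)\[(?P<pid>\d+)\]: pam_sss\([^)]+\): (?P<msg>.*)$")
CCACHE = re.compile(r"system info: \[Credential cache directory (?P<dir>\S+) does not exist\]")
RESULT = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
UID_IN_PATH = re.compile(r"^/run/user/(\d+)/")


def classify(log_text):
    """Return one record per pam_sss result, tagged with the likely cause."""
    pending = {}  # (service, pid) -> ccache directory reported missing in that session
    records = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a pam_sss line (e.g. pam_unix)
        key = (m["svc"], m["pid"])
        missing = CCACHE.search(m["msg"])
        if missing:
            pending[key] = missing["dir"]
            continue
        result = RESULT.search(m["msg"])
        if result:
            ccache_dir = pending.pop(key, None)
            uid = UID_IN_PATH.match(ccache_dir) if ccache_dir else None
            records.append({
                "user": result["user"],
                "pam_code": int(result["code"]),
                "cause": "missing_ccache_dir" if ccache_dir else "other",
                "ccache_dir": ccache_dir,
                "uid": int(uid.group(1)) if uid else None,
            })
    return records
```
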
