Bug 890062 - KRB5 login fails due to missing /run/user/UID/krb5cc
Summary: KRB5 login fails due to missing /run/user/UID/krb5cc
Keywords:
Status: CLOSED DUPLICATE of bug 853558
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-12-24 20:24 UTC by Gordon Messmer
Modified: 2013-01-24 05:30 UTC (History)
4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-24 05:30:21 UTC
Type: Bug
Embargoed:


Attachments
/etc/sssd/sssd.conf (603 bytes, text/plain) - 2013-01-02 15:57 UTC, Gordon Messmer
Requested SSSD logs (55.70 KB, text/plain) - 2013-01-02 15:58 UTC, Gordon Messmer

Description Gordon Messmer 2012-12-24 20:24:22 UTC
Description of problem:
On a newly installed F18 host where krb5 authentication is configured, both ssh and gdm logins fail (presumably, all PAM services will fail).  The following is logged during an attempted SSH login:

Dec 24 12:17:28 herald sshd[13131]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net  user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): system info: [Credential cache directory /run/user/1002/krb5cc does not exist]
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): received for user gordon: 4 (System error)
Dec 24 12:17:31 herald sshd[13131]: Failed password for gordon from 192.168.89.1 port 46439 ssh2

If I log in as root and use 'su' to start a login shell for 'gordon', I can create the named directory.  Thereafter, I can log in through ssh and gdm.

Bug 796430, bug 848228, bug 796910, and bug 796429 all discuss the move of the krb5 cache to /run/user/UID.  It looks like some component changed that path further, to /run/user/UID/krb5cc.  The user component appears to be created correctly, but some component (probably the krb5libs or sssd) needs to also create the krb5cc directory in order to succeed.

Version-Release number of selected component (if applicable):
krb5-libs-1.10.3-5.fc18.x86_64
krb5-workstation-1.10.3-5.fc18.x86_64
pam-1.1.6-3.fc18.1.x86_64
pam_krb5-2.4.1-1.fc18.x86_64
sssd-1.9.3-1.fc18.x86_64
sssd-client-1.9.3-1.fc18.x86_64

Comment 1 Jakub Hrozek 2013-01-02 12:35:07 UTC
The directory should be created by the SSSD.

Can you paste the sanitized sssd.conf?

Can you raise the debug_level in the [domain/$DOMNAME] section to 9, restart the SSSD and check out the contents of /var/log/sssd/sssd_$domname.log and /var/log/sssd/krb5_child.log?

The last component of the dircache is created in the krb5_child subprocess, in the krb5_child log there should be a line saying [create_ccache_in_dir] when the directory is created.

Is SELinux Enforcing? Are there any AVC denials?
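
Detection logic for the failure described in this report, as an added example that is not part of the bug report or of SSSD itself: it parses the syslog lines quoted above (embedded here as a constructed sample), correlates pam_sss's "Credential cache directory ... does not exist" message with the later PAM result code 4 (PAM_SYSTEM_ERR) for the same sshd PID, and then checks which component of the reported path is missing, which separates a missing /run/user/UID runtime directory from a missing krb5cc leaf that SSSD's krb5_child should have created. All function and variable names are my own.

```python
"""Find pam_sss credential-cache-directory failures in an auth log and
check which path component is missing. Added example, not SSSD code."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample syslog lines, constructed from the ones quoted in the bug report.
SAMPLE_LOG = """\
Dec 24 12:17:28 herald sshd[13131]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net  user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): system info: [Credential cache directory /run/user/1002/krb5cc does not exist]
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): received for user gordon: 4 (System error)
Dec 24 12:17:31 herald sshd[13131]: Failed password for gordon from 192.168.89.1 port 46439 ssh2
"""

# pam_sss "system info" line naming the ccache directory it could not find.
CCACHE_RE = re.compile(
    r"(?P<service>\w+)\[(?P<pid>\d+)\]: pam_sss\([^)]+\): system info: "
    r"\[Credential cache directory (?P<path>\S+) does not exist\]"
)
# pam_sss result line; PAM return code 4 is PAM_SYSTEM_ERR in Linux-PAM.
SYSERR_RE = re.compile(
    r"(?P<service>\w+)\[(?P<pid>\d+)\]: pam_sss\([^)]+\): "
    r"received for user (?P<user>\S+): 4 \(System error\)"
)
UID_RE = re.compile(r"^/run/user/(\d+)/")


@dataclass
class Finding:
    service: str
    pid: int
    path: str                    # ccache directory pam_sss reported missing
    uid: Optional[int]           # taken from /run/user/<uid>/... if present
    user: Optional[str] = None   # filled in from the later System error line


def uid_from_ccache_path(path: str) -> Optional[int]:
    """Extract the UID from a /run/user/<uid>/... path, else None."""
    m = UID_RE.match(path)
    return int(m.group(1)) if m else None


def find_ccache_failures(log_text: str) -> List[Finding]:
    """Correlate the 'does not exist' message with the PAM_SYSTEM_ERR result
    for the same (service, pid), so each login attempt yields one finding."""
    by_pid: Dict[Tuple[str, int], Finding] = {}
    for line in log_text.splitlines():
        m = CCACHE_RE.search(line)
        if m:
            key = (m["service"], int(m["pid"]))
            by_pid[key] = Finding(m["service"], int(m["pid"]), m["path"],
                                  uid_from_ccache_path(m["path"]))
            continue
        m = SYSERR_RE.search(line)
        if m:
            key = (m["service"], int(m["pid"]))
            if key in by_pid:
                by_pid[key].user = m["user"]
    return list(by_pid.values())


def first_missing_component(path: str, root: str = "/") -> Optional[str]:
    """Walk `path` below `root` and return the first component that is not a
    directory, or None if the whole path exists. A missing 'user'/'<uid>'
    points at the runtime directory, a missing 'krb5cc' at the SSSD leaf."""
    cur = root
    for part in path.strip("/").split("/"):
        cur = os.path.join(cur, part)
        if not os.path.isdir(cur):
            return part
    return None


def demo_on_tempdir() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Show the three states under a throwaway root instead of the real /run."""
    path = "/run/user/1002/krb5cc"
    with tempfile.TemporaryDirectory() as root:
        nothing = first_missing_component(path, root)          # "run"
        os.makedirs(os.path.join(root, "run", "user", "1002"))
        user_dir_only = first_missing_component(path, root)    # "krb5cc"
        os.makedirs(os.path.join(root, "run", "user", "1002", "krb5cc"))
        complete = first_missing_component(path, root)         # None
    return nothing, user_dir_only, complete


if __name__ == "__main__":
    for f in find_ccache_failures(SAMPLE_LOG):
        print(f"{f.service}[{f.pid}] user={f.user} uid={f.uid} missing={f.path}")
    print(demo_on_tempdir())
```

Run against the real log with `find_ccache_failures(open("/var/log/secure").read())` and, for each finding, `first_missing_component(f.path)` on the live filesystem; a result of "krb5cc" with an existing /run/user/UID matches the state the reporter describes, while "user" or the UID itself would point at the runtime-directory setup instead.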

Comment 2 Gordon Messmer 2013-01-02 15:57:58 UTC
Created attachment 671511 [details]
/etc/sssd/sssd.conf

Comment 3 Gordon Messmer 2013-01-02 15:58:34 UTC
Created attachment 671512 [details]
Requested SSSD logs

Comment 4 Gordon Messmer 2013-01-02 16:00:56 UTC
SELinux is enforcing, but no AVCs are logged.

Comment 5 Jakub Hrozek 2013-01-24 05:30:21 UTC
Bug #853558 that describes the same issue has been reopened and it contains more information that was gathered in a debugging session on IRC. I'm going to close this report as a duplicate of the other one, then.

I've also reopened the upstream bug.

Thank you very much for reporting the problem. We're actively working on a fix now.

*** This bug has been marked as a duplicate of bug 853558 ***

