Red Hat Bugzilla – Bug 890062
KRB5 login fails due to missing /run/user/UID/krb5cc
Last modified: 2013-01-24 00:30:21 EST
Description of problem:
On a newly installed F18 host where krb5 authentication is configured, both ssh and gdm logins fail (presumably, all PAM services will fail). The following is logged during an attempted SSH login:
Dec 24 12:17:28 herald sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net user=gordon
Dec 24 12:17:29 herald sshd: pam_sss(sshd:auth): system info: [Credential cache directory /run/user/1002/krb5cc does not exist]
Dec 24 12:17:29 herald sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net user=gordon
Dec 24 12:17:29 herald sshd: pam_sss(sshd:auth): received for user gordon: 4 (System error)
Dec 24 12:17:31 herald sshd: Failed password for gordon from 192.168.89.1 port 46439 ssh2
If I log in as root and use 'su' to start a login shell for 'gordon', I can create the named directory. Thereafter, I can log in through ssh and gdm.
Bug 796430, bug 848228, bug 796910, and bug 796429 all discuss the move of the krb5 cache to /run/user/UID. It looks like some component changed that path further, to /run/user/UID/krb5cc. The user component appears to be created correctly, but some component (probably the krb5libs or sssd) needs to also create the krb5cc directory in order to succeed.
Version-Release number of selected component (if applicable):
The directory should be created by the SSSD.
Can you paste the sanitized sssd.conf?
Can you raise the debug_level in the [domain/$DOMNAME] section to 9, restart the SSSD and check out the contents of /var/log/sssd/sssd_$domname.log and /var/log/sssd/krb5_child.log?
The last component of the dircache is created in the krb5_child subprocess; in the krb5_child log there should be a line saying [create_ccache_in_dir] when the directory is created.
Is SELinux Enforcing? Are there any AVC denials?
Created attachment 671511
Created attachment 671512
Requested SSSD logs
SELinux is enforcing, but no AVCs are logged.
Bug #853558 that describes the same issue has been reopened and it contains more information that was gathered in a debugging session on IRC. I'm going to close this report as a duplicate of the other one, then.
I've also reopened the upstream bug.
Thank you very much for reporting the problem. We're actively working on a fix now.
*** This bug has been marked as a duplicate of bug 853558 ***
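The following triage script is an added example, not part of the original report and not SSSD code. It scans auth log lines for the pam_sss "Credential cache directory ... does not exist" message quoted in the description, pairs each hit with the pam_sss result line that follows it, and reports which cache directories are still absent. The function names and the pairing by host and PAM service are assumptions made for this example.

```python
import os
import re

# Constructed sample input: the sshd lines quoted in the report above.
SAMPLE_LOG = """\
Dec 24 12:17:28 herald sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net user=gordon
Dec 24 12:17:29 herald sshd: pam_sss(sshd:auth): system info: [Credential cache directory /run/user/1002/krb5cc does not exist]
Dec 24 12:17:29 herald sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net user=gordon
Dec 24 12:17:29 herald sshd: pam_sss(sshd:auth): received for user gordon: 4 (System error)
Dec 24 12:17:31 herald sshd: Failed password for gordon from 192.168.89.1 port 46439 ssh2
"""

# Syslog prefix (the "[pid]" part is optional) followed by a pam_sss auth message.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s[^\s:\[]+(?:\[\d+\])?:\s"
                  r"pam_sss\((?P<svc>[^:)]+):auth\):\s(?P<msg>.*)$")
MISSING = re.compile(r"Credential cache directory (?P<path>/run/user/(?P<uid>\d+)/\S+) does not exist")
RESULT = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+) \(")

def find_missing_ccache_dirs(lines):
    """Return one finding per 'cache directory does not exist' message."""
    findings, pending = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a pam_sss auth line
        key = (m["host"], m["svc"])  # assumption: pair lines by host and PAM service
        miss = MISSING.search(m["msg"])
        res = RESULT.search(m["msg"])
        if miss:
            pending[key] = {"time": m["ts"], "host": m["host"], "service": m["svc"],
                            "path": miss["path"], "uid": int(miss["uid"]),
                            "user": None, "pam_code": None}
            findings.append(pending[key])
        elif res and key in pending:
            # The result line names the login and the PAM return code.
            hit = pending.pop(key)
            hit["user"], hit["pam_code"] = res["user"], int(res["code"])
    return findings

def still_missing(findings):
    """Keep only findings whose cache directory is absent on this host right now."""
    return [f for f in findings if not os.path.isdir(f["path"])]

if __name__ == "__main__":
    for f in still_missing(find_missing_ccache_dirs(SAMPLE_LOG.splitlines())):
        print(f"{f['time']} {f['host']} {f['service']}: user={f['user']} "
              f"uid={f['uid']} missing {f['path']} (PAM code {f['pam_code']})")
```

Run it on the affected host so that still_missing() checks the real /run/user tree; on any other machine it only tells you what the log recorded.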