Description of problem:
On a newly installed F18 host where krb5 authentication is configured, both ssh and gdm logins fail (presumably, all PAM services will fail). The following is logged during an attempted SSH login:

Dec 24 12:17:28 herald sshd[13131]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): system info: [Credential cache directory /run/user/1002/krb5cc does not exist]
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): received for user gordon: 4 (System error)
Dec 24 12:17:31 herald sshd[13131]: Failed password for gordon from 192.168.89.1 port 46439 ssh2

If I log in as root and use 'su' to start a login shell for 'gordon', I can create the named directory. Thereafter, I can log in through ssh and gdm.

Bug 796430, bug 848228, bug 796910, and bug 796429 all discuss the move of the krb5 cache to /run/user/UID. It looks like some component changed that path, further to /run/user/UID/krb5cc. The user component appears to be created correctly, but some component (probably the krb5libs or sssd) needs to also create the krb5cc directory in order to succeed.

Version-Release number of selected component (if applicable):
krb5-libs-1.10.3-5.fc18.x86_64
krb5-workstation-1.10.3-5.fc18.x86_64
pam-1.1.6-3.fc18.1.x86_64
pam_krb5-2.4.1-1.fc18.x86_64
sssd-1.9.3-1.fc18.x86_64
sssd-client-1.9.3-1.fc18.x86_64
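A log-triage sketch for the failure pattern in the report above, added here as an example (not code from the reporter or from SSSD): it groups pam_sss lines by process and flags logins where the "Credential cache directory ... does not exist" message is followed by a non-zero PAM result. The function name and the second (alice) session in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# First three lines are taken from the report; the 13140 session is constructed
# as a contrast case (an ordinary bad-password failure with no ccache message).
SAMPLE_LOG = """\
Dec 24 12:17:28 herald sshd[13131]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ascension.private.dragonsdawn.net user=gordon
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): system info: [Credential cache directory /run/user/1002/krb5cc does not exist]
Dec 24 12:17:29 herald sshd[13131]: pam_sss(sshd:auth): received for user gordon: 4 (System error)
Dec 24 12:18:02 herald sshd[13140]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.test user=alice
Dec 24 12:18:02 herald sshd[13140]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
"""

# syslog prefix, then a pam_sss auth-phase message for any PAM service (sshd, gdm, ...)
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\s(?P<proc>[\w-]+)\[(?P<pid>\d+)\]:\s"
                  r"pam_sss\((?P<svc>[^:)]+):auth\):\s(?P<msg>.*)$")
MISSING = re.compile(r"system info: \[Credential cache directory (?P<dir>\S+) does not exist\]")
RESULT = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")


def find_ccache_failures(log_text):
    """Return one finding per (host, process, pid) in which pam_sss reported a
    missing credential cache directory and then returned a failure code."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # pam_unix, sshd "Failed password", unrelated lines
        s = sessions[(m["host"], m["proc"], m["pid"])]
        s.setdefault("service", m["svc"])
        if (d := MISSING.search(m["msg"])):
            s["ccache_dir"] = d["dir"]
        elif (r := RESULT.search(m["msg"])):
            s.update(user=r["user"], pam_code=int(r["code"]), pam_text=r["text"])
    findings = []
    for (host, _proc, pid), s in sessions.items():
        # Only the combination matters: a bare failure code is a normal bad password.
        if "ccache_dir" in s and s.get("pam_code", 0) != 0:
            findings.append({"host": host, "pid": int(pid), **s})
    return findings


if __name__ == "__main__":
    for f in find_ccache_failures(SAMPLE_LOG):
        print(f)
```

Separating these findings from ordinary authentication failures keeps a client-side provisioning fault from being counted as password guessing in login-failure alerting.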
The directory should be created by the SSSD. Can you paste the sanitized sssd.conf? Can you raise the debug_level in the [domain/$DOMNAME] section to 9, restart the SSSD and check out the contents of /var/log/sssd/sssd_$domname.log and /var/log/sssd/krb5_child.log? The last component of the dircache is created in the krb5_child subprocess, in the krb5_child log there should be a line saying [create_ccache_in_dir] when the directory is created. Is SELinux Enforcing? Are there any AVC denials?
Created attachment 671511: /etc/sssd/sssd.conf
Created attachment 671512: Requested SSSD logs
SELinux is enforcing, but no AVCs are logged.
Bug #853558, which describes the same issue, has been reopened, and it contains more information that was gathered in a debugging session on IRC. I'm going to close this report as a duplicate of the other one, then. I've also reopened the upstream bug. Thank you very much for reporting the problem. We're actively working on a fix now.

*** This bug has been marked as a duplicate of bug 853558 ***