#2718 SSSD keytab validation check expects root ownership
Closed: Fixed None Opened 4 years ago by abbra.

Even when SSSD can be run as the sssd user, for cross-forest keytabs the validation code expects that the keytab is owned by root.

(Tue Jul 14 07:59:45 2015) [sssd[be[example.com]]] [ipa_server_trust_add_send] (0x1000): Trust direction of subdom adx.test from forest adx.test is: one-way inbound: local domain trusts the remote domain
(Tue Jul 14 07:59:45 2015) [sssd[be[example.com]]] [perform_checks] (0x0020): File must be owned by uid [0].
(Tue Jul 14 07:59:45 2015) [sssd[be[example.com]]] [ipa_check_keytab] (0x0040): Failed to check for /var/lib/sss/keytabs/adx.test.keytab
(Tue Jul 14 07:59:45 2015) [sssd[be[example.com]]] [ipa_server_trust_add_1way] (0x0040): Failed to check for keytab: 22
(Tue Jul 14 07:59:45 2015) [sssd[be[example.com]]] [create_trusts_at_startup_done] (0x0080): ipa_server_create_trusts_send request failed [22]: Invalid argument

FreeIPA 4.2 assumes that sssd wants to run as the 'sssd' user and chowns the keytab to sssd:sssd.
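
The failure reported above comes from validating the keytab against a fixed uid 0 while the file is owned by sssd:sssd. As an added illustration (not SSSD's code and not part of the ticket; the function names are hypothetical), here is a check that takes the expected owner from the uid/gid the service runs as. It also rejects group/other permission bits, which goes beyond the ownership test the log shows.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not SSSD source; all names here are hypothetical.
 * Validate a keytab against the uid/gid the service actually runs as.
 * Returns 0 if acceptable, EINVAL on a policy mismatch, errno on I/O error. */
int check_keytab_owner(const char *path, uid_t want_uid, gid_t want_gid)
{
    struct stat st;
    int ret = 0;
    /* Open first and fstat the descriptor, so the file that is checked is
     * the file that was opened; O_NOFOLLOW rejects a symlink at the path. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1) return errno;
    if (fstat(fd, &st) == -1) {
        ret = errno;
    } else if (!S_ISREG(st.st_mode)) {
        ret = EINVAL;                  /* not a regular file */
    } else if (st.st_uid != want_uid || st.st_gid != want_gid) {
        ret = EINVAL;                  /* wrong owner: errno 22, as in the log */
    } else if (st.st_mode & (S_IRWXG | S_IRWXO)) {
        ret = EINVAL;                  /* key material exposed beyond the owner */
    }
    close(fd);
    return ret;
}

/* Constructed demo: a temp file owned by the current user stands in for the
 * keytab. A non-zero wrong_owner checks it against a uid that does not own it. */
int demo_check(int wrong_owner)
{
    char path[] = "/tmp/demo-keytab-XXXXXX";
    struct stat st;
    int fd = mkstemp(path);            /* created with mode 0600 */
    if (fd == -1) return errno;
    if (fstat(fd, &st) == -1) { int e = errno; close(fd); unlink(path); return e; }
    close(fd);
    uid_t run_as = geteuid() + (wrong_owner ? 1 : 0);
    int ret = check_keytab_owner(path, run_as, st.st_gid);
    unlink(path);
    return ret;
}
```
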

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.1
priority: major => blocker

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => 0

Metadata Update from @abbra:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13.1

2 years ago
