#2718 SSSD keytab validation check expects root ownership
Closed: Fixed None Opened 5 years ago by abbra.

Even when SSSD can be run as the sssd user, for cross-forest keytabs the validation code expects that the keytab is owned by root.

(Tue Jul 14 07:59:45 2015) [sssd[be[example.com]]] [ipa_server_trust_add_send] (0x1000): Trust direction of subdom adx.test from forest adx.test is: one-way inbound: local domain trusts the remote domain
(Tue Jul 14 07:59:45 2015) [sssd[be[example.com]]] [perform_checks] (0x0020): File must be owned by uid [0].
(Tue Jul 14 07:59:45 2015) [sssd[be[example.com]]] [ipa_check_keytab] (0x0040): Failed to check for /var/lib/sss/keytabs/adx.test.keytab
(Tue Jul 14 07:59:45 2015) [sssd[be[example.com]]] [ipa_server_trust_add_1way] (0x0040): Failed to check for keytab: 22
(Tue Jul 14 07:59:45 2015) [sssd[be[example.com]]] [create_trusts_at_startup_done] (0x0080): ipa_server_create_trusts_send request failed [22]: Invalid argument

FreeIPA 4.2 assumes that sssd wants to run as the 'sssd' user and chowns the keytab to sssd:sssd.
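
The ownership check this report describes, as an added example that is not part of the ticket and is not SSSD's code: a hypothetical `check_keytab()` that accepts a keytab owned by root or by the unprivileged service account and returns EINVAL (22, the code in the log above) otherwise. The function names, the accepted-owner policy and the group/other mode test are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not SSSD's perform_checks(): validate a keytab's
 * type, owner and mode. Returns 0 if acceptable, otherwise an errno value. */
int check_keytab(const char *path, uid_t service_uid)
{
    struct stat st;

    /* lstat() so a symlink at the keytab path is rejected, not followed */
    if (lstat(path, &st) != 0) return errno;
    if (!S_ISREG(st.st_mode)) return EINVAL;
    /* Assumed policy: owner is root or the service account, nobody else */
    if (st.st_uid != 0 && st.st_uid != service_uid) return EINVAL;
    /* Assumed policy: key material is not accessible to group or other */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return EINVAL;
    return 0;
}

/* Constructed input: a temp file owned by the caller with the given mode.
 * Returns the check result for that file, or -1 if setup failed. */
int check_temp_keytab(mode_t mode, uid_t service_uid)
{
    char path[] = "/tmp/demo-keytab-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int ret = (fchmod(fd, mode) == 0) ? check_keytab(path, service_uid) : -1;
    close(fd);
    unlink(path);
    return ret;
}

int main(void)
{
    uid_t me = getuid();
    printf("owner is service uid, mode 0600: %d\n", check_temp_keytab(0600, me));
    printf("owner is service uid, mode 0644: %d\n", check_temp_keytab(0644, me));
    printf("owner differs from service uid:  %d\n", check_temp_keytab(0600, me + 1));
    return 0;
}
```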


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.1
priority: major => blocker

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => 0

Metadata Update from @abbra:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13.1

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3759

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
