#2962 GPO: Access denied in non-root mode
Closed: Fixed None Opened 4 years ago by lslebodn.

PAM system error (4) is returned in non-root mode for pam:account.

Feb 25 04:32:23 gs-per720-01 su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/7 ruser=nobody rhost= user=allow_u-15330@sssdad2012.com
Feb 25 04:32:24 gs-per720-01 su: pam_sss(su:account): Access denied for user allow_u-15330@sssdad2012.com: 4 (System error)

Directories in gpo_cache are created with wrong permissions.

(Thu Feb 25 04:36:16 2016) [[sssd[gpo_child[24925]]]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/sssdad2012.com
(Thu Feb 25 04:36:16 2016) [[sssd[gpo_child[24925]]]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/sssdad2012.com/Policies
(Thu Feb 25 04:36:16 2016) [[sssd[gpo_child[24925]]]] [prepare_gpo_cache] (0x0020): mkdir(/var/lib/sss/gpo_cache/sssdad2012.com/Policies) failed: 13
(Thu Feb 25 04:36:16 2016) [[sssd[gpo_child[24925]]]] [gpo_cache_store_file] (0x0020): prepare_gpo_cache failed [13][Permission denied]
(Thu Feb 25 04:36:16 2016) [[sssd[gpo_child[24925]]]] [gpo_cache_store_file] (0x0020): Error encountered: 13.
(Thu Feb 25 04:36:16 2016) [[sssd[gpo_child[24925]]]] [copy_smb_file_to_gpo_cache] (0x0020): gpo_cache_store_file failed [13][Permission denied]
(Thu Feb 25 04:36:16 2016) [[sssd[gpo_child[24925]]]] [perform_smb_operations] (0x0020): copy_smb_file_to_gpo_cache failed [13][Permission denied]
(Thu Feb 25 04:36:16 2016) [[sssd[gpo_child[24925]]]] [main] (0x0020): perform_smb_operations failed.[13][Permission denied].
(Thu Feb 25 04:36:16 2016) [[sssd[gpo_child[24925]]]] [main] (0x0020): gpo_child failed!

Fields changed

owner: somebody => lslebodn
status: new => assigned

The patch is simple and I have a WIP patch.

The question is how we want to solve the upgrade.

Check for the directory/file ownership at startup in the main process and fix permissions before dropping privileges.
Alternatively, provide a script to fix permissions and preexec it in the systemd unit file.
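
One way to write the ownership-fixing script from the second option above, as an added example that is not taken from this ticket or from the SSSD patch. The function names and the numeric uid/gid arguments for the unprivileged service user are assumptions; only the `/var/lib/sss/gpo_cache` path comes from the logs in this ticket.

```shell
#!/bin/sh
# Added example (not SSSD code): repair ownership of a cache tree that an
# earlier root-mode run left behind, before the daemon starts unprivileged.
# Assumed invocation as root: script /var/lib/sss/gpo_cache <uid> <gid>

# Count entries under $1 (including $1 itself) not owned by numeric uid $2.
# find does not follow symlinks by default; -xdev stays on one filesystem.
# One dot per entry is emitted so odd file names cannot skew the count.
count_mismatched() {
    find "$1" -xdev ! -uid "$2" -exec printf '.' ';' | wc -c | tr -d ' '
}

# Re-own every mismatched entry under $1 to uid $2 / gid $3.
# Returns 0 when the tree is fully owned by $2 afterwards, 1 if a chown
# failed or entries are still mismatched, 2 if $1 is not a real directory.
fix_cache_owner() {
    dir=$1 uid=$2 gid=$3

    # A symlinked root could redirect a root-run chown somewhere else.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a real directory" >&2
        return 2
    fi

    # chown -h changes a symlink itself, never the file it points to, so a
    # link planted inside the cache cannot be used to re-own other paths.
    find "$dir" -xdev ! -uid "$uid" -exec chown -h "$uid:$gid" {} + || return 1

    # Verify instead of assuming the walk covered everything.
    [ "$(count_mismatched "$dir" "$uid")" -eq 0 ]
}

# Run only when called with all three arguments, so the file can be sourced.
if [ "$#" -eq 3 ]; then
    fix_cache_owner "$1" "$2" "$3"
fi
```

With this in place, the `mkdir(...) failed: 13` case in the log above would be caught before startup: any directory still owned by root is re-owned, or the script exits non-zero and the unit does not start.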

Fields changed

rhbz: => todo

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.4

Fields changed

patch: 0 => 1

Fields changed

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: todo => 0

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.13.4

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4003

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
