From bd8810986a404cdfadb1b1dd39ec37a07bbe23be Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Fri, 29 Jan 2016 13:30:49 +0100 Subject: [PATCH] krb5_child: Warn if user cannot read krb5.conf Attached patch should siplify troubleshoting of issues with permission of krb5.conf. It's not clear from krb5_child.log even with full debug level. [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_12069_XXXXXX] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243] [Can't find client principal user@EXAMPLE.COM in cache collection] [create_ccache] (0x0020): 735: [13][Permission denied] Resolves: https://fedorahosted.org/sssd/ticket/2931 --- src/providers/krb5/krb5_child.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 12eb9e2093d2bdd7d67e8d029fec1455488aa67c..fff6a0a0cb186ef72350b5906b85455db561e4b8 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -2576,6 +2576,29 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr, return 0; } +static void try_open_krb5_conf(void) +{ + int fd; + int ret; + + fd = open("/etc/krb5.conf", O_RDONLY); + if (fd != -1) { + close(fd); + } else { + ret = errno; + if (ret == EACCES || ret == EPERM) { + DEBUG(SSSDBG_CRIT_FAILURE, + "User with uid:%"SPRIuid" gid:%"SPRIgid" cannot read " + "/etc/krb5.conf. It might cause problems\n", + geteuid(), getegid()); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot open /etc/krb5.conf [%d]: %s\n", + ret, strerror(ret)); + } + } +} + int main(int argc, const char *argv[]) { struct krb5_req *kr = NULL; @@ -2677,6 +2700,7 @@ int main(int argc, const char *argv[]) DEBUG(SSSDBG_TRACE_INTERNAL, "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid()); + try_open_krb5_conf(); ret = k5c_setup(kr, offline); if (ret != EOK) { -- 2.5.0