From d2d7a42f5eee44f611dfc30447038e54fc52f64c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Fri, 29 Jan 2016 13:30:49 +0100
Subject: [PATCH] krb5_child: Warn if user cannot read krb5.conf
Attached patch should siplify troubleshoting of issues with permission of krb5.conf. It's not clear from krb5_child.log even with full debug level.
[sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_12069_XXXXXX]
[sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243] [Can't find client principal user@EXAMPLE.COM in cache collection]
[create_ccache] (0x0020): 735: [13][Permission denied]
Resolves: https://fedorahosted.org/sssd/ticket/2931
---
 src/providers/krb5/krb5_child.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 12eb9e2093d2bdd7d67e8d029fec1455488aa67c..28e10fef75ffe7dace214f1fdbcbf5b9a1ee635c 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2675,6 +2675,23 @@ int main(int argc, const char *argv[])
 goto done;
 }
+ ret = open("/etc/krb5.conf", O_RDONLY);
+ if (ret != -1) {
+ close(ret);
+ } else {
+ ret = errno;
+ if (ret == EPERM) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "User with uid:%"SPRIuid" gid:%"SPRIgid" cannot read "
+ "/etc/krb5.conf. It might cause problems.",
+ geteuid(), getegid());
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot open /etc/krb5.conf [%d]: %s\n",
+ ret, strerror(ret));
+ }
+ }
+
 DEBUG(SSSDBG_TRACE_INTERNAL, "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
-- 
2.5.0
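Review bot: The `ret == EPERM` test in the added block will not match the case this patch targets. open() on a file the caller has no read permission for fails with EACCES, which on Linux is errno 13, the same `[13][Permission denied]` quoted in the commit message. As written, the SSSDBG_CRIT_FAILURE warning is skipped and only the SSSDBG_MINOR_FAILURE line is logged; the test should be `if (ret == EACCES || ret == EPERM) {`. The critical message also lacks the trailing newline that the other DEBUG calls in the hunk carry, so it should end with `"/etc/krb5.conf. It might cause problems.\n",`. main() continues outside the hunk and `ret` is left holding the errno value after this block, so confirm it is reassigned before it can reach the exit path.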