> -----Original Message-----
> From: [email protected] [mailto:freeipa-users-[email protected]] On Behalf Of Jakub Hrozek
> Sent: Wednesday, September 23, 2015 4:54 PM
> To: [email protected]
> Subject: Re: [Freeipa-users] sssd public socket error
>
> On Wed, Sep 23, 2015 at 06:03:45PM +0000, Andy Thompson wrote:
> > On one of my servers I'm getting
> >
> > Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session opened for user user by (uid=0)
> > Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to sssd failed. Public socket has wrong ownership or permissions.
> >
> > Authentication still works but group name lookups fail on the server.
> >
> > Haven't been able to track down yet what config is different on this server and I can't find any information on this, anyone have any thoughts?
>
> The code is:
>
>     statret = stat(SSS_PAM_SOCKET_NAME, &stat_buf);
>     if (statret != 0) {
>         ret = PAM_SERVICE_ERR;
>         goto out;
>     }
>     if ( ! (stat_buf.st_uid == 0 &&
>             stat_buf.st_gid == 0 &&
>             S_ISSOCK(stat_buf.st_mode) &&
>             (stat_buf.st_mode & ~S_IFMT) == 0666 )) {
>         *errnop = ESSS_BAD_PUB_SOCKET;
>         ret = PAM_SERVICE_ERR;
>         goto out;
>     }
>
> I would compare:
>
>     ls -lR /var/lib/sss/pipes/
>
> on a working or a non-working server. The public PAM socket
> (/var/lib/sss/pipes/pam) should be there and should have permission 0666.
>
> Also check AVC denials.
>
It was file perms on those files. Thanks for the pointer.

-andy
