FYSA filed LP: #2155002 today in response to this change. The big issue for AD/Kerberos SSSD users is that no package owns /etc/krb5.keytab, which, due to the MIT Kerberos library that adcli hands keytab creation off to, will always be created as root:root 0600. And due to its dumb historic location directly within /etc, we can't do a fix via SGID, nor can we handle it in a postinst.

I think that SSSD needs to start privileged, ensure SSSD-compatible privs, then drop privileges. That's my off-hand idea at least. In the meantime I've updated our Ansible configs to ensure root:sssd 0640 on /etc/krb5.keytab immediately after creation via adcli.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2139337

Title:
  don't run as root, instead use --with-sssd-user=sssd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2139337/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
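The permission problem described in the comment above (keytab created root:root 0600, an unprivileged sssd service unable to read it, and the root:sssd 0640 target the commenter settles on) can be checked before SSSD starts. The following is an added example written for this thread, not code from the bug report, from adcli or from the SSSD project. It assumes the service group is literally named `sssd` and that root:sssd 0640 is the desired end state; the audit only reads metadata and returns the remediation commands instead of running them, and the sample keytab it builds for testing is a constructed stand-in, never the real /etc/krb5.keytab.

```python
import grp
import os
import pwd
import stat
import tempfile

# Constructed example for this bug thread: MIT krb5 writes /etc/krb5.keytab as
# root:root 0600, which a non-root SSSD (--with-sssd-user=sssd) cannot open.
# The target root:sssd 0640 and the group name "sssd" are assumptions taken
# from the comment above, not from any package or project code.


def audit_keytab(path, want_owner="root", want_group="sssd", want_mode=0o640):
    """Return a list of findings; an empty list means the keytab is readable by
    the SSSD service group and by nobody else (exact owner/group/mode match)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []

    # Resolve numeric ids to names; fall back to the number if the account is gone.
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)

    if owner != want_owner:
        findings.append(f"owner is {owner}, expected {want_owner}")
    if group != want_group:
        findings.append(f"group is {group}, expected {want_group}")
    if not mode & stat.S_IRGRP:
        findings.append("not group-readable: a non-root sssd cannot open the keytab")
    if mode & stat.S_IWGRP:
        findings.append("group-writable: the service account could replace host keys")
    if mode & 0o007:
        findings.append("world-accessible: any local user can read or alter host keys")
    if mode != want_mode:
        findings.append(f"mode is {mode:04o}, expected {want_mode:04o}")
    return findings


def remediation(path, want_owner="root", want_group="sssd", want_mode=0o640):
    """Commands an operator or config-management task would run to reach the
    target state. Returned, not executed, so the audit itself stays read-only."""
    return [f"chown {want_owner}:{want_group} {path}",
            f"chmod {want_mode:04o} {path}"]


def make_sample_keytab(mode):
    """Create a constructed stand-in keytab with the given mode and return its
    path, so the audit can be exercised without touching /etc/krb5.keytab.
    The two bytes written are the keytab format header (constructed content)."""
    fd, path = tempfile.mkstemp(prefix="krb5-example-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\x05\x02")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.keytab"
    problems = audit_keytab(target)
    for line in problems:
        print("FINDING:", line)
    if problems:
        print("suggested fix:")
        for cmd in remediation(target):
            print("  ", cmd)
    else:
        print(f"{target}: ok")
```

Run it as `python3 keytab_audit.py /etc/krb5.keytab` right after `adcli join`, or wire the two command strings into the same Ansible task the commenter describes; the 0640 target keeps the group-write bit off deliberately so that the service account can read host keys but cannot rewrite them.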
