Snooping the sssd startup, I can see that it's ldap_child who reads
/etc/krb5.keytab:

root@r-member:~# opensnoop.bt |grep -E 'krb5\.keytab'
Attached 8 probes
PID    COMM               FD ERR PATH
4784   ldap_child          0   0 /etc/krb5.keytab
4784   ldap_child          0   0 /etc/krb5.keytab
4788   ldap_child          0   0 /etc/krb5.keytab
4788   ldap_child          0   0 /etc/krb5.keytab

The "ERR" column confirms there was no error.

And here we can see how it was invoked:

root@r-member:~# execsnoop.bt |grep ldap
Attached 3 probes
TIME            PID     PPID    ARGS
19:49:11.112081 5421    5420    /bin/chown -f -h sssd:sssd 
/var/log/sssd/ldap_child.log /var/log/sssd/sssd.log 
/var/log/sssd/sssd_example.fake.log /var/log/sssd/sssd_nss.log 
/var/log/sssd/sssd_pac.log /var/log/sssd/sssd_pam.log
19:49:11.184744 5425    5424    /usr/libexec/sssd/ldap_child --dumpable=1 
--debug-microseconds=0 --debug-timestamps=1 --debug-fd=20 --chain-id=0 
--backtrace=1 --debug-level=0x0070
19:49:11.231763 5429    5424    /usr/libexec/sssd/ldap_child --dumpable=1 
--debug-microseconds=0 --debug-timestamps=1 --debug-fd=23 --chain-id=1 
--backtrace=1 --debug-level=0x0070


And ldap_child has cap_dac_read_search:

root@r-member:~# getcap /usr/libexec/sssd/ldap_child 
/usr/libexec/sssd/ldap_child cap_dac_read_search=p


Which means:
CAP_DAC_READ_SEARCH
  •  Bypass file read permission checks and directory read and execute 
permission checks;
  •  invoke open_by_handle_at(2);
  •  use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred 
to by a file descriptor.

So it can read files even if they are 0600 root:root. That's the idea at
least, and seems to be working here.

In your bug report you also listed the capabilities of the helper
binaries, did you check that with getcap?

I'm at a loss at the moment, it's like capabilities are not working in
your case.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2155002

Title:
  Update to SSSD 2.12.0-1ubuntu5 breaks AD join due to SSSD inability to
  read keytab

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2155002/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
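As an added example (not part of the bug thread or of SSSD), here is a small POSIX sh helper for the check the thread is circling around: decoding a capability bitmask (CAP_DAC_READ_SEARCH is bit 2) from a constructed value or from a live process's CapEff line in /proc/PID/status, and checking whether the helper's filesystem is mounted nosuid, which makes the kernel ignore file capabilities. A `=p` file capability only lands in the permitted set, so looking at CapEff of the running ldap_child is what tells you whether the program actually raised it; the PID and paths used below are illustrative.

```sh
#!/bin/sh
# Added example, not SSSD code. Decode Linux capability masks and check why
# a file capability such as cap_dac_read_search=p might not take effect.

CAP_DAC_READ_SEARCH=2   # bit number from <linux/capability.h>

# has_cap MASK_HEX CAPNUM -> exit 0 if bit CAPNUM is set in the hex mask
# (accepts the bare 16-digit form printed in /proc/PID/status or a 0x prefix).
has_cap() {
    awk -v m="$1" -v n="$2" 'BEGIN {
        sub(/^0x/, "", m)
        m = tolower(m)
        idx = length(m) - int(n / 4)        # hex digit holding bit n
        if (idx < 1) exit 1                 # mask too short: bit is clear
        v = index("0123456789abcdef", substr(m, idx, 1)) - 1
        if (v < 0) exit 1                   # not a hex digit
        exit (int(v / (2 ^ (n % 4))) % 2 == 1) ? 0 : 1
    }'
}

# proc_cap PID FIELD -> print the mask of FIELD (CapPrm, CapEff, CapBnd, ...)
proc_cap() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# mount_has_nosuid PATH -> exit 0 if the filesystem holding PATH is mounted
# nosuid; on such mounts the kernel ignores file capabilities entirely.
mount_has_nosuid() {
    findmnt -no OPTIONS --target "$1" | tr ',' '\n' | grep -qx nosuid
}

# describe_cap MASK_HEX -> print a one-line verdict for CAP_DAC_READ_SEARCH
describe_cap() {
    if has_cap "$1" "$CAP_DAC_READ_SEARCH"; then
        echo "mask $1: cap_dac_read_search present"
    else
        echo "mask $1: cap_dac_read_search absent"
    fi
}

# Constructed sample masks: only bit 2 set, and an empty set.
describe_cap 0000000000000004
describe_cap 0000000000000000

# Live check on this shell (Linux only); for ldap_child, substitute its PID
# from execsnoop/pgrep and also run: mount_has_nosuid /usr/libexec/sssd/ldap_child
if [ -r "/proc/$$/status" ]; then
    describe_cap "$(proc_cap "$$" CapEff)"
fi
```

Compare the CapPrm and CapEff masks of a running ldap_child: a bit present in CapPrm but missing from CapEff means the helper never raised it, while a bit missing from both on a binary that getcap reports as capable points at the mount options or at a stripped security.capability xattr.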