[Freeipa-users] sssd public socket error
Jakub Hrozek
jhrozek at redhat.com
Wed Sep 23 20:54:07 UTC 2015
On Wed, Sep 23, 2015 at 06:03:45PM +0000, Andy Thompson wrote:
> On one of my servers I'm getting
>
> Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session opened for user user by (uid=0)
> Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to sssd failed. Public socket has wrong ownership or permissions.
>
> Authentication still works but group name lookups fail on the server.
>
> Haven't been able to track down yet what config is different on this server and I can't find any information on this, anyone have any thoughts?
The code is:
    statret = stat(SSS_PAM_SOCKET_NAME, &stat_buf);
    if (statret != 0) {
        ret = PAM_SERVICE_ERR;
        goto out;
    }
    if ( ! (stat_buf.st_uid == 0 &&
            stat_buf.st_gid == 0 &&
            S_ISSOCK(stat_buf.st_mode) &&
            (stat_buf.st_mode & ~S_IFMT) == 0666 )) {
        *errnop = ESSS_BAD_PUB_SOCKET;
        ret = PAM_SERVICE_ERR;
        goto out;
    }

I would compare:
ls -lR /var/lib/sss/pipes/
on a working or a non-working server. The public PAM socket
(/var/lib/sss/pipes/pam) should be there and should have permission 0666.
Also check AVC denials.
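
Added example, not part of the original message or of the SSSD source: a small stand-alone C checker that applies the same four conditions as the snippet quoted above, one at a time, so it reports which one a given server fails. The helper names, flag values and exit codes are hypothetical; the default path is the one named in the reply.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for S_ISSOCK / S_IFSOCK under strict -std modes */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

#define PUB_SOCKET_PATH "/var/lib/sss/pipes/pam"  /* path named in the reply */

/* Hypothetical result flags, one per condition in the quoted check. */
enum {
    BAD_UID  = 1 << 0,  /* owner is not uid 0 */
    BAD_GID  = 1 << 1,  /* group is not gid 0 */
    BAD_TYPE = 1 << 2,  /* not a socket */
    BAD_MODE = 1 << 3,  /* permission bits are not exactly 0666 */
    NO_STAT  = 1 << 4   /* stat() itself failed */
};

/* Evaluate the four conditions separately instead of as one && chain. */
int check_fields(uid_t uid, gid_t gid, mode_t mode)
{
    int bad = 0;
    if (uid != 0) bad |= BAD_UID;
    if (gid != 0) bad |= BAD_GID;
    if (!S_ISSOCK(mode)) bad |= BAD_TYPE;
    /* Everything outside the file-type bits must equal 0666, so a
     * setuid, setgid or sticky bit also fails, not only a tighter mode. */
    if ((mode & ~S_IFMT) != 0666) bad |= BAD_MODE;
    return bad;
}

int check_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return NO_STAT;
    return check_fields(st.st_uid, st.st_gid, st.st_mode);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : PUB_SOCKET_PATH;
    int bad = check_path(path);
    if (bad & NO_STAT)  { perror(path); return 2; }
    if (bad & BAD_UID)  puts("owner is not uid 0");
    if (bad & BAD_GID)  puts("group is not gid 0");
    if (bad & BAD_TYPE) puts("not a socket");
    if (bad & BAD_MODE) puts("permission bits are not exactly 0666");
    if (!bad) puts("ok: passes the client-side check");
    return bad ? 1 : 0;
}
```

A non-zero result on the failing server but not on the working one narrows the comparison to the reported field.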