[Freeipa-users] sssd public socket error
Andy Thompson
Andy.Thompson at e-tcc.com
Thu Sep 24 12:40:18 UTC 2015
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Wednesday, September 23, 2015 4:54 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sssd public socket error
>
> On Wed, Sep 23, 2015 at 06:03:45PM +0000, Andy Thompson wrote:
> > On one of my servers I'm getting
> >
> > Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session opened for user user by (uid=0)
> > Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to sssd failed. Public socket has wrong ownership or permissions.
> >
> > Authentication still works but group name lookups fail on the server.
> >
> > Haven't been able to track down yet what config is different on this server and I can't find any information on this, anyone have any thoughts?
>
> The code is:
>     statret = stat(SSS_PAM_SOCKET_NAME, &stat_buf);
>     if (statret != 0) {
>         ret = PAM_SERVICE_ERR;
>         goto out;
>     }
>     if ( ! (stat_buf.st_uid == 0 &&
>             stat_buf.st_gid == 0 &&
>             S_ISSOCK(stat_buf.st_mode) &&
>             (stat_buf.st_mode & ~S_IFMT) == 0666 )) {
>         *errnop = ESSS_BAD_PUB_SOCKET;
>         ret = PAM_SERVICE_ERR;
>         goto out;
>     }
>
> I would compare:
> ls -lR /var/lib/sss/pipes/
>
> on a working or a non-working server. The public PAM socket
> (/var/lib/sss/pipes/pam) should be there and should have permission 0666.
>
> Also check AVC denials.
>
It was file perms on those files. Thanks for the pointer.
-andy