On Wed, Sep 23, 2015 at 06:03:45PM +0000, Andy Thompson wrote:
> On one of my servers I'm getting
> 
> Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session 
> opened for user user by (uid=0)
> Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to 
> sssd failed. Public socket has wrong ownership or permissions.
> 
> Authentication still works but group name lookups fail on the server.
> 
> Haven't been able to track down yet what config is different on this server 
> and I can't find any information on this, anyone have any thoughts?

The code is:
        statret = stat(SSS_PAM_SOCKET_NAME, &stat_buf);
        if (statret != 0) {
            ret = PAM_SERVICE_ERR;
            goto out;
        }
        /* owner root, group root, a socket, and permission bits exactly 0666 */
        if ( ! (stat_buf.st_uid == 0 &&
                stat_buf.st_gid == 0 &&
                S_ISSOCK(stat_buf.st_mode) &&
                (stat_buf.st_mode & ~S_IFMT) == 0666 )) {
            *errnop = ESSS_BAD_PUB_SOCKET;
            ret = PAM_SERVICE_ERR;
            goto out;
        }

I would compare:
    ls -lR /var/lib/sss/pipes/

on a working and a non-working server. The public PAM socket
(/var/lib/sss/pipes/pam) should be there and should have permission 0666.

Also check AVC denials.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project