> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Wednesday, September 23, 2015 4:54 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sssd public socket error
> 
> On Wed, Sep 23, 2015 at 06:03:45PM +0000, Andy Thompson wrote:
> > On one of my servers I'm getting
> >
> > Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session):
> > session opened for user user by (uid=0) Sep 23 13:35:07 mdhixuatisamw03
> sshd[8164]: pam_sss(sshd:setcred): Request to sssd failed. Public socket has
> wrong ownership or permissions.
> >
> > Authentication still works but group name lookups fail on the server.
> >
> > Haven't been able to track down yet what config is different on this server
> and I can't find any information on this, anyone have any thoughts?
> 
> The code is:
> 860         statret = stat(SSS_PAM_SOCKET_NAME, &stat_buf);
> 861         if (statret != 0) {
> 862             ret = PAM_SERVICE_ERR;
> 863             goto out;
> 864         }
> 865         if ( ! (stat_buf.st_uid == 0 &&
> 866                 stat_buf.st_gid == 0 &&
> 867                 S_ISSOCK(stat_buf.st_mode) &&
> 868                 (stat_buf.st_mode & ~S_IFMT) == 0666 )) {
> 869             *errnop = ESSS_BAD_PUB_SOCKET;
> 870             ret = PAM_SERVICE_ERR;
> 871             goto out;
> 872         }
> 873
> 
> I would compare:
>     ls -lR /var/lib/sss/pipes/
> 
> on a working or a non-working server. The public PAM socket
> (/var/lib/sss/pipes/pam) should be there and should have permission 0666.
> 
> Also check AVC denials.
> 

It was file perms on those files.  Thanks for the pointer.

-andy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to