And we can verify that capabilities are working in my case with this simple test:
ubuntu@r-member:~$ l /etc/krb5.keytab
-rw------- 1 root root 866 Jun  2 19:31 /etc/krb5.keytab

# no access, as expected:
ubuntu@r-member:~$ klist -k
Keytab name: FILE:/etc/krb5.keytab
klist: Permission denied while starting keytab scan

ubuntu@r-member:~$ cp $(which klist) .

# let's grant this local copy of klist some capabilities.
# The "e" flag is to make it effective,
# as klist has no idea about capabilities (but ldap_child from
# sssd does know about capabilities, so it doesn't need the "e" flag):
ubuntu@r-member:~$ sudo setcap "cap_dac_read_search=ep" ./klist

# now it works, even though my user cannot read /etc/krb5.keytab:
ubuntu@r-member:~$ ./klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 [email protected]
   3 [email protected]
   3 host/[email protected]
   3 host/[email protected]
   3 host/[email protected]
   3 host/[email protected]
   3 RestrictedKrbHost/[email protected]
   3 RestrictedKrbHost/[email protected]
   3 RestrictedKrbHost/[email protected]
   3 RestrictedKrbHost/[email protected]

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2155002

Title:
  Update to SSSD 2.12.0-1ubuntu5 breaks AD join due to SSSD inability
  to read keytab

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2155002/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
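The test above shows the defender-side consequence of file capabilities: a binary carrying cap_dac_read_search in its permitted set can read a root-only file such as /etc/krb5.keytab, and a capability-unaware program only does so when the effective ("e") bit is also set, whereas a capability-aware helper like sssd's ldap_child can raise it itself from the permitted set alone. The following Python script is an added example, not part of this bug report or of sssd: it parses the output of `getcap -r /` (handling both the older `/path = cap+flags` and the newer `/path cap=flags` print styles) and lists every binary holding a DAC-bypass capability, noting whether the effective bit is set. The sample lines and paths are constructed for illustration; the klist copy and ldap_child entries mirror the situation described in the comment.

```python
"""Audit `getcap -r /` output for binaries whose file capabilities bypass
DAC file permissions (as cap_dac_read_search let the local klist copy read
/etc/krb5.keytab). Added example; not sssd or Ubuntu code."""
import re

# Capabilities that let a process ignore read/write/search permission bits.
DAC_BYPASS = ("cap_dac_read_search", "cap_dac_override")

# Constructed sample output from a hypothetical host, in both getcap styles:
# older libcap prints "/path = caps+flags", newer libcap prints "/path caps=flags".
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/ping cap_net_raw=ep
/home/ubuntu/klist cap_dac_read_search=ep
/usr/libexec/sssd/ldap_child = cap_dac_read_search+p
/usr/bin/mtr-packet = cap_net_raw+ep
/opt/tools/backup cap_dac_read_search,cap_chown=p cap_dac_override=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
"""

# One cap_to_text clause: optional comma-separated names, an operator, flag letters.
CLAUSE_RE = re.compile(r"^(?P<caps>[a-z0-9_,]*)(?P<op>[=+-])(?P<flags>[eip]*)$")


def parse_cap_text(text):
    """Parse a cap_to_text string such as 'cap_net_raw=ep cap_sys_admin+p' or
    '= cap_net_raw+ep'. Returns (named, default): named maps a capability name
    to its flag set; default is the flag set of every capability not named
    (a clause with no names, e.g. '=ep' or the leading '=', means all caps)."""
    named = {}
    default = set()
    for clause in text.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        flags = set(m.group("flags"))
        op = m.group("op")
        names = [c for c in m.group("caps").split(",") if c]
        if not names:  # clause applies to all capabilities
            if op == "=":
                named.clear()
                default = set(flags)
            else:
                for n in named:
                    named[n] = (named[n] | flags) if op == "+" else (named[n] - flags)
                default = (default | flags) if op == "+" else (default - flags)
            continue
        for n in names:
            cur = named.get(n, set(default))
            if op == "=":
                cur = set(flags)
            elif op == "+":
                cur = cur | flags
            else:
                cur = cur - flags
            named[n] = cur
    return named, default


def parse_getcap_line(line):
    """Split one getcap line into (path, cap_text). Assumes the path has no spaces."""
    path, _, rest = line.strip().partition(" ")
    return path, rest.strip()


def find_dac_bypass(getcap_output):
    """Return [(path, cap, effective)] for every binary whose permitted set holds a
    DAC-bypass capability. 'effective' is True when the 'e' bit is set, i.e. when a
    capability-unaware program (like klist) would actually exercise it."""
    findings = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, cap_text = parse_getcap_line(line)
        named, default = parse_cap_text(cap_text)
        for cap in DAC_BYPASS:
            flags = named.get(cap, default)
            if "p" in flags:
                findings.append((path, cap, "e" in flags))
    return findings


if __name__ == "__main__":
    # On a real host: getcap -r / 2>/dev/null | python3 this_script.py (stdin
    # handling left out to keep the example self-contained).
    for path, cap, effective in find_dac_bypass(SAMPLE_GETCAP_OUTPUT):
        how = "effective" if effective else "permitted only (program must raise it)"
        print(f"{path}: {cap} ({how})")
```

Run as-is it reports the klist copy as effective, ldap_child as permitted-only, and both flags on the constructed backup tool; entries like ping, which hold unrelated capabilities, are not listed. A stray world-executable binary with cap_dac_read_search=ep (like the local klist copy left behind after this test) is exactly what such an audit exists to catch.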
