
KB-6295: automount (adnismap) fails with error - GSSAPI Mechanism with Kerberos error ": Credentials cache permissions incorrect" on SELinux

Centrify DirectControl

27 June 2016 at 12:03 PM

Applies to: Centrify DirectControl 5.3.0 

Problem:

Centrify automount maps generated via adauto.pl stop working, and the automount debug log contains the following error entries:


Jan 29 12:05:39 host automount[7217]: >> error during execution: SASL bind to ldap/dc-01@DOMAIN.COM - GSSAPI Mechanism with Kerberos error ": Credentials cache permissions incorrect"
Jan 29 12:05:39 host automount[7217]: >> SASL bind to ldap/dc-01@DOMAIN.COM - GSSAPI Mechanism with Kerberos error ": Credentials cache permissions incorrect"


Cause:

The failure occurs when krb5.ccache has to be updated while it carries the wrong SELinux label.

adauto.pl invokes adedit, which normally only needs to read the machine credential cache, krb5.ccache. However, when a zone in the zone path belongs to a different domain and no TGT for that domain is present in krb5.ccache, adedit must authenticate to that domain and writes the resulting ticket back into krb5.ccache. (This behaviour was introduced in Suite 2016, i.e. version 5.3.0.)

By default adclient creates the Kerberos credential cache at /etc/krb5.ccache when the machine joins the domain (adjoin). On SELinux systems adclient labels this file with the type etc_runtime_t, which is the type the policy expects for access to the cache.


However, whenever the default file contexts are reapplied (by restorecon, or by a relabel triggered in some other way) the file receives the type etc_t instead. This happens because the default SELinux policy contains no explicit entry for /etc/krb5.ccache, so the catch-all entry for /etc/.* applies, and that entry maps to etc_t. With the etc_t label the update of the cache is denied, which adedit reports as "Credentials cache permissions incorrect".

Workaround:

Add an explicit file-context rule that assigns etc_runtime_t to /etc/krb5.ccache, so that a relabel no longer falls back to the /etc/.* rule.

For example, insert the following line (with root privilege) into
/etc/selinux/targeted/contexts/files/file_contexts (the fields are separated by whitespace):

/etc/krb5\.ccache    system_u:object_r:etc_runtime_t:s0

Then run the following command to apply the label immediately:

restorecon -v /etc/krb5.ccache

Afterwards, ls -Z /etc/krb5.ccache should show the type etc_runtime_t. Note that file_contexts is regenerated whenever the policy is rebuilt (for example on a selinux-policy package update), so a line inserted there by hand can be lost; adding the same rule with semanage fcontext instead records it in file_contexts.local, which is consulted after file_contexts and survives policy rebuilds.
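The following script is an added example; it is not part of the KB article and not Centrify's own tooling, and it assumes only a POSIX shell, grep and mktemp. It builds two small constructed excerpts of a file_contexts file (a stock one containing just the /etc/.* catch-all, and one with the workaround entry appended) and resolves /etc/krb5.ccache against each using the rule setfiles and restorecon apply, namely that the last matching entry wins, to show the label going from etc_t to etc_runtime_t. The function names (resolve_context, resolve_type, apply_workaround) are the example's own; apply_workaround collects the real commands to run as root on the affected host and is not executed here.

```shell
#!/bin/sh
# Added example (not from the KB or from Centrify): shows why a relabel turns
# /etc/krb5.ccache into etc_t and how the workaround entry changes that.
set -e

# Constructed excerpt of the stock targeted policy's file_contexts; the real
# file is much larger, but for /etc/krb5.ccache only the /etc/.* entry matters.
STOCK_CONTEXTS=$(mktemp)
cat >"$STOCK_CONTEXTS" <<'EOF'
# constructed excerpt of /etc/selinux/targeted/contexts/files/file_contexts
/.*                     system_u:object_r:default_t:s0
/etc/.*                 system_u:object_r:etc_t:s0
/etc/passwd\.lock   --  system_u:object_r:passwd_file_t:s0
EOF

# Same excerpt with the workaround entry appended. This is also what
# "semanage fcontext -a" records in file_contexts.local, which setfiles reads
# after file_contexts, so a local entry always wins over the /etc/.* catch-all.
FIXED_CONTEXTS=$(mktemp)
cp "$STOCK_CONTEXTS" "$FIXED_CONTEXTS"
printf '%s\n' '/etc/krb5\.ccache       system_u:object_r:etc_runtime_t:s0' >>"$FIXED_CONTEXTS"
trap 'rm -f "$STOCK_CONTEXTS" "$FIXED_CONTEXTS"' EXIT

# resolve_context FILE_CONTEXTS PATH
# Prints the context of the LAST entry whose anchored regex matches PATH, which
# is how setfiles/restorecon pick a label; prints <<none>> if nothing matches.
# Simplified: the optional file-type field ("--", "-d", ...) is ignored.
resolve_context() {
    ctxfile=$1; path=$2; found='<<none>>'
    while read -r regex rest; do
        case $regex in ''|'#'*) continue ;; esac
        ctx=${rest##* }                      # last field is the context
        if printf '%s\n' "$path" | grep -Eq "^(${regex})\$"; then
            found=$ctx
        fi
    done <"$ctxfile"
    printf '%s\n' "$found"
}

# resolve_type FILE_CONTEXTS PATH: just the type field of user:role:type:level.
resolve_type() {
    resolve_context "$1" "$2" | cut -d: -f3
}

# apply_workaround: the real commands for the affected host (run as root with
# policycoreutils installed). Not executed here; shown for reference only.
apply_workaround() {
    # persistent equivalent of the KB's file_contexts line (goes to file_contexts.local)
    semanage fcontext -a -t etc_runtime_t '/etc/krb5\.ccache'
    # what the policy now says the label should be, then apply it
    matchpathcon /etc/krb5.ccache
    restorecon -v /etc/krb5.ccache
    ls -Z /etc/krb5.ccache       # verify: the type should read etc_runtime_t
}

printf 'stock policy: %s\n' "$(resolve_type "$STOCK_CONTEXTS" /etc/krb5.ccache)"   # etc_t
printf 'with fix    : %s\n' "$(resolve_type "$FIXED_CONTEXTS" /etc/krb5.ccache)"   # etc_runtime_t
```

The constructed excerpt keeps a more specific entry (/etc/passwd\.lock) after the /etc/.* catch-all to show that ordering, not specificity, decides the result: an entry for /etc/krb5.ccache placed before /etc/.* would be overridden by it, which is why the workaround line must come after the catch-all (appending, or using file_contexts.local, guarantees that).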


Resolution:

This is fixed in Centrify Suite 2016.1 release.
