Applies to: Centrify DirectControl 5.3.0
Centrify automount maps served via adauto.pl stop working, and the following error entries appear in the debug log:
Jan 29 12:05:39 host automount: >> error during execution: SASL bind to ldap/dc-01@DOMAIN.COM - GSSAPI Mechanism with Kerberos error ": Credentials cache permissions incorrect"
Jan 29 12:05:39 host automount: >> SASL bind to ldap/dc-01@DOMAIN.COM - GSSAPI Mechanism with Kerberos error ": Credentials cache permissions incorrect"
The problem was found to occur when krb5.ccache is updated while the file lacks the correct permission (its SELinux security context).
adedit, as invoked by adauto.pl, normally only needs to read and use what is already in krb5.ccache (the machine credential store). If a zone in the zone path belongs to a different domain and no TGT for it is present in krb5.ccache, adedit has to authenticate and, as a result, update krb5.ccache. (This behaviour was introduced in Suite 2016, a.k.a. version 5.3.0.)
By default adclient creates the Kerberos credential cache at /etc/krb5.ccache upon adjoin. On SELinux systems, Centrify labels this cache file with the security type etc_runtime_t; this type is required to access the cache.
However, when the system restores the default file contexts via restorecon or other means, the type etc_t is applied to this file instead. This happens because the default SELinux policy has no explicit rule for /etc/krb5.ccache, so the generic rule for /etc/.* applies, and that rule assigns etc_t.
Manually insert a rule specifying etc_runtime_t for /etc/krb5.ccache into the system default settings.
Example as follows:
Insert the following line (with root privilege) into /etc/selinux/targeted/contexts/files/file_contexts:
/etc/krb5\.ccache -- system_u:object_r:etc_runtime_t:s0
Run the following command to apply the new context immediately:
restorecon -v /etc/krb5.ccache
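The shell script below is an added example; it is not from the Centrify article and not Centrify's own tooling. It checks for the explicit file_contexts rule described above (offline, against constructed sample lines), reads the current label of the cache on a live host with ls -Z, and can persist the rule with semanage fcontext before running restorecon. The function names, the sample lines and the --check/--apply flags are the example's own. semanage fcontext is standard SELinux tooling, shown here as an alternative to editing file_contexts by hand, because a local rule added with semanage survives SELinux policy package updates, which a hand edit of the generated file_contexts does not.

```shell
#!/bin/sh
# Added example, not part of the Centrify article: check whether
# /etc/krb5.ccache carries the etc_runtime_t type and, if not, make that
# label persistent and re-apply it. The offline checks are kept separate
# from the functions that touch a live SELinux host.

CCACHE=/etc/krb5.ccache
WANT_TYPE=etc_runtime_t

# Extract the SELinux type (third colon-separated field) from a full
# context string such as system_u:object_r:etc_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the given context's type differs from what adclient expects.
needs_relabel() {
    [ "$(context_type "$1")" != "$WANT_TYPE" ]
}

# Read file_contexts text on stdin; return 0 if an explicit rule for
# /etc/krb5\.ccache with the wanted type is present. The optional "--"
# field is the regular-file flag used in file_contexts entries.
has_ccache_rule() {
    grep -E '^/etc/krb5\\\.ccache[[:space:]]+(--[[:space:]]+)?system_u:object_r:'"$WANT_TYPE"':s0' >/dev/null
}

# Constructed samples: the default policy carries only the generic /etc/.*
# rule (so krb5.ccache would get etc_t); the fixed one adds the explicit rule.
SAMPLE_DEFAULT='/etc/.* system_u:object_r:etc_t:s0
/etc/krb5\.keytab -- system_u:object_r:krb5_keytab_t:s0'
SAMPLE_FIXED='/etc/.* system_u:object_r:etc_t:s0
/etc/krb5\.keytab -- system_u:object_r:krb5_keytab_t:s0
/etc/krb5\.ccache -- system_u:object_r:etc_runtime_t:s0'

# Offline check on the samples: returns 0 when the default set lacks the
# rule and the fixed set contains it.
check_samples() {
    if printf '%s\n' "$SAMPLE_DEFAULT" | has_ccache_rule; then return 1; fi
    printf '%s\n' "$SAMPLE_FIXED" | has_ccache_rule
}

# Current type of the cache on a live host. ls -Z prints the context as the
# field just before the file name on both old and new coreutils.
current_type() {
    context_type "$(ls -Zd "$CCACHE" | awk '{print $(NF-1)}')"
}

# Persist the rule in the local policy with semanage and relabel the file.
# Run as root on the affected host.
apply_fix() {
    semanage fcontext -a -t "$WANT_TYPE" '/etc/krb5\.ccache' \
        && restorecon -v "$CCACHE"
}

if [ "${1:-}" = "--apply" ]; then
    apply_fix
elif [ "${1:-}" = "--check" ]; then
    t="$(current_type)"
    if needs_relabel "system_u:object_r:$t:s0"; then
        echo "$CCACHE is labelled $t, expected $WANT_TYPE"
    else
        echo "$CCACHE already labelled $WANT_TYPE"
    fi
else
    check_samples && echo "offline sample check passed"
fi
```

Run it with no arguments to exercise the offline check, with --check on an SELinux host to see the cache's current type, and with --apply as root to add the rule and relabel the file.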
This is fixed in the Centrify Suite 2016.1 release.