IPA or AD user authentication via SSSD fails with "krb5_cc_cache_match failed: [-1765328243][Can't find client principal user@EXAMPLE.COM in cache collection]"

Solution Verified

Issue

  • IPA/AD user authentication fails after the permissions on /tmp have been modified.
  • The following errors are logged in krb5_child.log:
(Mon Jan 29 21:02:03 2018) [[sssd[krb5_child[14011]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal user@EXAMPLE.COM in cache collection]
(Mon Jan 29 21:02:03 2018) [[sssd[krb5_child[14011]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_1704400064_i6gKQa") failed [13]: Permission denied!
(Mon Jan 29 21:02:03 2018) [[sssd[krb5_child[14011]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_1704400064_i6gKQa") failed [13]: Permission denied!
(Mon Jan 29 21:02:03 2018) [[sssd[krb5_child[14011]]]] [create_ccache] (0x0020): handle_randomized failed: 13
(Mon Jan 29 21:02:03 2018) [[sssd[krb5_child[14011]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]
(Mon Jan 29 21:02:03 2018) [[sssd[krb5_child[14011]]]] [k5c_send_data] (0x0200): Received error code 1432158209
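
A triage sketch for the failure logged above, added here as an example (not Red Hat's or SSSD's code): it extracts the directory from the mkstemp(...) failed [13] lines and checks whether that directory still has mode 1777, the standard mode for /tmp. The function names are hypothetical, and it assumes GNU stat and a shared credential cache directory such as /tmp.

```shell
#!/bin/sh
# Added example; function names are hypothetical and not part of sssd.

# Sample input: two lines copied from the krb5_child.log excerpt above.
SAMPLE_LOG='(Mon Jan 29 21:02:03 2018) [[sssd[krb5_child[14011]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_1704400064_i6gKQa") failed [13]: Permission denied!
(Mon Jan 29 21:02:03 2018) [[sssd[krb5_child[14011]]]] [create_ccache] (0x0020): handle_randomized failed: 13'

# Read krb5_child.log on stdin and print each directory in which mkstemp()
# of a krb5cc_* file failed with errno 13 (EACCES), de-duplicated.
denied_ccache_dirs() {
    sed -n 's|.*mkstemp("\(/.*\)/krb5cc_[^/"]*") failed \[13\].*|\1|p' | sort -u
}

# Compare a directory's mode with 1777 (world-writable plus sticky bit).
# Assumption: the directory is shared between users, as /tmp is.
# Returns 0 when the mode matches, 1 when it differs or the directory is missing.
check_ccache_dir() {
    dir=$1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || { echo "$dir: missing"; return 1; }
    if [ "$mode" = 1777 ]; then
        echo "$dir: mode $mode ok"
    else
        echo "$dir: mode $mode, expected 1777"
        return 1
    fi
}

# Check every directory named in the log on stdin; non-zero if any deviates.
# Typical use: diagnose < /var/log/sssd/krb5_child.log
diagnose() {
    denied_ccache_dirs | (
        rc=0
        while IFS= read -r dir; do
            check_ccache_dir "$dir" || rc=1
        done
        exit "$rc"
    )
}

# Demonstration on the sample lines; the result depends on the local /tmp.
printf '%s\n' "$SAMPLE_LOG" | diagnose || true
```
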

Environment

  • Red Hat Enterprise Linux
  • sssd
  • krb5
