sssd cache directory changes ownership to root after reboot.

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 8
  • sssd-common
  • Identity Management (IdM)

Issue

  • After a reboot, the system automatically changes the ownership of the directory /var/lib/sss/db from sssd:sssd to root:root
  • As a result, sssd cannot read the contents of that filesystem and the authentication methods it provides don't work. Example: users whose SSH public keys are stored in IdM are prompted for a password instead of being authenticated by key once the ownership has changed

Resolution

  • The cache should be mounted via /etc/fstab with the uid and gid mount options set to sssd
    Example:

    tmpfs /var/lib/sss/db/ tmpfs nodev,nosuid,noexec,size=500M,mode=0700,uid=sssd,gid=sssd,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0
    

Root Cause

  • System doesn't have the appropriate options for mounting the sssd cache filesystem in /etc/fstab
    Example:

    tmpfs /var/lib/sss/db tmpfs nodev,nosuid,noexec,size=500M,mode=0700,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0
    
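The difference between the Root Cause entry and the Resolution entry is only the uid=sssd,gid=sssd pair, which is easy to miss by eye. The following POSIX shell check is an added example, not part of the Red Hat article: it reads an fstab file, extracts the options of the /var/lib/sss/db tmpfs line, and reports whether both options are present. The two fstab files it builds are constructed samples (the two lines quoted above) so it runs without touching the real /etc/fstab; pass the real path to check the live system.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): verify that the tmpfs entry for
# /var/lib/sss/db in an fstab file carries uid=sssd and gid=sssd.
# Usage: check_sssd_fstab /etc/fstab   -> prints a verdict; exit 0 OK, 1 missing option, 2 no entry

# Print the mount-options column (4th field) of the line mounting
# /var/lib/sss/db, with or without trailing slash. Comment lines are skipped.
sssd_db_options() {
    awk '$1 !~ /^#/ && ($2 == "/var/lib/sss/db" || $2 == "/var/lib/sss/db/") { print $4; exit }' "$1"
}

# Return 0 when the entry exists with both uid=sssd and gid=sssd,
# 1 when the entry exists but lacks one of them, 2 when there is no entry at all.
check_sssd_fstab() {
    opts=$(sssd_db_options "$1")
    if [ -z "$opts" ]; then
        echo "no fstab entry for /var/lib/sss/db"
        return 2
    fi
    missing=""
    case ",$opts," in *,uid=sssd,*) ;; *) missing="$missing uid=sssd" ;; esac
    case ",$opts," in *,gid=sssd,*) ;; *) missing="$missing gid=sssd" ;; esac
    if [ -n "$missing" ]; then
        echo "entry lacks:$missing (ownership reverts to root:root after reboot)"
        return 1
    fi
    echo "ok: $opts"
    return 0
}

# Constructed sample fstab files so the check can be demonstrated offline.
BAD_FSTAB=$(mktemp)
GOOD_FSTAB=$(mktemp)
cat > "$BAD_FSTAB" <<'EOF'
# constructed sample: the Root Cause form, no uid/gid options
tmpfs /var/lib/sss/db tmpfs nodev,nosuid,noexec,size=500M,mode=0700,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0
EOF
cat > "$GOOD_FSTAB" <<'EOF'
# constructed sample: the Resolution form
tmpfs /var/lib/sss/db/ tmpfs nodev,nosuid,noexec,size=500M,mode=0700,uid=sssd,gid=sssd,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0
EOF

# Demonstration run over both samples (a failing check must not abort the script here).
for f in "$BAD_FSTAB" "$GOOD_FSTAB"; do
    check_sssd_fstab "$f" || :
done
```

After correcting the entry and rebooting, confirm the result on the live system with `ls -ld /var/lib/sss/db` (owner and group should read sssd sssd) and with `rpm -V sssd-common`, which should no longer list U or G for that directory.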

Diagnostic Steps

  • The SSH keys don't work for login to the IdM system
  • Check which attributes of the sssd-common package files have changed since installation (the U and G flags mark a changed user and group ownership):

    [root@server ~]# rpm -V sssd-common
    .....UG..    /var/lib/sss/db
    
  • Restore the uid and gid from the original rpm installation by executing rpm --setugids sssd-common

  • After a reboot, the ownership changes to root:root again

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
