2026-05-07 12:46:16 +02:00
1 changed files with 10 additions and 0 deletions
@@ -10,6 +10,16 @@ if [ "$EUID" -ne 0 ]; then
    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi

+# Ensure krb5_validate = False in sssd.conf to restore offline auth
+# (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt
+#  fails with EACCES before the cached-credential fallback is reached)
+_SSSD_CONF="/etc/sssd/sssd.conf"
+if [ -f "${_SSSD_CONF}" ] && ! grep -q "^krb5_validate" "${_SSSD_CONF}"; then
+    echo "Patching sssd.conf: adding 'krb5_validate = False' to restore offline authentication"
+    sed -i "/^\[domain\/${DOMAIN}\]/a krb5_validate = False" "${_SSSD_CONF}"
+    systemctl restart sssd
+fi
+
 #Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
    echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script."