From 6806a218a9744f91dc610ca51776a6447f26709f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20unbrot=20P=C3=A4tzold?= Date: Thu, 7 May 2026 09:49:51 +0200 Subject: [PATCH] sync_client_software: patch sssd.conf to add krb5_validate = False SSSD >= 2.10.1 no longer raises CAP_DAC_READ_SEARCH to effective in offline mode, so validate_tgt fails with EACCES reading /etc/krb5.keytab before the cached-credential fallback is reached. Adding krb5_validate = False disables the keytab validation step and restores reliable offline authentication for FreeIPA domain users. Co-Authored-By: Claude Sonnet 4.6
--- system_setup/sync_client_software.sh | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/system_setup/sync_client_software.sh b/system_setup/sync_client_software.sh
index 7a44ed1..098c2df 100755
--- a/system_setup/sync_client_software.sh
+++ b/system_setup/sync_client_software.sh
@@ -10,6 +10,16 @@ if [ "$EUID" -ne 0 ]; then
 echo "Press any key to continue" && read -n 1 -s -r && exit 1
 fi
+# Ensure krb5_validate = False in sssd.conf to restore offline auth
+# (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt
+# fails with EACCES before the cached-credential fallback is reached)
+_SSSD_CONF="/etc/sssd/sssd.conf"
+if [ -f "${_SSSD_CONF}" ] && ! grep -q "^krb5_validate" "${_SSSD_CONF}"; then echo "Patching sssd.conf: adding 'krb5_validate = False' to restore offline authentication" sed -i "/^\[domain\/${DOMAIN}\]/a krb5_validate = False" "${_SSSD_CONF}" systemctl restart sssd fi
+#Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
 echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script."
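Review bot: `${DOMAIN}` is interpolated unvalidated into the `sed -i` address, and the new block sits above the `#Check Token` guard that rejects standalone runs, so when `DOMAIN` is unset or empty the address becomes `^\[domain\/\]`, which matches only a literal `[domain/]` header; the script then prints "Patching sssd.conf …" and restarts sssd on every invocation without inserting anything, and because `DOMAIN` presumably arrives from the caller's environment, a value containing `/`, `&` or `\` would change the sed script this root-run block executes. Validate `DOMAIN` against a conservative character class before building the expression and restart sssd only after confirming the key was actually appended. The `grep -q "^krb5_validate"` pre-check also misses an indented `krb5_validate` key, so `^[[:space:]]*krb5_validate[[:space:]]*=` is the safer test. The comment should also record the trade-off, since the setting is applied to whatever SSSD version the host runs, not just the affected >= 2.10.1 releases: `# NOTE: krb5_validate = False disables TGT validation against the host keytab (protection against a spoofed KDC); revisit once the SSSD capability handling is fixed`.

```shell
_SSSD_CONF="/etc/sssd/sssd.conf"
if [ -f "${_SSSD_CONF}" ] && ! grep -qE "^[[:space:]]*krb5_validate[[:space:]]*=" "${_SSSD_CONF}"; then
    case "${DOMAIN}" in
        ""|*[!A-Za-z0-9._-]*)
            echo "Error: DOMAIN is unset or contains unexpected characters; not patching ${_SSSD_CONF}" >&2
            ;;
        *)
            echo "Patching sssd.conf: adding 'krb5_validate = False' to restore offline authentication"
            sed -i "/^\[domain\/${DOMAIN}\]/a krb5_validate = False" "${_SSSD_CONF}"
            if grep -q "^krb5_validate = False" "${_SSSD_CONF}"; then
                systemctl restart sssd
            else
                echo "Error: [domain/${DOMAIN}] section not found in ${_SSSD_CONF}; sssd.conf left unchanged" >&2
            fi
            ;;
    esac
fi
# … unchanged: #Check Token block …
```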