unbrot/fedora-OEMDRV
1
0
Fork 0
forked from obel1x/fedora-OEMDRV
Code Pull Requests Activity

sync_client_software: patch sssd.conf to add krb5_validate = False

Browse Source 
SSSD >= 2.10.1 no longer raises CAP_DAC_READ_SEARCH to effective in
offline mode, so validate_tgt fails with EACCES reading /etc/krb5.keytab
before the cached-credential fallback is reached. Adding krb5_validate =
False disables the keytab validation step and restores reliable offline
authentication for FreeIPA domain users.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Daniel unbrot Pätzold
2026-05-07 09:49:51 +02:00
parent 26677c6c2c
commit 6806a218a9
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
system_setup/sync_client_software.sh
+10
View File
@@ -10,6 +10,16 @@ if [ "$EUID" -ne 0 ]; then
echo "Press any key to continue" && read -n 1 -s -r && exit 1 echo "Press any key to continue" && read -n 1 -s -r && exit 1
fi fi
# Ensure krb5_validate = False in sssd.conf to restore offline auth
# (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt
# fails with EACCES before the cached-credential fallback is reached)
_SSSD_CONF="/etc/sssd/sssd.conf"
if [ -f "${_SSSD_CONF}" ] && ! grep -q "^krb5_validate" "${_SSSD_CONF}"; then
echo "Patching sssd.conf: adding 'krb5_validate = False' to restore offline authentication"
sed -i "/^\[domain\/${DOMAIN}\]/a krb5_validate = False" "${_SSSD_CONF}"
systemctl restart sssd
fi
#Check Token #Check Token
if [ "${DAVTOKEN_USER}." == "." ]; then if [ "${DAVTOKEN_USER}." == "." ]; then
echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script." echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script."