krb5: improve reporting failure on reading keytab

[257]

also, s/has not entries/has no entries/ when keytab_file has actually
no entries.

Signed-off-by: Paymon MARANDI paymon@encs.concordia.ca

[gemini-code-assist]

Code Review

The pull request introduces a valuable check for keytab file readability, which enhances error reporting and robustness. This is a good improvement for handling cases where the keytab file exists but cannot be accessed by the process. However, a typo was introduced in the debug message for this new check.

[alexey-tikhonov]

Perhaps tests need update:

[  FAILED  ] tests: 2 test(s), listed below:
[  FAILED  ] test_copy_keytab
[  FAILED  ] test_copy_keytab_order

But what is your use case? Typically 'krb5_child' has cap_dac_read_search to read keytab.

[257]

Perhaps tests need update:

[  FAILED  ] tests: 2 test(s), listed below:
[  FAILED  ] test_copy_keytab
[  FAILED  ] test_copy_keytab_order

will have a look

But what is your use case? Typically 'krb5_child' has cap_dac_read_search to read keytab.

cap_dac_read_search seems to require at least ownership? i can't really tell from the man page so i'm not sure why it didn't apply here.

in our case, our logs would show:
(2026-03-17 9:28:46): [ldap_child[7149]] [copy_keytab_into_memory] (0x0020): [RID#3] keytab [FILE:/etc/krb5.keytab] has not entries.

actual problem was that the build pipeline (homegrown, based on mkosi) included /etc/krb5.keytab in the image that had wrong owner/permission:
-rw------- 1 root root /etc/krb5.keytab

obviously logs didn't help in our troubleshooting hence this patch. (although it pointed to the right direction)

chown'ing that file to: -rw-rw---- 1 root sssd 213 Mar 16 17:26 /etc/krb5.keytab fixed the problem for us.

a side note, I have two questions:

• we would like to move to systemd-creds for passing the keytab file to sssd and would like to know if community has already tried or seen an "implementaiton" of that?
  -cap_dac_read_search didn't help in our case, man page says:

CAP_DAC_READ_SEARCH
              •  Bypass file read permission checks and directory read
                 and execute permission checks;
              •  invoke [open_by_handle_at(2)](https://man7.org/linux/manpages/man2/open_by_handle_at.2.html);
              •  use the [linkat(2)](https://man7.org/linux/man-pages/man2/linkat.2.html) AT_EMPTY_PATH flag to create a link to a file referred to by a file descriptor.

does that mean that the ownership already has to be set for the user?

[alexey-tikhonov]

actual problem was that the build pipeline (homegrown, based on mkosi) included /etc/krb5.keytab in the image that had wrong owner/permission: -rw------- 1 root root /etc/krb5.keytab

That's actually pretty typical ownership.

Can you check output of getcap /usr/libexec/sssd/* in your custom image?
Normally it should be:

/usr/libexec/sssd/krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
/usr/libexec/sssd/ldap_child cap_dac_read_search=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p

I suspect file capabilities are lost in your image.

obviously logs didn't help in our troubleshooting hence this patch.

Thank you.

chown'ing that file to: -rw-rw---- 1 root sssd 213 Mar 16 17:26 /etc/krb5.keytab fixed the problem for us.

This also works, in this case SSSD binaries in your image don't need 'cap_dac_read_search'.

* we would like to move to `systemd-creds` for passing the keytab file to sssd and would like to know if community has already tried or seen an "implementaiton" of that?

That's an interesting option, we didn't explore it yet.

  -`cap_dac_read_search` didn't help in our case, man page says:

...

does that mean that the ownership already has to be set for the user?

No, it's not required. cap_dac_read_search allows to fully bypass DAC controls

[257]

Can you check output of getcap /usr/libexec/sssd/* in your custom image? Normally it should be:

/usr/libexec/sssd/krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
/usr/libexec/sssd/ldap_child cap_dac_read_search=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p

comes up empty! in fact i ended up chown'in /usr/libexec/sssd/sssd_pam to get it to run and was going to submit a patch for that too!

then i saw this and this

build script (gentoo's portage) indeed passes --with-sssd-user=sssd

I suspect file capabilities are lost in your image.

they're indeed lost, great call; thanks.

i cooked up something for the distro, waiting for their feedback.

[alexey-tikhonov]

i cooked up something for the distro, waiting for their feedback.

You might want to sync with @salahcoronya on this.

[Copilot]

Pull request overview

This PR aims to improve diagnostics when a Kerberos keytab cannot be read and fixes a grammar issue in the “empty keytab” log message.

Changes:

• Added an explicit readability check for the keytab before checking for content.
• Updated log message grammar from “has not entries” to “has no entries”.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[alexey-tikhonov]

@257, try running make check locally to see what unit tests are failing.

I don't say this means patch is wrong, but probably a change of behavior that requires test update as well.

[257]

@257, try running make check locally to see what unit tests are failing.

I don't say this means patch is wrong, but probably a change of behavior that requires test update as well.

i'm trying reconfig && CC=clang CXX=clang++ chmake -j -l with this:

diff --git i/contrib/fedora/bashrc_sssd w/contrib/fedora/bashrc_sssd
index 48cba8cca..e48c2d6f7 100644
--- i/contrib/fedora/bashrc_sssd
+++ w/contrib/fedora/bashrc_sssd
@@ -7,8 +7,14 @@
 SSS_ARCH=$(uname -m)

 # Determine the lib and libdir locations
-SSS_LIB=$(rpm --eval %{_lib})
-SSS_LIBDIR=$(rpm --eval %{_libdir})
+rpm="$(which rpm)"
+if [ $? -eq 0 ]; then
+  SSS_LIB=$(rpm --eval %{_lib})
+  SSS_LIBDIR=$(rpm --eval %{_libdir})
+else
+  SSS_LIB=/usr/lib
+  SSS_LIBDIR=/usr/lib
+fi

 # Add the following line to your .bashrc if you want SSSD to throw errors on
 # compiler warnings (recommended)

but it fails:

...
Makefile:48647: warning: overriding recipe for target 'src/examples/logrotate'
Makefile:13324: warning: ignoring old recipe for target 'src/examples/logrotate'
./sbus_generate.sh /home/pmn/src/github/257/sssd/x86_64/..
  GEN      stap_generated_probes.h
Generating sbus code for: sbus/codegen/dbus.xml
Generating sbus code for: sss_iface/sss_iface.xml
Generating sbus code for: responder/ifp/ifp_iface/ifp_iface.xml
dtrace: failed to compile script ../src/systemtap/sssd_probes.d: line 78: syntax error near end of input
make: *** [Makefile:48480: stap_generated_probes.h] Error 1

it will go to the end if i also remove --enable-systemtap, but then i don't see the same tests fired as the ones on Pickit:

Makefile:13324: warning: ignoring old recipe for target 'src/examples/logrotate'
PASS: src/tests/pysss_murmur-test.py3.sh
PASS: src/tests/pysss-test.py3.sh
PASS: src/tests/pyhbac-test.py3.sh
PASS: src/tests/double_semicolon_test
PASS: src/config/SSSDConfigTest.py3.sh
PASS: src/tests/whitespace_test
============================================================================
Testsuite summary for sssd 2.13.0
============================================================================
# TOTAL: 6
# PASS:  6
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
make[4]: Leaving directory '/usr/src/github/257/sssd/x86_64'
make[3]: Leaving directory '/usr/src/github/257/sssd/x86_64'
make[2]: Leaving directory '/usr/src/github/257/sssd/x86_64'
Making check in src/tests/cwrap
make[2]: Entering directory '/usr/src/github/257/sssd/x86_64/src/tests/cwrap'
make
make[3]: Entering directory '/usr/src/github/257/sssd/x86_64/src/tests/cwrap'
make[3]: Nothing to be done for 'all'.
make[3]: Leaving directory '/usr/src/github/257/sssd/x86_64/src/tests/cwrap'
make  check-TESTS
make[3]: Entering directory '/usr/src/github/257/sssd/x86_64/src/tests/cwrap'
make[4]: Entering directory '/usr/src/github/257/sssd/x86_64/src/tests/cwrap'
============================================================================
Testsuite summary for sssd 2.13.0
============================================================================
# TOTAL: 0
# PASS:  0
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
make[4]: Leaving directory '/usr/src/github/257/sssd/x86_64/src/tests/cwrap'

test-suite.log

[257]

but it fails:

...
Makefile:48647: warning: overriding recipe for target 'src/examples/logrotate'
Makefile:13324: warning: ignoring old recipe for target 'src/examples/logrotate'
./sbus_generate.sh /home/pmn/src/github/257/sssd/x86_64/..
  GEN      stap_generated_probes.h
Generating sbus code for: sbus/codegen/dbus.xml
Generating sbus code for: sss_iface/sss_iface.xml
Generating sbus code for: responder/ifp/ifp_iface/ifp_iface.xml
dtrace: failed to compile script ../src/systemtap/sssd_probes.d: line 78: syntax error near end of input
make: *** [Makefile:48480: stap_generated_probes.h] Error 1

this fixes that^:

diff --git i/src/systemtap/sssd_probes.d w/src/systemtap/sssd_probes.d
index 91abd0105..0728495cb 100644
--- i/src/systemtap/sssd_probes.d
+++ w/src/systemtap/sssd_probes.d
@@ -74,4 +74,4 @@ provider sssd {
                       int target, int method);
     probe dp_req_done(const char *dp_req_name, int target, int method,
                       int ret, const char *errorstr);
-}
+};

dtrace version? here is mine:

:sssd/x86_64 dtrace -V
dtrace: D 2.0.5

[257]

Perhaps tests need update:

[  FAILED  ] tests: 2 test(s), listed below:
[  FAILED  ] test_copy_keytab
[  FAILED  ] test_copy_keytab_order

@alexey-tikhonov, two fedora builds are still failing, could you have look please?

[alexey-tikhonov]

two fedora builds are still failing, could you have look please?

No, all 'rpm-build:fedora-*' CI jobs look green.

[alexey-tikhonov]

ACK

[alexey-tikhonov]

Note: Covscan is green.

[sssd-bot]

The pull request was accepted by @alexey-tikhonov with the following PR CI status:

---

🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-44-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / intgcheck (fedora-45) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🟢 ci / system (fedora-44) (success)
🟢 ci / system (fedora-45) (success)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.