@@ -20,6 +20,9 @@ def setup(domain=None, user=None):
2020
2121 if not _cleanOldDomainJoins ():
2222 return False
23+
24+ if not _checkSssdKrb5ChildCaps ():
25+ return False
2326
2427 rc , domain = _findDomain (domain )
2528 if not rc :
@@ -83,6 +86,11 @@ def status():
8386 return False
8487
8588 logging .info ("Linuxmuster-linuxclient7 is setup!" )
89+
90+ logging .info ("Checking sssd krb5_child capabilities..." )
91+ if not _checkSssdKrb5ChildCaps ():
92+ return False
93+
8694 logging .info ("Testing if domain is joined..." )
8795
8896 logging .info ("Checking joined domains" )
@@ -248,7 +256,7 @@ def _preparePam():
248256 logging .info ('Updating pam configuration ... ' )
249257 subprocess .call (['pam-auth-update' , '--package' , '--enable' , 'libpam-mount' , 'pwquality' , 'sss' , '--force' ])
250258 ## mkhomedir was injected in template not using pam-auth-update
251- subprocess .call (['pam-auth-update' , '--package' , '--remove' , 'krb5' , 'mkhomedir' , '--force' ])
259+ subprocess .call (['pam-auth-update' , '--package' , '--remove' , 'krb5' , 'winbind' , ' mkhomedir' , '--force' ])
252260
253261 return True
254262
@@ -361,4 +369,45 @@ def _deleteObsoleteFiles():
361369 logging .info (f"* { obsoleteDirectory } " )
362370 fileHelper .deleteDirectory (obsoleteDirectory )
363371
364- return True
372+ return True
373+
374+ def _parseVersion (versionString ):
375+ return tuple (int (p ) for p in versionString .split ("." ))
376+
377+ def _getSssdVersion ():
378+ try :
379+ out = subprocess .check_output (["sssd" , "--version" ], text = True ).strip ()
380+ return _parseVersion (out )
381+ except Exception as e :
382+ raise RuntimeError (f"Could not read SSSD version: { e } " )
383+
384+ def _checkSssdKrb5ChildCaps ():
385+ """
386+ Checks if /usr/libexec/sssd/krb5_child has the correct capabilities set.
387+
388+ :return: True if capabilities are correctly set, False otherwise
389+ :rtype: bool
390+ """
391+
392+ if _getSssdVersion () < _parseVersion ("2.9.5" ):
393+ # Prior to this version, the capabilities were not needed
394+ logging .info ("SSSD version < 2.9.5 detected, skipping capability check" )
395+ return True
396+
397+ sssdKrb5ChildPath = "/usr/libexec/sssd/krb5_child"
398+ result = subprocess .check_output (["getcap" , sssdKrb5ChildPath ], text = True )
399+
400+ expectedCaps = ["cap_dac_read_search" , "cap_setgid" , "cap_setuid=p" ]
401+ for cap in expectedCaps :
402+ if not cap in result :
403+ logging .error (f"Missing capability: { cap } " )
404+ print ()
405+ print ("===============================================================================================" )
406+ print ("sssd krb5_child does not have the correct capabilities set. The login WILL NOT WORK!" )
407+ print ("Please reinstall sssd-krb5-common to fix this issue." )
408+ print ("On Debian-based systems you can do this by running:" )
409+ print (" sudo apt reinstall sssd-krb5-common" )
410+ print ("===============================================================================================\n " )
411+ return False
412+
413+ return True
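Review bot: `_checkSssdKrb5ChildCaps` can still raise out of `setup()` and `status()`, where every other precondition check signals failure with `return False`: `_getSssdVersion()` raises `RuntimeError` when `sssd --version` cannot be run or parsed, and `result = subprocess.check_output(["getcap", sssdKrb5ChildPath], text=True)` raises `FileNotFoundError` when `getcap` (libcap2-bin) is not installed or `CalledProcessError` when it exits non-zero, none of which is caught here. Wrapping both calls and logging the cause keeps the new check consistent with the callers' contract, as sketched below. The presence test `if not cap in result` is also a plain substring match on getcap's raw output; because the last entry is pinned as `cap_setuid=p`, a libcap that prints the flag set as `+p` rather than `=p` would, I believe, be reported as missing even though the capabilities are correct — worth confirming on the oldest distro release this package supports, or parsing the cap list after the path instead of matching the raw line. The idiomatic spelling of that test is `if cap not in result:`.

```python
def _checkSssdKrb5ChildCaps():
    # … unchanged: docstring …
    try:
        sssdVersion = _getSssdVersion()
    except RuntimeError as e:
        logging.error(f"Cannot check krb5_child capabilities: {e}")
        return False

    if sssdVersion < _parseVersion("2.9.5"):
        # … unchanged: skip message for older SSSD …
        return True

    sssdKrb5ChildPath = "/usr/libexec/sssd/krb5_child"
    try:
        result = subprocess.check_output(["getcap", sssdKrb5ChildPath], text=True)
    except (OSError, subprocess.CalledProcessError) as e:
        logging.error(f"Could not read capabilities of {sssdKrb5ChildPath}: {e}")
        return False

    # … unchanged: expectedCaps loop and user-facing reinstall hint …
```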