krb5_child: Warn if user cannot read krb5.conf

Attached patch should siplify troubleshoting of
issues with permission of krb5.conf. It's not clear from
krb5_child.log even with full debug level.

[sss_get_ccache_name_for_principal] (0x4000):
    Location: [FILE:/tmp/krb5cc_12069_XXXXXX]
[sss_get_ccache_name_for_principal] (0x2000):
    krb5_cc_cache_match failed: [-1765328243]
    [Can't find client principal user@EXAMPLE.COM in cache collection]
[create_ccache] (0x0020): 735: [13][Permission denied]

Resolves:
https://fedorahosted.org/sssd/ticket/2931

Reviewed-by: Michal Židek <mzidek@redhat.com>

1 files changed, 24 insertions, 0 deletions

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 12eb9e209..fff6a0a0c 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2576,6 +2576,29 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
     return 0;
 }
 
+static void try_open_krb5_conf(void)
+{
+    int fd;
+    int ret;
+
+    fd = open("/etc/krb5.conf", O_RDONLY);
+    if (fd != -1) {
+        close(fd);
+    } else {
+        ret = errno;
+        if (ret == EACCES || ret == EPERM) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "User with uid:%"SPRIuid" gid:%"SPRIgid" cannot read "
+                  "/etc/krb5.conf. It might cause problems\n",
+                  geteuid(), getegid());
+        } else {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Cannot open /etc/krb5.conf [%d]: %s\n",
+                  ret, strerror(ret));
+        }
+    }
+}
+
 int main(int argc, const char *argv[])
 {
     struct krb5_req *kr = NULL;
@@ -2677,6 +2700,7 @@ int main(int argc, const char *argv[])
 
     DEBUG(SSSDBG_TRACE_INTERNAL,
           "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+    try_open_krb5_conf();
 
     ret = k5c_setup(kr, offline);
     if (ret != EOK) {