| Summary: | RFE: authconfig should be able to configure winbind authentication over krb5 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Andreas Schneider <asn> |
| Component: | authconfig | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | David Spurek <dspurek> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | CC: | arubin, asn, dspurek, ebenes, gdeschner, ksrot, sbose |
| Target Milestone: | beta | Keywords: | FutureFeature, Rebase |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | authconfig-6.2.8-1.el7 | Doc Type: | Rebase: Bug Fixes and Enhancements |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 11:22:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1005422 | ||
| Bug Blocks: | 991169 | ||
Nope, authconfig does not change or set the krb5_ccache_type value in any way. Also it does not touch pam_winbind.conf at all. It writes winbind configuration to smb.conf.

Really? Oh, because for authconfig --enablewinbindoffline you need to set cached_login = yes in /etc/security/pam_winbind.conf. This probably needs to be fixed and we should add an option:

    authconfig --enablewinbindkrb5

which sets in smb.conf:

    kerberos method = secrets and keytab

and in pam_winbind.conf:

    krb5_auth = yes
    krb5_ccache_type = KEYRING

Should I create another bug for the cached login stuff or is one fine? Let me know if I could help or should review code.

I think another bug for cached login would be good because the current way does not work. And the --enablewinbindkrb5 is rather a feature. To avoid messing with another file, could these options (krb5_auth and krb5_ccache_type) be set in the /etc/pam.d/system_auth as pam_winbind.so parameters?

Yes, you can also pass them to the pam module.

    pam_winbind.so krb5_auth=yes krb5_ccache_type=KEYRING

I'd like to solve this by rebasing authconfig as I am doing the development upstream and there will be no changes unrelated to RHEL-7 development.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
Description of problem:

With the change of the default location of the KRB5 credential cache we have added KEYRING as a value for the option 'krb5_ccache_type' in the pam_winbind.conf file.

    krb5_ccache_type = KEYRING

As authconfig is setting or changing this variable we need to update it to reflect the change in the system default.
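An added example, not part of the bug report or of authconfig: a shell check that the three settings discussed in the comments above are actually in place, reading `kerberos method` from smb.conf and `krb5_auth` / `krb5_ccache_type` from pam_winbind.conf or from the `pam_winbind.so` module arguments. The function names and the fallback order are assumptions of this example; the file paths are passed in as arguments.

```shell
# Added example: audit the winbind-over-krb5 settings named in this bug; paths are arguments.

# conf_get FILE KEY: print the last [global] value of KEY. Names are compared
# lower-cased with whitespace removed (a choice made for this example).
conf_get() {
    awk -v want="$2" '
        function key(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = key($0); next }
        sec == "[global]" && (p = index($0, "=")) {
            if (key(substr($0, 1, p - 1)) == key(want)) {
                val = substr($0, p + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                hit = 1
            }
        }
        END { if (hit) print val }
    ' "$1"
}

# pam_arg FILE NAME: print NAME's value from an uncommented pam_winbind.so
# line ("yes" when NAME appears as a bare flag).
pam_arg() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        /pam_winbind\.so/ {
            for (i = 1; i <= NF; i++) {
                if ($i == want) { print "yes"; exit }
                if (index($i, want "=") == 1) { print substr($i, length(want) + 2); exit }
            }
        }
    ' "$1"
}

# check_winbind_krb5 SMB_CONF PAM_WINBIND_CONF PAM_STACK_FILE
# Prints one line per missing setting; returns non-zero if any is missing.
# pam_winbind.conf is read first, module arguments only as a fallback.
check_winbind_krb5() {
    rc=0
    [ "$(conf_get "$1" "kerberos method")" = "secrets and keytab" ] ||
        { echo "smb.conf: kerberos method is not 'secrets and keytab'"; rc=1; }
    for k in krb5_auth:yes krb5_ccache_type:KEYRING; do
        name=${k%%:*} want=${k#*:}
        got=$(conf_get "$2" "$name")
        [ -n "$got" ] || got=$(pam_arg "$3" "$name")
        [ "$got" = "$want" ] || { echo "pam_winbind: $name is '$got', want '$want'"; rc=1; }
    done
    return $rc
}
```

Run `check_winbind_krb5` with the host's smb.conf, pam_winbind.conf and PAM stack file as its three arguments; a zero exit status means all three settings were found.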