Bug 1135043

Summary: [RFE] Implement localauth plugin for MIT krb5 1.12
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.0
CC: dpal, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, nsoman, pbrezina, preichl, rmainz, sgoveas
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.12.2-24.el7
Doc Type: Enhancement
Doc Text:
Feature: SSSD now provides a Kerberos localauth plugin that maps Kerberos principals to local SSSD user names.
Reason: There is normally no standardized way to map a Kerberos principal to a UNIX user name. Several methods exist, such as a .k5login file or an auth_to_local regular expression in krb5.conf, but all of them are difficult to use.
Result: With this new localauth plugin, Active Directory users in a setup with AD trusts can log in to an IPA client in a passwordless manner without having to configure an auth_to_local rule or a .k5login file.
Story Points: ---
Clone Of:
: 1168357
Environment:
Last Closed: 2015-03-05 10:33:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1168357

Description Jakub Hrozek 2014-08-28 17:39:31 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1835

Since localauth plugin API is committed to MIT krb5 upstream, we need to implement the plugin to allow SSSD to expose trusted domains and UPN suffixes associated with our domain instead of configuring them manually.

https://github.com/krb5/krb5/commit/4216fb5b0e0abb80a3ccd8251abddc18435d81f3

Comment 1 Jakub Hrozek 2014-08-29 07:54:55 UTC
To reproduce:

1. set up AD-IPA trusts. I used http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup for testing
2. verify a user can log in with GSSAPI (aka passwordless)
3. edit krb5.conf, remove the long regex in auth_to_local parameter
4. add this section instead:

[plugins]
localauth = {
 module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 enable_only = sssd
}

Please verify the plugin is indeed at that path; we had some discussions upstream about the proper placement.

5. verify a user can still log in with GSSAPI without being prompted for a password even though the auth_to_local parameter is commented out.
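
One way to check the outcome of steps 3 and 4 mechanically, as an added example that is not part of this bug or of SSSD's own code: a small parser for the krb5.conf profile syntax (the sample config in the block is constructed from the layout shown in this bug, with an includedir file like the one SSSD writes) that confirms the localauth section names the SSSD module with enable_only = sssd and that no realm still carries a hand-written auth_to_local rule.

```python
import re
# Constructed sample shaped like the bug's setup: krb5.conf with the auth_to_local
# rule removed, plus the include file SSSD writes for the plugin (Comment 11 layout).
MAIN_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[realms]
 IPABUGS.TEST = {
  kdc = sideswipe.ipabugs.test:88
 }
"""
LOCALAUTH_INCLUDE = """\
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
"""

def parse_profile(*texts):
    """Parse krb5 profile syntax into nested dicts; extra texts merge in like includedir."""
    root, stack = {}, []
    for raw in "\n".join(texts).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("includedir"):
            continue  # comments; included files are passed in explicitly by the caller
        m = re.match(r"^\[(.+)\]$", line)
        if m:                       # [section] header
            stack = [root.setdefault(m.group(1), {})]
        elif line == "}":           # end of a nested block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":        # 'name = {' opens a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def localauth_status(*texts):
    """Return (localauth module string, enable_only, realms still carrying auth_to_local)."""
    profile = parse_profile(*texts)
    la = profile.get("plugins", {}).get("localauth", {})
    stale = sorted(r for r, v in profile.get("realms", {}).items()
                   if isinstance(v, dict) and "auth_to_local" in v)
    return la.get("module"), la.get("enable_only"), stale

def plugin_delegated(*texts):
    """True when SSSD's plugin is the only enabled localauth module and step 3 was done."""
    module, only, stale = localauth_status(*texts)
    return (module or "").startswith("sssd:") and only == "sssd" and not stale
```

Run it against the real files by reading /etc/krb5.conf and every file in the includedir and passing their contents in that order.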

Comment 2 Jakub Hrozek 2014-09-02 08:41:17 UTC
master:
    8a5e793a0576250da80371e53aa3e7eba15cdb63
    6b5044001e4b0a0caf971a2cf5f27674e0d270f4

Comment 3 Martin Kosek 2014-09-02 14:15:22 UTC
IPA part of this RFE:
https://fedorahosted.org/freeipa/ticket/4514

Comment 5 Jakub Hrozek 2014-09-29 09:25:16 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2449

Comment 6 Jakub Hrozek 2014-09-29 09:26:39 UTC
There is another requirement to include the directory krb5 will create as part of fix for #1146945. I'm moving the bugzilla back to assigned.

Comment 7 Martin Kosek 2014-10-23 12:51:09 UTC
Proposed mechanism for automatic registration of the plugin on IdM clients:

https://fedorahosted.org/sssd/ticket/2473

Comment 8 Jakub Hrozek 2014-11-05 13:08:33 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2473

Comment 9 Jakub Hrozek 2014-11-25 12:41:55 UTC
The option was added to master:
4fa184e2c60b377fd71e0115a618bd68dc73627d

Comment 11 Steeve Goveas 2015-01-20 15:58:13 UTC
[root@sideswipe ~]# cat /etc/krb5.conf 
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPABUGS.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPABUGS.TEST = {
  kdc = sideswipe.ipabugs.test:88
  master_kdc = sideswipe.ipabugs.test:88
  admin_server = sideswipe.ipabugs.test:749
  default_domain = ipabugs.test
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .ipabugs.test = IPABUGS.TEST
 ipabugs.test = IPABUGS.TEST

[dbmodules]
  IPABUGS.TEST = {
    db_library = ipadb.so
  }

[root@sideswipe ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin 
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

[root@sideswipe ~]# ls -l /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
-rwxr-xr-x. 1 root root 28704 Jan 14 19:36 /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

[root@sideswipe ~]# kdestroy -A

[root@sideswipe ~]# echo Secret123 | kinit aduser1
Password for aduser1: 

[root@sideswipe ~]# ssh -l aduser1 `hostname` echo "login successful"
login successful
Could not chdir to home directory /home/adtest.qe/aduser1: No such file or directory

Verified in version
[root@sideswipe ~]# rpm -q sssd ipa-server
sssd-1.12.2-42.el7.x86_64
ipa-server-4.1.0-15.el7.x86_64

Comment 13 errata-xmlrpc 2015-03-05 10:33:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html