Bug 1135043
| Field | Value |
|---|---|
| Summary | [RFE] Implement localauth plugin for MIT krb5 1.12 |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Jakub Hrozek <jhrozek> |
| Component | sssd |
| Assignee | SSSD Maintainers <sssd-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Kaushik Banerjee <kbanerje> |
| Severity | unspecified |
| Docs Contact | |
| Priority | medium |
| Version | 7.0 |
| CC | dpal, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, nsoman, pbrezina, preichl, rmainz, sgoveas |
| Target Milestone | rc |
| Keywords | FutureFeature |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | sssd-1.12.2-24.el7 |
| Doc Type | Enhancement |
| Story Points | --- |
| Clone Of | |
| | 1168357 (view as bug list) |
| Environment | |
| Last Closed | 2015-03-05 10:33:26 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1168357 |

Doc Text:

Feature: The SSSD now provides a Kerberos plugin that helps to map Kerberos principals to local SSSD user names.

Reason: Normally, there is no standardized way to map a Kerberos principal to a UNIX username. There are several methods, like using a .k5login file or auth_to_local regular expression in the krb5.conf file, but all are difficult to use.

Result: With the help of this new localauth plugin, Active Directory users in a setup with AD trusts will be able to log in a passwordless manner to an IPA client without having to configure the auth_to_local rule or the .k5login file.
Description
Jakub Hrozek
2014-08-28 17:39:31 UTC
To reproduce:

1. Set up AD-IPA trusts. I used http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup for testing.
2. Verify a user can log in with GSSAPI (aka passwordless).
3. Edit krb5.conf, remove the long regex in auth_to_local parameter.
4. Add this section instead:

```
[plugins]
localauth = {
    module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
    enable_only = sssd
}
```

Please verify the plugin is indeed at that path, we had some discussions upstream about the proper placement.

5. Verify a user can still log in with GSSAPI without being prompted for password even though the auth_to_local parameter is commented out.

master:
8a5e793a0576250da80371e53aa3e7eba15cdb63
6b5044001e4b0a0caf971a2cf5f27674e0d270f4

IPA part of this RFE: https://fedorahosted.org/freeipa/ticket/4514

Upstream ticket: https://fedorahosted.org/sssd/ticket/2449

There is another requirement to include the directory krb5 will create as part of fix for #1146945. I'm moving the bugzilla back to assigned.

Proposed mechanism for automatic registration of the plugin on IdM clients: https://fedorahosted.org/sssd/ticket/2473

Upstream ticket: https://fedorahosted.org/sssd/ticket/2473

The option was added to master: 4fa184e2c60b377fd71e0115a618bd68dc73627d

```
[root@sideswipe ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPABUGS.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPABUGS.TEST = {
  kdc = sideswipe.ipabugs.test:88
  master_kdc = sideswipe.ipabugs.test:88
  admin_server = sideswipe.ipabugs.test:749
  default_domain = ipabugs.test
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .ipabugs.test = IPABUGS.TEST
 ipabugs.test = IPABUGS.TEST

[dbmodules]
 IPABUGS.TEST = {
  db_library = ipadb.so
 }

[root@sideswipe ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

[root@sideswipe ~]# ls -l /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
-rwxr-xr-x. 1 root root 28704 Jan 14 19:36 /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
[root@sideswipe ~]# kdestroy -A
[root@sideswipe ~]# echo Secret123 | kinit aduser1
Password for aduser1:
[root@sideswipe ~]# ssh -l aduser1 `hostname` echo "login successful"
login successful
Could not chdir to home directory /home/adtest.qe/aduser1: No such file or directory
```

Verified in version

```
[root@sideswipe ~]# rpm -q sssd ipa-server
sssd-1.12.2-42.el7.x86_64
ipa-server-4.1.0-15.el7.x86_64
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html
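The placement question raised in the report (is the .so really at the path krb5 will load?) can be checked mechanically. The following is an added example, not SSSD's or the reporter's code: it expands the `includedir` directive the way krb5 does (only file names made of alphanumerics, dashes and underscores are read), pulls the module path out of the `[plugins]` `localauth` block, and flags a plugin file that is missing or writable by group/other, since whatever sits at that path is loaded by any program (sshd here) that asks libkrb5 to map a principal to a local user. `make_fixture()` builds a constructed copy of the report's layout under a temporary directory; the `sssd:` prefix, the plugin file name and the 0755 mode are taken from the report, everything else is a placeholder.

```python
import os, re, stat, tempfile
INCLUDE_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # krb5 includedir reads only files named like this

def config_lines(path):
    """Yield stripped lines of a krb5.conf, expanding 'includedir' (a missing directory raises; krb5 fails too)."""
    with open(path) as fh:
        for line in (raw.strip() for raw in fh):
            if not line.startswith("includedir "):
                yield line
                continue
            directory = line.split(None, 1)[1]
            for name in sorted(os.listdir(directory)):
                if INCLUDE_NAME_RE.fullmatch(name):
                    yield from config_lines(os.path.join(directory, name))

def localauth_modules(path):
    """Return [(module_name, so_path)] for each 'module = name:path' inside [plugins] localauth = {...}."""
    section, in_localauth, modules = None, False, []
    for line in config_lines(path):
        if line.startswith("[") and line.endswith("]"):
            section, in_localauth = line[1:-1], False
        elif section == "plugins" and re.match(r"localauth\s*=\s*\{", line):
            in_localauth = True
        elif in_localauth and line == "}":
            in_localauth = False
        elif in_localauth:
            match = re.match(r"module\s*=\s*([^:\s]+):(\S+)", line)
            if match:
                modules.append((match.group(1), match.group(2)))
    return modules

def plugin_problems(so_path):
    """Reasons not to trust a plugin path: not a regular file, or writable by group/other."""
    if not os.path.isfile(so_path):
        return ["not a regular file: " + so_path]
    writable = os.stat(so_path).st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return ["writable by group/other: " + so_path] if writable else []

def make_fixture():
    """Constructed copy of the report's layout in a temp dir (empty placeholder .so); returns the krb5.conf path."""
    base = tempfile.mkdtemp()
    incdir = os.path.join(base, "krb5.include.d")
    os.mkdir(incdir)
    so = os.path.join(base, "sssd_krb5_localauth_plugin.so")
    os.close(os.open(so, os.O_CREAT | os.O_WRONLY, 0o755))  # mode 0755 like the file in the report
    with open(os.path.join(incdir, "localauth_plugin"), "w") as fh:
        fh.write("[plugins]\nlocalauth = {\n module = sssd:%s\n enable_only = sssd\n}\n" % so)
    with open(os.path.join(base, "krb5.conf"), "w") as fh:
        fh.write("includedir %s\n[libdefaults]\n default_realm = IPABUGS.TEST\n" % incdir)
    return os.path.join(base, "krb5.conf")
```

Run `localauth_modules("/etc/krb5.conf")` on a real client to see exactly which module the effective configuration selects, then pass each returned path to `plugin_problems()`.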