Bug 1525052
| Field | Value |
|---|---|
| Summary | sssd_krb5_localauth_plugin fails to fallback to other localname rules |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Brian J. Atkisson <batkisso> |
| Component | sssd |
| Assignee | SSSD Maintainers <sssd-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Madhuri <mupadhye> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 7.4 |
| CC | batkisso, enewland, fidencio, grajaiya, jhrozek, lslebodn, mkosek, msauton, mzidek, nsoman, pbrezina, sbose, sgoveas, tscherf |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | sssd-1.16.0-1.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1559288 |
| Environment | |
| Last Closed | 2018-04-10 17:20:30 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1559288 |
| Attachments | |
master:
* b4e4553
* 3f94a97

Upstream ticket: https://pagure.io/SSSD/sssd/issue/3459

Created attachment 1368417
Test program from the MIT Kerberos source tree srv/tests/localauth.c
How to test:

Compile the attached test program from the MIT Kerberos source tree:

```
gcc -ggdb -Wall -Wextra /tmp/localauth.c -o /tmp/localauth -lkrb5
```

Create a test krb5.conf file, /tmp/krb5.conf:

```
[libdefaults]
default_realm = ABC.DEF

[realms]
ABC.DEF = {
    auth_to_local = RULE:[1:$1@$0](.*@ABC.DEF)s/@.*//
    auth_to_local = DEFAULT
}

[plugins]
localauth = {
    module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
}
```

Call the test program:

```
$ KRB5_CONFIG=/tmp/krb5.conf /tmp/localauth xyz
xyz
```

If 'xyz' is returned the test passed. If something else or 'No translation available for requested principal' is returned, the test failed because the auth_to_local rules were not reached.

You can force a failure by adding 'enable_only = sssd' after 'module = sssd:....'
Verified with:
sssd-1.16.0-11.el7
sssd-client-1.16.0-11.el7

Verification steps:

1. Set up ldap server and kerberos server.

2. Configure sssd client with:

```
id_provider = ldap
auth_provider = krb5
```

3. Check the user lookup:

```
# getent passwd testuser1
testuser1:*:2001:2001:Test User1:/home/testuser1:/bin/bash
```

4. Create the localauth.c

5. Compile localauth.c:

```
# gcc -ggdb -Wall -Wextra localauth.c -o localauth -lkrb5
```

6. /etc/krb5.conf:

```
[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
    kdc = vm-idm-004.lab.eng.pnq.redhat.com
    admin_server = vm-idm-004.lab.eng.pnq.redhat.com
    auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
    auth_to_local = DEFAULT
}

[plugins]
localauth = {
    module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
}
```

7. Check:

```
# ls /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
```

8. Call the test program:

```
# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz
xyz
```

xyz returned, so test passed successfully.

9. Negative testing: add 'enable_only = sssd':

```
[plugins]
localauth = {
    module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
    enable_only = sssd
}
```

10. Call the program:

```
# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz
No translation available for requested principal
```

Test failed, as expected.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:0929
Description of problem:

The sssd /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so plugin does not allow fallback to other localauth rules. This means that on an IPA-enrolled system, one cannot define kerberos auth_to_local rules in krb5.conf. This has the impact of preventing kerberos trust from working correctly. This issue has been fixed upstream; we just need it back-ported to RHEL 7.4:

======
commit 3f94a979eebd1c9496b49b4e07b7823550dec97e
Author: Sumit Bose <sbose>
Date: Wed Aug 23 17:06:20 2017 +0200

localauth plugin: change return code of sss_an2ln

It is expected that the an2ln plugin function returns KRB5_LNAME_NOTRANS to indicate that no mapping can be determined and other an2ln methods can be tried. Currently SSSD's localauth plugin returns KRB5_PLUGIN_NO_HANDLE which should only be used for the userok plugin function.

Resolves https://pagure.io/SSSD/sssd/issue/3459

Reviewed-by: Jakub Hrozek <jhrozek>
Reviewed-by: Fabiano Fidêncio <fidencio>
=======

Version-Release number of selected component (if applicable):
sssd-1.15.2-50.el7_4.6.x86_64
redhat-release-server-7.4-18.el7.x86_64

How reproducible: Always

Steps to Reproduce:

1. Establish a kerberos bi-directional trust between IdM and plain kerberos

2. define rules in krb5.conf, such as:

```
[realms]
IPA.EXAMPLE.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
    auth_to_local = DEFAULT
}
```

3. Attempt to ssh in using gssapi with a foreign principal (user).

Actual results:

Auth is not allowed. If you:

```
echo "" > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin && chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
```

then the user will be granted access.
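The following is an added example, not the attached localauth.c and not SSSD or libkrb5 code. It models the an2ln method chain that the description, the "How to test" comment and the verification steps above exercise: the sssd plugin is consulted first, then the `auth_to_local` RULE and DEFAULT entries from krb5.conf. Only `KRB5_LNAME_NOTRANS` lets the chain move on; the pre-fix `KRB5_PLUGIN_NO_HANDLE` aborts the lookup before the rules are reached, and `enable_only = sssd` removes the built-in methods altogether. Assumptions: the enum values are labels rather than the real krb5 error numbers, the sssd module runs before the built-ins (the order the bug's symptom implies), the RULE parser handles only the rule shape used on this page (no `)` inside the regexp, no `/` inside the substitution), the `SSSD_USERS` table is a constructed stand-in for what the real plugin asks the SSSD responder, and the names `localauth`, `rule_an2ln`, `default_an2ln`, `sssd_an2ln` and `aname_to_localname` are mine.

```python
import re
from dataclasses import dataclass
from enum import Enum

# Added example, not SSSD or libkrb5 code. It models how libkrb5 walks its
# an2ln (auth_to_local) methods and why the plugin's return code matters.
# Enum members are named after the krb5 constants quoted in the bug; their
# string values are labels, not the real numeric error codes (assumption).


class Code(Enum):
    OK = "OK"
    LNAME_NOTRANS = "KRB5_LNAME_NOTRANS"        # no mapping here, try the next method
    PLUGIN_NO_HANDLE = "KRB5_PLUGIN_NO_HANDLE"  # meant for userok; for an2ln it is a hard error


@dataclass
class Principal:
    components: list
    realm: str

    @classmethod
    def parse(cls, text):
        # Simplified: escaped '@' and '/' are not handled (assumption).
        name, _, realm = text.rpartition("@")
        return cls(name.split("/"), realm)


RULE_HEAD = re.compile(r"^\[(\d+):([^\]]*)\]")
SUBST = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def rule_an2ln(rule, princ):
    """Evaluate one '[n:string](regexp)s/pat/rep/[g]' rule (RULE: prefix removed).

    Simplified parser for the rule shape used in this bug: the regexp may not
    contain ')' and the substitution parts may not contain '/' (assumption).
    """
    head = RULE_HEAD.match(rule)
    if head is None:
        raise ValueError("malformed rule: " + rule)
    n, fmt = int(head.group(1)), head.group(2)
    if n != len(princ.components):
        return Code.LNAME_NOTRANS, None  # rule only applies to n-component names
    # $0 is the realm, $1..$n the components (highest index first so $1 never eats $10)
    selstring = fmt.replace("$0", princ.realm)
    for i in range(n, 0, -1):
        selstring = selstring.replace("$%d" % i, princ.components[i - 1])
    rest = rule[head.end():]
    if rest.startswith("("):
        close = rest.index(")")
        regexp, rest = rest[1:close], rest[close + 1:]
        if re.search(regexp, selstring) is None:  # unanchored, like regexec()
            return Code.LNAME_NOTRANS, None
    for pat, rep, g in SUBST.findall(rest):
        selstring = re.sub(pat, rep, selstring, count=0 if g else 1)
    return Code.OK, selstring


def default_an2ln(princ, default_realm):
    """DEFAULT: a single-component principal in the default realm maps to that component."""
    if princ.realm == default_realm and len(princ.components) == 1:
        return Code.OK, princ.components[0]
    return Code.LNAME_NOTRANS, None


# Constructed stand-in for the users SSSD can resolve (the real plugin asks
# the SSSD responder); unknown principals hit the code path the bug is about.
SSSD_USERS = {"testuser1@EXAMPLE.COM": "testuser1"}


def sssd_an2ln(princ, fixed=True):
    key = "/".join(princ.components) + "@" + princ.realm
    if key in SSSD_USERS:
        return Code.OK, SSSD_USERS[key]
    # fixed=False reproduces the pre-3f94a97 behaviour: KRB5_PLUGIN_NO_HANDLE
    return (Code.LNAME_NOTRANS if fixed else Code.PLUGIN_NO_HANDLE), None


def aname_to_localname(princ, methods):
    """Walk the methods in order; only LNAME_NOTRANS lets the chain continue."""
    for method in methods:
        code, lname = method(princ)
        if code is Code.OK:
            return code, lname
        if code is not Code.LNAME_NOTRANS:
            return code, None  # any other error aborts the lookup: later rules never run
    # Exhausted: libkrb5 reports this as "No translation available for requested principal"
    return Code.LNAME_NOTRANS, None


# The auth_to_local lines from the krb5.conf in the description, in order.
RULES = ["RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//", "DEFAULT"]


def localauth(principal, default_realm, rules, sssd_fixed=True, enable_only_sssd=False):
    """Build the method chain as krb5.conf would and translate one principal.

    Assumption: the dynamic sssd module is consulted before the built-in
    auth_to_local methods. enable_only_sssd=True models 'enable_only = sssd',
    which drops the built-in methods from the chain.
    """
    princ = Principal.parse(principal)
    methods = [lambda p: sssd_an2ln(p, fixed=sssd_fixed)]
    if not enable_only_sssd:
        for r in rules:
            if r == "DEFAULT":
                methods.append(lambda p: default_an2ln(p, default_realm))
            elif r.startswith("RULE:"):
                methods.append(lambda p, r=r: rule_an2ln(r[len("RULE:"):], p))
    return aname_to_localname(princ, methods)


if __name__ == "__main__":
    for kwargs in ({}, {"sssd_fixed": False}, {"enable_only_sssd": True}):
        print(kwargs, "->", localauth("alice@EXAMPLE.COM", "IPA.EXAMPLE.COM", RULES, **kwargs))
```

With the fixed plugin a foreign principal such as `alice@EXAMPLE.COM` falls through to the RULE and maps to `alice`; with the old return code the lookup stops at the plugin with `KRB5_PLUGIN_NO_HANDLE`, and with `enable_only = sssd` it ends in `KRB5_LNAME_NOTRANS`, the condition behind the "No translation available for requested principal" message seen in the negative test above.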