Bug 1559288
| Summary: | sssd_krb5_localauth_plugin fails to fallback to other localname rules [rhel-7.4.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Madhuri <mupadhye> |
| Severity: | high | Docs Contact: | Lucie Vařáková <lmanasko> |
| Priority: | high | | |
| Version: | 7.4 | CC: | batkisso, enewland, fidencio, grajaiya, jhrozek, lmanasko, lslebodn, mkosek, msauton, mupadhye, mzidek, nsoman, pbrezina, sbose, sgoveas, sssd-maint, tscherf |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.15.2-50.el7_4.13 | Doc Type: | Bug Fix |
| Doc Text: | Previously, the SSSD auth-to-local Kerberos plug-in returned the incorrect error code KRB5_PLUGIN_NO_HANDLE when it could not find a mapping for the principal. As a consequence, libkrb5 did not continue with the next auth_to_local rule. This update makes the SSSD plug-in return the correct code, KRB5_LNAME_NOTRANS. As a result, libkrb5 falls back to the auth_to_local rules in its configuration file when the SSSD mapping finds no match. | | |
| Story Points: | --- | | |
| Clone Of: | 1525052 | Environment: | |
| Last Closed: | 2018-04-17 16:35:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1525052 | | |
| Bug Blocks: | | | |
|
Description
Oneata Mircea Teodor
2018-03-22 08:08:38 UTC
Verified with
sssd-1.15.2-50.el7_4.13.x86_64
sssd-client-1.15.2-50.el7_4.13.x86_64
Verification steps:
1. Set up ldap server and kerberos server.
2. Configure sssd client with,
# cat /etc/sssd/sssd.conf | grep provider
id_provider = ldap
auth_provider = krb5
3. Check the user look up.
[root@vm-idm-033 ~]# getent passwd testuser1
testuser1:*:2001:2001:Test User1:/:/bin/bash
4. Create the localauth.c
5. Compile localauth.c
# gcc -ggdb -Wall -Wextra localauth.c -o localauth -lkrb5
6. /etc/krb5.conf
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = vm-idm-025.lab.eng.pnq.redhat.com
  admin_server = vm-idm-025.lab.eng.pnq.redhat.com
  auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
  auth_to_local = DEFAULT
 }
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
7. Check
# ls /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
8. Call the test program,
[root@vm-idm-033 ~]# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz
xyz
xyz returned, so test passed successfully.
9. Negative testing
Add 'enable_only = sssd'
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
10. Call the program
[root@vm-idm-033 ~]# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz
No translation available for requested principal
Test failed, as expected.
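The verification steps above exercise libkrb5's auth_to_local lookup but show neither localauth.c nor what libkrb5 does with the plug-in's answer. The model below is an added example for this page; it is not code from the bug report, SSSD or MIT krb5. It implements the RULE:[n:string](regexp)s/pattern/replacement/ and DEFAULT syntax from krb5.conf(5) and the fallback described in the Doc Text: a module that answers "no translation" (KRB5_LNAME_NOTRANS) lets the next module and then the next auth_to_local value be tried, while "no handle" (KRB5_PLUGIN_NO_HANDLE, the pre-fix SSSD answer) ends the lookup with that error. Assumptions, in the code as well: the [plugins] module is consulted before the built-in handler for a value's type, the SSSD plug-in knows only the users in LOCAL_USERS (constructed test data, matching testuser1 from step 3), and `lookup`, `parse_rule` and the `sssd_fixed` / `enable_only_sssd` switches are names chosen here.

```python
# Model of libkrb5 auth_to_local evaluation with a localauth plug-in.  Added
# example, not SSSD or MIT krb5 code; module order and the SSSD user database
# are assumptions, see the lead-in.
import re

DEFAULT_REALM = "EXAMPLE.COM"
LOCAL_USERS = {"testuser1"}  # constructed: the account that existed on the test host


class NoTranslation(Exception):
    """Models KRB5_LNAME_NOTRANS: no mapping here, keep looking."""


class NoHandle(Exception):
    """Models KRB5_PLUGIN_NO_HANDLE: the lookup stops with this error."""


def sssd_an2ln(components, realm, fixed=True):
    """Model of sssd_krb5_localauth_plugin: succeed only if NSS knows the user."""
    name = "/".join(components)
    if realm == DEFAULT_REALM and name in LOCAL_USERS:
        return name
    if fixed:
        raise NoTranslation  # sssd-1.15.2-50.el7_4.13 behaviour: libkrb5 keeps going
    raise NoHandle           # pre-fix behaviour: libkrb5 gives up here


def _take_paren(s, i):
    """Text inside the balanced parentheses starting at s[i], and the index after them."""
    depth, j = 0, i
    while j < len(s):
        if s[j] == "\\":
            j += 2
            continue
        if s[j] == "(":
            depth += 1
        elif s[j] == ")":
            depth -= 1
            if depth == 0:
                return s[i + 1:j], j + 1
        j += 1
    raise ValueError("unbalanced parentheses in RULE " + s)


def _take_field(s, i, delim):
    """Text from s[i] up to the next unescaped delim, and the index after the delim."""
    j = i
    while j < len(s) and s[j] != delim:
        j += 2 if s[j] == "\\" else 1
    if j >= len(s):
        raise ValueError("unterminated substitution in RULE " + s)
    return s[i:j], j + 1


def parse_rule(residual):
    """Split '[n:fmt](regexp)s/pat/rep/g...' into (n, fmt, regexp or None, [(pat, rep, global)])."""
    m = re.match(r"\[(\d+):((?:[^\]\\]|\\.)*)\]", residual)
    if m is None:
        raise ValueError("RULE must start with [n:string]: " + residual)
    ncomp, fmt, i, regexp, subs = int(m.group(1)), m.group(2), m.end(), None, []
    if i < len(residual) and residual[i] == "(":
        regexp, i = _take_paren(residual, i)
    while i < len(residual):
        if residual[i] != "s" or i + 1 >= len(residual):
            raise ValueError("expected s/pattern/replacement/ in RULE " + residual)
        delim = residual[i + 1]
        pat, i = _take_field(residual, i + 2, delim)
        rep, i = _take_field(residual, i, delim)
        glob = i < len(residual) and residual[i] == "g"
        if glob:
            i += 1
        subs.append((pat, rep, glob))
    return ncomp, fmt, regexp, subs


def rule_an2ln(components, realm, residual):
    """Built-in RULE handler: expand $0/$n, require a whole-string match, apply substitutions."""
    ncomp, fmt, regexp, subs = parse_rule(residual)
    if len(components) != ncomp:
        raise NoTranslation

    def expand(m):
        n = int(m.group(1))
        if n > ncomp:
            raise ValueError("$%d out of range in RULE format %r" % (n, fmt))
        return realm if n == 0 else components[n - 1]

    sel = re.sub(r"\$(\d+)", expand, fmt)
    if regexp is not None and re.fullmatch(regexp, sel) is None:
        raise NoTranslation
    for pat, rep, glob in subs:
        sel = re.sub(pat, rep, sel, count=0 if glob else 1)
    return sel


def default_an2ln(components, realm, _residual):
    """Built-in DEFAULT handler: single-component principals in the default realm only."""
    if len(components) == 1 and realm == DEFAULT_REALM:
        return components[0]
    raise NoTranslation


BUILTIN = {"RULE": rule_an2ln, "DEFAULT": default_an2ln}


def aname_to_localname(principal, auth_to_local, sssd_fixed=True, enable_only_sssd=False):
    """Walk the auth_to_local values like krb5_aname_to_localname; enable_only_sssd drops the built-ins."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        name, realm = principal, DEFAULT_REALM
    components = name.split("/")
    for value in auth_to_local:
        vtype, _, residual = value.partition(":")
        handlers = [lambda: sssd_an2ln(components, realm, sssd_fixed)]  # plug-in first (assumption)
        if not enable_only_sssd and vtype in BUILTIN:
            handlers.append(lambda: BUILTIN[vtype](components, realm, residual))
        for handler in handlers:
            try:
                return handler()
            except NoTranslation:
                continue  # KRB5_LNAME_NOTRANS: next module, then next auth_to_local value
            # anything else (NoHandle) propagates and ends the lookup
    raise NoTranslation("No translation available for requested principal")


def lookup(principal, auth_to_local, **kw):
    """Return the local name, or the name of the krb5 error the lookup fails with."""
    try:
        return aname_to_localname(principal, auth_to_local, **kw)
    except NoTranslation:
        return "KRB5_LNAME_NOTRANS"
    except NoHandle:
        return "KRB5_PLUGIN_NO_HANDLE"


if __name__ == "__main__":
    rules = ["RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//", "DEFAULT"]
    print(lookup("xyz@EXAMPLE.COM", rules))                         # positive test: xyz
    print(lookup("xyz@EXAMPLE.COM", rules, enable_only_sssd=True))  # negative test: no translation
    print(lookup("xyz@EXAMPLE.COM", rules, sssd_fixed=False))       # pre-fix plug-in: no handle
    print(lookup("xyz@OTHER.COM", rules))                           # rule is realm-anchored
```

The four lookups in the main block reproduce the page: with the fixed plug-in, xyz@EXAMPLE.COM is not an NSS user, so SSSD says "no translation" and the RULE strips the realm, giving xyz; with enable_only = sssd there is no built-in to fall back to, so the lookup fails with the "No translation available for requested principal" error; with the pre-fix return code the lookup fails before the RULE is ever consulted. The last call is the caveat a practitioner should keep in mind when copying the verification config: `(.*@EXAMPLE.COM)s/@.*//` maps every principal in the realm to a same-named local account whether or not SSSD knows the user, so the auth_to_local list is an authorization decision, and a rule that is not anchored to the realm (or a DEFAULT reached for a principal nobody vetted) widens it.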
Comment
errata-xmlrpc
2018-04-17 16:35:29 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1144