Bug 714600

Summary: ipa-client-install should configure sssd to store password if offline
Product: Red Hat Enterprise Linux 6 Reporter: Marko Myllynen <myllynen>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: benl, dpal, jgalipea, nsoman, sbose
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.0-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: The default sssd configuration does not store passwords if offline. Consequence: If the machine is disconnected from the network sssd will be unable to authenticate users. Fix: Set krb5_store_password_if_offline to True in sssd.conf by default. There is an ipa-client-install option --no-krb5-offline-passwords if this is not desired. Result: Passwords are stored by default.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 18:36:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marko Myllynen 2011-06-20 08:36:07 UTC 
Description of problem:
A common use case is when a user logs in while offline, then goes online (e.g., after establishing a VPN connection) and then tries to access IPA hosts/services. This fails currently because no Kerberos ticket is available after an offline login. It would be nice if ipa-client-install would configure (at least optionally) SSSD to store password if offline (i.e., set krb5_store_password_if_offline in sssd.conf for the domain).

Version-Release number of selected component (if applicable):
RHEL 6.1
Comment 2 Rob Crittenden 2011-06-20 16:12:16 UTC 
https://fedorahosted.org/freeipa/ticket/1359
Comment 3 Rob Crittenden 2011-08-01 20:16:36 UTC 
master: 1c5028c17df9dc903a6db2712738670c3534246f
Comment 6 Namita Soman 2011-10-14 19:30:15 UTC 
Installed client using command:
 ipa-client-install --domain=testrelm --realm=TESTRELM -p admin -w <xxx>

sssd.conf has krb5_store_password_if_offline = True

Verified request above using steps below::
1. Logged in as user test
2. kdestroy - no cached cred.
3. Client's network is stopped
4. log out user test
5. log back user test
6. And user test can log in offline
7. klist shows:
Ticket cache: FILE:/tmp/krb5cc_618800003_nNXtCe
Default principal: one@TESTRELM

Valid starting     Expires            Service principal
12/31/69 19:00:00  12/31/69 19:00:00  krbtgt/TESTRELM@TESTRELM
8. Restarted network service
9. After a few minutes, klist shows:
Ticket cache: FILE:/tmp/krb5cc_618800003_nNXtCe
Default principal: one@TESTRELM

Valid starting     Expires            Service principal
10/14/11 15:11:10  10/15/11 15:11:10  krbtgt/TESTRELM@TESTRELM
10. Can ssh as this user to master, without being prompted to reenter password.

Verified using ipa-client-2.1.2-2.el6.x86_64
Comment 7 Rob Crittenden 2011-10-31 20:19:41 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: The default sssd configuration does not store passwords if offline.
Consequence: If the machine is disconnected from the network sssd will be unable to authenticate users.
Fix: Set krb5_store_password_if_offline to True in sssd.conf by default. There is an ipa-client-install option --no-krb5-offline-passwords if this is not desired.
Result: Passwords are stored by default.
Comment 8 errata-xmlrpc 2011-12-06 18:36:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html