Bug 1006191 - RFE: authconfig should be able to configure winbind authentication over krb5
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: authconfig
Version: 7.0
Hardware: Unspecified Unspecified
Priority: high, Severity: medium
Target Milestone: beta
Target Release: ---
Assigned To: Tomas Mraz
QA Contact: David Spurek
Keywords: FutureFeature, Rebase
Depends On: 1005422
Blocks: 991169
Reported: 2013-09-10 03:52 EDT by Andreas Schneider
Modified: 2015-03-02 00:28 EST
Fixed In Version: authconfig-6.2.8-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Last Closed: 2014-06-13 07:22:26 EDT
Type: Bug


Description Andreas Schneider 2013-09-10 03:52:35 EDT
Description of problem:

With the change of the default location of the KRB5 credential cache we have added KEYRING as a value for the option 'krb5_ccache_type' in the pam_winbind.conf file.

    krb5_ccache_type = KEYRING

As authconfig is setting or changing this variable we need to update it to reflect the change in the system default.

Comment 2 Tomas Mraz 2013-09-11 06:54:45 EDT
Nope, authconfig does not change or set the krb5_ccache_type value in any way.
Also it does not touch pam_winbind.conf at all.

It writes winbind configuration to smb.conf.

Comment 3 Andreas Schneider 2013-09-11 07:40:13 EDT
Really? Oh, because for

authconfig --enablewinbindoffline

you need to set

  cached_login = yes

in /etc/security/pam_winbind.conf.

This probably needs to be fixed, and we should add an option:

authconfig --enablewinbindkrb5

which sets in smb.conf:

  kerberos method = secrets and keytab

and in pam_winbind.conf:

  krb5_auth = yes
  krb5_ccache_type = KEYRING

Comment 4 Andreas Schneider 2013-09-13 03:31:07 EDT
Should I create another bug for the cached login stuff or is one fine? Let me know if I could help or should review code.

Comment 5 Tomas Mraz 2013-09-13 05:57:01 EDT
I think another bug for cached login would be good because the current way does not work.

And the --enablewinbindkrb5 is rather a feature.

Comment 6 Tomas Mraz 2013-10-30 10:53:05 EDT
To avoid messing with another file, could these options (krb5_auth and krb5_ccache_type) be set in /etc/pam.d/system_auth as pam_winbind.so parameters?

Comment 7 Andreas Schneider 2013-10-31 06:52:43 EDT
Yes, you can also pass them to the PAM module.

pam_winbind.so krb5_auth=yes krb5_ccache_type=KEYRING
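
Added example, not part of the bug thread and not authconfig code: a Python check that reports whether the three settings proposed in comment 3 are present, accepting them either in pam_winbind.conf or as pam_winbind.so arguments as written in comment 7. The parsing is simplified, treating either location as sufficient is an assumption of this example, and the sample file contents are constructed.

```python
import re

# Values proposed in comment 3 of this bug; the PAM values are compared literally.
WANT_SMB = {"kerberos method": "secrets and keytab"}
WANT_PAM = {"krb5_auth": "yes", "krb5_ccache_type": "KEYRING"}

def parse_global(text):
    """Simplified reader for the [global] section of smb.conf / pam_winbind.conf."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif "=" in line and section == "global":
            key, val = line.split("=", 1)
            out[" ".join(key.lower().split())] = val.strip()
    return out

def pam_auth_args(text, module="pam_winbind.so"):
    """key=value arguments passed to pam_winbind.so on 'auth' lines of a PAM file."""
    args = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0].lstrip("-") == "auth" and module in fields:
            for tok in fields[fields.index(module) + 1:]:
                key, _, val = tok.partition("=")
                args[key] = val
    return args

def audit(smb_conf, pam_winbind_conf, pam_stack):
    """Return the settings that are missing or differ; an empty list means all are set."""
    smb = parse_global(smb_conf)
    pam = parse_global(pam_winbind_conf)
    pam.update(pam_auth_args(pam_stack))  # assumption: either location counts
    problems = [f"smb.conf: {k}" for k, v in WANT_SMB.items()
                if smb.get(k, "").lower() != v]
    problems += [f"pam_winbind: {k}" for k, v in WANT_PAM.items()
                 if pam.get(k) != v]
    return problems

# Constructed sample input, not taken from a real host.
SMB = "[global]\n   security = ads\n   kerberos method = secrets and keytab\n"
PAM_CONF = "[global]\n# krb5 not configured here\ncached_login = yes\n"
STACK = "auth sufficient pam_winbind.so use_first_pass krb5_auth=yes krb5_ccache_type=KEYRING\n"

if __name__ == "__main__":
    print(audit(SMB, PAM_CONF, STACK))   # settings supplied as module arguments
    print(audit(SMB, PAM_CONF, "auth sufficient pam_winbind.so use_first_pass\n"))
```
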

Comment 8 Tomas Mraz 2013-10-31 12:52:26 EDT
I'd like to solve this by rebasing authconfig as I am doing the development upstream and there will be no changes unrelated to RHEL-7 development.

Comment 11 Ludek Smid 2014-06-13 07:22:26 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
