Bug 1006191 - RFE: authconfig should be able to configure winbind authentication over krb5
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: authconfig
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: beta
Assignee: Tomas Mraz
QA Contact: David Spurek
Depends On: 1005422
Blocks: 991169
Reported: 2013-09-10 07:52 UTC by Andreas Schneider
Modified: 2015-03-02 05:28 UTC

Fixed In Version: authconfig-6.2.8-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Last Closed: 2014-06-13 11:22:26 UTC

Description Andreas Schneider 2013-09-10 07:52:35 UTC
Description of problem:

With the change of the default location of the KRB5 credential cache we have added KEYRING as a value for the option 'krb5_ccache_type' in the pam_winbind.conf file.

    krb5_ccache_type = KEYRING

As authconfig is setting or changing this variable we need to update it to reflect the change in the system default.

Comment 2 Tomas Mraz 2013-09-11 10:54:45 UTC
Nope, authconfig does not change or set the krb5_ccache_type value in any way.
Also it does not touch pam_winbind.conf at all.

It writes winbind configuration to smb.conf.

Comment 3 Andreas Schneider 2013-09-11 11:40:13 UTC
Really? Oh, cause for

  authconfig --enablewinbindoffline

you need to set

  cached_login = yes

in /etc/security/pam_winbind.conf.

This needs probably to be fixed and we should add an option:

  authconfig --enablewinbindkrb5

which sets in smb.conf:

  kerberos method = secrets and keytab

and in pam_winbind.conf:

  krb5_auth = yes
  krb5_ccache_type = KEYRING

Comment 4 Andreas Schneider 2013-09-13 07:31:07 UTC
Should I create another bug for the cached login stuff or is one fine? Let me know if I could help or should review code.

Comment 5 Tomas Mraz 2013-09-13 09:57:01 UTC
I think another bug for cached login would be good because the current way does not work.

And the --enablewinbindkrb5 is rather a feature.

Comment 6 Tomas Mraz 2013-10-30 14:53:05 UTC
To avoid messing with another file could these options (krb5_auth and krb5_ccache_type) be set in the /etc/pam.d/system_auth as pam_winbind.so parameters?

Comment 7 Andreas Schneider 2013-10-31 10:52:43 UTC
Yes, you can also pass them to the pam module.

  pam_winbind.so krb5_auth=yes krb5_ccache_type=KEYRING
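
An added example, not part of the bug thread and not authconfig's own code: a Python check that the settings named in Comments 3 and 7 are in place, given the text of smb.conf, pam_winbind.conf and a PAM stack file. The function names, the sample line and reading a bare module flag as "yes" are assumptions of this example.

```python
# Added example: audits the winbind/krb5 settings named in this bug report.
WANT_METHOD = "secrets and keytab"            # smb.conf: kerberos method
WANT_PAM = {"krb5_auth": "yes", "krb5_ccache_type": "KEYRING"}

def parse_global(text):
    """Return the [global] options of smb.conf / pam_winbind.conf text."""
    section, options = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            options[" ".join(key.lower().split())] = value.strip()
    return options

def auth_args(pam_stack):
    """Return pam_winbind.so arguments found on 'auth' lines of a PAM file."""
    args = {}
    for raw in pam_stack.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0].lstrip("-") != "auth":
            continue
        for i, field in enumerate(fields):
            if field.endswith("pam_winbind.so"):
                for arg in fields[i + 1:]:
                    key, _, value = arg.partition("=")
                    args[key] = value or "yes"  # bare flag read as yes (assumption)
    return args

def audit(smb_conf, pam_winbind_conf, pam_stack):
    """Return a list of findings; an empty list means all settings match."""
    findings = []
    method = parse_global(smb_conf).get("kerberos method", "<unset>")
    if method.lower() != WANT_METHOD:
        findings.append(f"smb.conf: kerberos method is {method!r}, want {WANT_METHOD!r}")
    sources = {"pam_winbind.conf": parse_global(pam_winbind_conf),
               "pam_winbind.so argument": auth_args(pam_stack)}
    for key, want in WANT_PAM.items():
        seen = {s: o[key] for s, o in sources.items() if key in o}
        if not seen:
            findings.append(f"{key}: not set in either location")
        for source, value in seen.items():
            if value.lower() != want.lower():  # compared case-insensitively
                findings.append(f"{source}: {key} is {value!r}, want {want!r}")
    return findings

# Constructed sample: the module-argument form from Comment 7.
SAMPLE_PAM = "auth sufficient pam_winbind.so krb5_auth=yes krb5_ccache_type=KEYRING\n"
```

Both locations are reported separately, so a value set one way in pam_winbind.conf and another way on the module line shows up as a finding instead of being silently resolved.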

Comment 8 Tomas Mraz 2013-10-31 16:52:26 UTC
I'd like to solve this by rebasing authconfig as I am doing the development upstream and there will be no changes unrelated to RHEL-7 development.

Comment 11 Ludek Smid 2014-06-13 11:22:26 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

