Red Hat Bugzilla – Bug 1135043
[RFE] Implement localauth plugin for MIT krb5 1.12
Last modified: 2015-10-01 04:42:23 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/1835

Since the localauth plugin API is committed to MIT krb5 upstream, we need to implement the plugin to allow SSSD to expose trusted domains and UPN suffixes associated with our domain instead of configuring them manually.
https://github.com/krb5/krb5/commit/4216fb5b0e0abb80a3ccd8251abddc18435d81f3
To reproduce:
1. set up AD-IPA trusts. I used http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup for testing
2. verify a user can log in with GSSAPI (aka passwordless)
3. edit krb5.conf, remove the long regex in the auth_to_local parameter
4. add this section instead:
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
Please verify the plugin is indeed at that path, we had some discussions upstream about the proper placement.
5. verify a user can still log in with GSSAPI without being prompted for a password even though the auth_to_local parameter is commented out.
master: 8a5e793a0576250da80371e53aa3e7eba15cdb63 6b5044001e4b0a0caf971a2cf5f27674e0d270f4
IPA part of this RFE: https://fedorahosted.org/freeipa/ticket/4514
Upstream ticket: https://fedorahosted.org/sssd/ticket/2449
There is another requirement to include the directory krb5 will create as part of fix for #1146945. I'm moving the bugzilla back to assigned.
Proposed mechanism for automatic registration of the plugin on IdM clients: https://fedorahosted.org/sssd/ticket/2473
Upstream ticket: https://fedorahosted.org/sssd/ticket/2473
The option was added to master: 4fa184e2c60b377fd71e0115a618bd68dc73627d
[root@sideswipe ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPABUGS.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPABUGS.TEST = {
  kdc = sideswipe.ipabugs.test:88
  master_kdc = sideswipe.ipabugs.test:88
  admin_server = sideswipe.ipabugs.test:749
  default_domain = ipabugs.test
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .ipabugs.test = IPABUGS.TEST
 ipabugs.test = IPABUGS.TEST

[dbmodules]
 IPABUGS.TEST = {
  db_library = ipadb.so
 }

[root@sideswipe ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

[root@sideswipe ~]# ls -l /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
-rwxr-xr-x. 1 root root 28704 Jan 14 19:36 /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
[root@sideswipe ~]# kdestroy -A
[root@sideswipe ~]# echo Secret123 | kinit aduser1@ADTEST.QE
Password for aduser1@ADTEST.QE:
[root@sideswipe ~]# ssh -l aduser1@adtest.qe `hostname` echo "login successful"
login successful
Could not chdir to home directory /home/adtest.qe/aduser1: No such file or directory

Verified in version
[root@sideswipe ~]# rpm -q sssd ipa-server
sssd-1.12.2-42.el7.x86_64
ipa-server-4.1.0-15.el7.x86_64
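The reproduction steps and the verification transcript above both hinge on two things: the krb5.conf `[realms]` block no longer carries an `auth_to_local` rule, and a `[plugins] localauth` block (here pulled in through `includedir`) names the SSSD module at a path that actually exists. The following is an added example for this page, not code from SSSD, MIT krb5 or this bug's reporters: a small parser for the krb5.conf profile syntax (sections, `key = value`, nested `{ }` blocks, repeated keys, `include`/`includedir` directives) and a check that reports exactly those two conditions. The sample configuration text is constructed from the shapes shown above; the `auth_to_local` regex in it is a made-up stand-in for the "long regex" step 3 tells you to remove, and the `exists` parameter is injectable so the check can run on a machine that does not have the plugin installed.

```python
"""Parse krb5.conf-style configuration and check a [plugins] localauth
registration like the one in the reproduction steps.  Added example for this
bug page, not SSSD or MIT krb5 code; the sample configs below are constructed."""
import os
import re

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Parse krb5.conf profile syntax into {section: {key: value}}.

    Repeated keys are collected into a list (krb5 keeps every occurrence);
    'include'/'includedir' directives are recorded under '__includes__' as
    (directive, path) tuples rather than being read from disk.
    """
    conf = {"__includes__": []}
    current = None  # dict of the active [section]
    stack = []      # dicts of the open '{' blocks, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if not stack:
            section = _SECTION_RE.match(line)
            if section:
                current = conf.setdefault(section.group(1), {})
                continue
            parts = line.split(None, 1)
            if parts[0] in ("include", "includedir") and len(parts) == 2:
                conf["__includes__"].append((parts[0], parts[1].strip()))
                continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in: %r" % raw)
            stack.pop()
            continue
        kv = _KV_RE.match(line)
        if not kv or current is None:
            raise ValueError("unexpected line outside a section: %r" % raw)
        key, value = kv.group(1), kv.group(2).strip()
        target = stack[-1] if stack else current
        if value == "{":
            block = target[key] if isinstance(target.get(key), dict) else {}
            target[key] = block
            stack.append(block)
        elif key in target and not isinstance(target[key], dict):
            old = target[key]
            target[key] = old + [value] if isinstance(old, list) else [old, value]
        else:
            target[key] = value
    if stack:
        raise ValueError("unclosed '{' block")
    return conf


def _as_list(value):
    """Normalise a scalar-or-list config value to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def merge_conf(base, extra):
    """Overlay sections from `extra` (e.g. an includedir snippet) onto `base`."""
    merged = {k: (dict(v) if isinstance(v, dict) else list(v)) for k, v in base.items()}
    for section, entries in extra.items():
        if section == "__includes__":
            merged["__includes__"].extend(entries)
        else:
            merged.setdefault(section, {}).update(entries)
    return merged


def localauth_modules(conf):
    """Return [(name, path)] for every 'module = name:path' under localauth."""
    localauth = conf.get("plugins", {}).get("localauth", {})
    return [tuple(spec.partition(":")[::2]) for spec in _as_list(localauth.get("module"))]


def realms_with_auth_to_local(conf):
    """Realms that still carry an auth_to_local rule (step 3 says to remove it)."""
    return sorted(r for r, v in conf.get("realms", {}).items()
                  if isinstance(v, dict) and "auth_to_local" in v)


def check_localauth_registration(conf, exists=os.path.exists):
    """Return problems with the localauth plugin registration; [] means OK."""
    problems = []
    modules = localauth_modules(conf)
    if not modules:
        problems.append("no [plugins] localauth module is registered")
    for name, path in modules:
        if not path.startswith("/"):
            problems.append("module %s: %r is not an absolute path" % (name, path))
        elif not exists(path):
            problems.append("module %s: %s does not exist" % (name, path))
    return problems


# Constructed sample shaped like the main krb5.conf above; the auth_to_local
# rule is a made-up stand-in for the long regex that step 3 removes.
MAIN_CONF = r"""
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = IPABUGS.TEST
 dns_lookup_kdc = true

[realms]
 IPABUGS.TEST = {
  kdc = sideswipe.ipabugs.test:88
  admin_server = sideswipe.ipabugs.test:749
  auth_to_local = RULE:[1:$1@$0](^.*@ADTEST\.QE$)s/@ADTEST\.QE/@adtest.qe/
  auth_to_local = DEFAULT
 }
"""

# Constructed sample of the includedir snippet that registers the SSSD plugin.
SNIPPET = """
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
"""

if __name__ == "__main__":
    conf = merge_conf(parse_krb5_conf(MAIN_CONF), parse_krb5_conf(SNIPPET))
    print("includes:", conf["__includes__"])
    print("localauth modules:", localauth_modules(conf))
    print("realms still using auth_to_local:", realms_with_auth_to_local(conf))
    print("problems:", check_localauth_registration(conf))
```

Run against the real files, `parse_krb5_conf(open("/etc/krb5.conf").read())` merged with each file under the recorded `includedir` reproduces the manual `cat`/`ls -l` checks in the transcript above in one step; a leftover realm in `realms_with_auth_to_local` is the usual reason the plugin appears not to take effect.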
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0441.html