Bug 1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12
Summary: [RFE] Implement localauth plugin for MIT krb5 1.12
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1168357
Reported: 2014-08-28 17:39 UTC by Jakub Hrozek
Modified: 2020-05-02 17:50 UTC (History)

Fixed In Version: sssd-1.12.2-24.el7
Doc Type: Enhancement
Doc Text:
Feature: The SSSD now provides a Kerberos plugin that helps to map Kerberos principals to local SSSD user names. Reason: Normally, there is no standardized way to map a Kerberos principal to a UNIX username. There are several methods, like using a .k5login file or auth_to_local regular expression in the krb5.conf file, but all are difficult to use. Result: With the help of this new localauth plugin, Active Directory users in a setup with AD trusts will be able to log in a passwordless manner to an IPA client without having to configure the auth_to_local rule or the .k5login file.
Clone Of:
Clones: 1168357
Environment:
Last Closed: 2015-03-05 10:33:26 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2877 0 None closed [RFE] Implement localauth plugin for MIT krb5 1.12 2020-12-18 08:58:08 UTC
Github SSSD sssd issues 3515 0 None closed RFE: Add a configuration option to specify where a snippet with sssd_krb5_localauth_plugin.so is generated 2020-12-18 08:58:08 UTC
Red Hat Bugzilla 1146945 0 medium CLOSED RFE: Kerberos should support dropping configuration snippets to /etc/ and /usr 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2015:0441 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-03-05 15:05:27 UTC

Internal Links: 1146945

Description Jakub Hrozek 2014-08-28 17:39:31 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1835

Since the localauth plugin API is committed to MIT krb5 upstream, we need to implement the plugin to allow SSSD to expose trusted domains and UPN suffixes associated with our domain instead of configuring them manually.

https://github.com/krb5/krb5/commit/4216fb5b0e0abb80a3ccd8251abddc18435d81f3

Comment 1 Jakub Hrozek 2014-08-29 07:54:55 UTC
To reproduce:

1. set up AD-IPA trusts. I used http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup for testing
2. verify a user can log in with GSSAPI (aka passwordless)
3. edit krb5.conf, remove the long regex in auth_to_local parameter
4. add this section instead:

[plugins]
localauth = {
 module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 enable_only = sssd
}

Please verify the plugin is indeed at that path, we had some discussions upstream about the proper placement.

5. verify a user can still log in with GSSAPI without being prompted for password even though the auth_to_local parameter is commented out.
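To check a client against the recipe above (localauth block present, module file at the expected path, enable_only = sssd, no leftover auth_to_local rule), here is an added Python check; it is not code from this bug, from SSSD or from MIT krb5. The parser is a simplified reading of krb5.conf syntax, the includedir snippet is appended to the main text by the caller, and the sample configuration is constructed (realm and rule made up; the module path is the one from this bug).

```python
import os

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section], 'key = value' and nested 'key = {'...'}' blocks -> nested dicts."""
    root, stack = {}, [{}]              # scratch dict swallows any text before the first section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue                    # snippet text is appended to the main text by the caller
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value  # last value wins
    return root

def check_localauth(conf, module_exists=os.path.exists):
    """Findings (empty == matches the bug's recipe): sssd module registered and on disk, sole module enabled, no auth_to_local left."""
    findings = []
    localauth = conf.get("plugins", {}).get("localauth")
    if not isinstance(localauth, dict):
        return ["no [plugins] localauth block; krb5 falls back to auth_to_local/.k5login"]
    name, _, path = localauth.get("module", "").partition(":")
    if name != "sssd" or not path.endswith("/sssd_krb5_localauth_plugin.so"):
        findings.append("localauth module is not the sssd plugin: %r" % localauth.get("module"))
    elif not module_exists(path):
        findings.append("plugin file not found at %s" % path)
    if localauth.get("enable_only") != "sssd":
        findings.append("enable_only != sssd: krb5's built-in localauth modules stay active")
    for realm, cfg in conf.get("realms", {}).items():
        if isinstance(cfg, dict) and "auth_to_local" in cfg:
            findings.append("realm %s still has auth_to_local rules" % realm)
    return findings

SAMPLE = """# constructed sample (not from the bug): leftover auth_to_local rule, then the SSSD snippet
[realms]
 EXAMPLE.TEST = {
  auth_to_local = RULE:[1:$1@$0](^.*@AD[.]EXAMPLE[.]TEST$)s/@.*//
 }
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
"""
```

On a real host, call `check_localauth(parse_krb5_conf(open("/etc/krb5.conf").read() + snippet_text))` with the snippet read from the includedir; the sample above yields one finding because the realm still carries an auth_to_local rule.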

Comment 2 Jakub Hrozek 2014-09-02 08:41:17 UTC
master:
    8a5e793a0576250da80371e53aa3e7eba15cdb63
    6b5044001e4b0a0caf971a2cf5f27674e0d270f4

Comment 3 Martin Kosek 2014-09-02 14:15:22 UTC
IPA part of this RFE:
https://fedorahosted.org/freeipa/ticket/4514

Comment 5 Jakub Hrozek 2014-09-29 09:25:16 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2449

Comment 6 Jakub Hrozek 2014-09-29 09:26:39 UTC
There is another requirement to include the directory krb5 will create as part of fix for #1146945. I'm moving the bugzilla back to assigned.

Comment 7 Martin Kosek 2014-10-23 12:51:09 UTC
Proposed mechanism for automatic registration of the plugin on IdM clients:

https://fedorahosted.org/sssd/ticket/2473

Comment 8 Jakub Hrozek 2014-11-05 13:08:33 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2473

Comment 9 Jakub Hrozek 2014-11-25 12:41:55 UTC
The option was added to master:
4fa184e2c60b377fd71e0115a618bd68dc73627d

Comment 11 Steeve Goveas 2015-01-20 15:58:13 UTC
[root@sideswipe ~]# cat /etc/krb5.conf 
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPABUGS.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPABUGS.TEST = {
  kdc = sideswipe.ipabugs.test:88
  master_kdc = sideswipe.ipabugs.test:88
  admin_server = sideswipe.ipabugs.test:749
  default_domain = ipabugs.test
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .ipabugs.test = IPABUGS.TEST
 ipabugs.test = IPABUGS.TEST

[dbmodules]
  IPABUGS.TEST = {
    db_library = ipadb.so
  }

[root@sideswipe ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin 
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

[root@sideswipe ~]# ls -l /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
-rwxr-xr-x. 1 root root 28704 Jan 14 19:36 /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

[root@sideswipe ~]# kdestroy -A

[root@sideswipe ~]# echo Secret123 | kinit aduser1
Password for aduser1: 

[root@sideswipe ~]# ssh -l aduser1 `hostname` echo "login successful"
login successful
Could not chdir to home directory /home/adtest.qe/aduser1: No such file or directory

Verified in version
[root@sideswipe ~]# rpm -q sssd ipa-server
sssd-1.12.2-42.el7.x86_64
ipa-server-4.1.0-15.el7.x86_64

Comment 13 errata-xmlrpc 2015-03-05 10:33:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html