Bug 1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12
Summary: [RFE] Implement localauth plugin for MIT krb5 1.12
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1168357
 
Reported: 2014-08-28 17:39 UTC by Jakub Hrozek
Modified: 2020-05-02 17:50 UTC (History)

Fixed In Version: sssd-1.12.2-24.el7
Doc Type: Enhancement
Doc Text:
Feature: The SSSD now provides a Kerberos plugin that helps to map Kerberos principals to local SSSD user names.
Reason: Normally, there is no standardized way to map a Kerberos principal to a UNIX username. There are several methods, like using a .k5login file or an auth_to_local regular expression in the krb5.conf file, but all are difficult to use.
Result: With the help of this new localauth plugin, Active Directory users in a setup with AD trusts will be able to log in without a password to an IPA client without having to configure the auth_to_local rule or the .k5login file.
Clone Of:
: 1168357 (view as bug list)
Environment:
Last Closed: 2015-03-05 10:33:26 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 2877 None closed [RFE] Implement localauth plugin for MIT krb5 1.12 2020-05-02 17:17:52 UTC
Github SSSD sssd issues 3515 None None None 2020-05-02 17:50:23 UTC
Red Hat Bugzilla 1146945 None None None Never
Red Hat Product Errata RHBA-2015:0441 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-03-05 15:05:27 UTC

Internal Links: 1146945

Description Jakub Hrozek 2014-08-28 17:39:31 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1835

Since localauth plugin API is committed to MIT krb5 upstream, we need to implement the plugin to allow SSSD to expose trusted domains and UPN suffixes associated with our domain instead of configuring them manually.

https://github.com/krb5/krb5/commit/4216fb5b0e0abb80a3ccd8251abddc18435d81f3

Comment 1 Jakub Hrozek 2014-08-29 07:54:55 UTC
To reproduce:

1. set up AD-IPA trusts. I used http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup for testing
2. verify a user can log in with GSSAPI (aka passwordless)
3. edit krb5.conf, remove the long regex in auth_to_local parameter
4. add this section instead:

[plugins]
localauth = {
 module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 enable_only = sssd
}
      
Please verify the plugin is indeed at that path, we had some discussions
upstream about the proper placement.

5. verify a user can still log in with GSSAPI without being prompted for
password even though the auth_to_local parameter is commented out.

Comment 2 Jakub Hrozek 2014-09-02 08:41:17 UTC
master:
    8a5e793a0576250da80371e53aa3e7eba15cdb63
    6b5044001e4b0a0caf971a2cf5f27674e0d270f4

Comment 3 Martin Kosek 2014-09-02 14:15:22 UTC
IPA part of this RFE:
https://fedorahosted.org/freeipa/ticket/4514

Comment 5 Jakub Hrozek 2014-09-29 09:25:16 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2449

Comment 6 Jakub Hrozek 2014-09-29 09:26:39 UTC
There is another requirement to include the directory krb5 will create as part of fix for #1146945. I'm moving the bugzilla back to assigned.

Comment 7 Martin Kosek 2014-10-23 12:51:09 UTC
Proposed mechanism for automatic registration of the plugin on IdM clients:

https://fedorahosted.org/sssd/ticket/2473

Comment 8 Jakub Hrozek 2014-11-05 13:08:33 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2473

Comment 9 Jakub Hrozek 2014-11-25 12:41:55 UTC
The option was added to master:
4fa184e2c60b377fd71e0115a618bd68dc73627d

Comment 11 Steeve Goveas 2015-01-20 15:58:13 UTC
[root@sideswipe ~]# cat /etc/krb5.conf 
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPABUGS.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPABUGS.TEST = {
  kdc = sideswipe.ipabugs.test:88
  master_kdc = sideswipe.ipabugs.test:88
  admin_server = sideswipe.ipabugs.test:749
  default_domain = ipabugs.test
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .ipabugs.test = IPABUGS.TEST
 ipabugs.test = IPABUGS.TEST

[dbmodules]
  IPABUGS.TEST = {
    db_library = ipadb.so
  }

[root@sideswipe ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin 
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

[root@sideswipe ~]# ls -l /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
-rwxr-xr-x. 1 root root 28704 Jan 14 19:36 /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

[root@sideswipe ~]# kdestroy -A

[root@sideswipe ~]# echo Secret123 | kinit aduser1@ADTEST.QE
Password for aduser1@ADTEST.QE: 

[root@sideswipe ~]# ssh -l aduser1@adtest.qe `hostname` echo "login successful"
login successful
Could not chdir to home directory /home/adtest.qe/aduser1: No such file or directory

Verified in version
[root@sideswipe ~]# rpm -q sssd ipa-server
sssd-1.12.2-42.el7.x86_64
ipa-server-4.1.0-15.el7.x86_64
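
A small configuration check, added here as an example (it is not SSSD or MIT krb5 code), that parses the krb5.conf layout from comments 1 and 11 and confirms the localauth stanza points at the SSSD plugin with enable_only = sssd, and that no realm still carries an auth_to_local rule. The sample text is constructed from comment 11, and the parser covers only the syntax subset seen on this page (sections, key = value, nested { } blocks).

```python
import re
# Constructed krb5.conf modelled on comment 11, drop-in from comment 1 inlined.
SAMPLE_CONF = """
[realms]
 IPABUGS.TEST = {
  kdc = sideswipe.ipabugs.test:88
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
"""
SSSD_MODULE = "sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so"

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here (sections, key = value,
    nested { } blocks) into {section: {key: value or dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:                              # new top-level section
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}":                  # close the innermost block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":               # open a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_localauth(conf):
    """Findings against the layout from comment 1; [] means it matches."""
    findings = []
    la = conf.get("plugins", {}).get("localauth", {})
    if la.get("module") != SSSD_MODULE:
        findings.append("localauth module is not the SSSD plugin")
    if la.get("enable_only") != "sssd":
        findings.append("enable_only does not restrict localauth to sssd")
    for realm, opts in conf.get("realms", {}).items():
        if isinstance(opts, dict) and "auth_to_local" in opts:
            findings.append(f"realm {realm} still sets auth_to_local")
    return findings
```

On a real host, feed it the concatenation of /etc/krb5.conf and the files under the includedir path shown in comment 11.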

Comment 13 errata-xmlrpc 2015-03-05 10:33:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html
