Bug 1135043 - [RFE] Implement localauth plugin for MIT krb5 1.12
Summary: [RFE] Implement localauth plugin for MIT krb5 1.12
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
Depends On:
Blocks: 1168357
Reported: 2014-08-28 17:39 UTC by Jakub Hrozek
Modified: 2020-05-02 17:50 UTC (History)

Fixed In Version: sssd-1.12.2-24.el7
Doc Type: Enhancement
Doc Text:
Feature: SSSD now provides a Kerberos plugin that maps Kerberos principals to local SSSD user names.
Reason: Normally, there is no standardized way to map a Kerberos principal to a UNIX username. There are several methods, such as a .k5login file or an auth_to_local regular expression in krb5.conf, but all of them are difficult to use.
Result: With the help of this new localauth plugin, Active Directory users in a setup with AD trusts are able to log in to an IPA client without a password and without having to configure an auth_to_local rule or a .k5login file.
Clone Of:
: 1168357 (view as bug list)
Last Closed: 2015-03-05 10:33:26 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Github SSSD sssd issues 2877 None closed [RFE] Implement localauth plugin for MIT krb5 1.12 2020-05-02 17:17:52 UTC
Github SSSD sssd issues 3515 None None None 2020-05-02 17:50:23 UTC
Red Hat Bugzilla 1146945 None None None Never
Red Hat Product Errata RHBA-2015:0441 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-03-05 15:05:27 UTC

Internal Links: 1146945

Description Jakub Hrozek 2014-08-28 17:39:31 UTC
This bug is created as a clone of upstream ticket:

Since the localauth plugin API is committed to MIT krb5 upstream, we need to implement the plugin to allow SSSD to expose trusted domains and UPN suffixes associated with our domain instead of configuring them manually.


Comment 1 Jakub Hrozek 2014-08-29 07:54:55 UTC
To reproduce:

1. set up AD-IPA trusts. I used http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup for testing
2. verify a user can log in with GSSAPI (aka passwordless)
3. edit krb5.conf, remove the long regex in auth_to_local parameter
4. add this section instead:

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

Please verify the plugin is indeed at that path; we had some discussions
upstream about the proper placement.

5. verify a user can still log in with GSSAPI without being prompted for
a password even though the auth_to_local parameter is commented out.
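An added Python example, not part of this bug report or of SSSD: it parses a krb5.conf fragment shaped like the snippet in step 4 (assumed helper names parse_krb5_conf and check_localauth) and checks that the localauth block names an absolute module path whose name matches enable_only; with check_path=True it also verifies that the .so really exists, which is the placement question raised in the comment.

```python
import os
import re

# Constructed sample modelled on the localauth snippet in this bug (not real host data).
SAMPLE_KRB5_CONF = """\
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
"""

def parse_krb5_conf(text):
    """Return {section: {key: value-or-nested-dict}} for krb5.conf text.
    Handles [section] headers, 'name = {' ... '}' blocks and # comments."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":
            if len(stack) > 1:          # close the innermost block
                stack.pop()
        elif line.endswith("= {") and stack:
            child = stack[-1].setdefault(line[:-3].strip(), {})
            stack.append(child)
        elif "=" in line and stack:
            key, value = (s.strip() for s in line.split("=", 1))
            stack[-1][key] = value
    return sections

def check_localauth(conf, check_path=False):
    """Return findings about the localauth block; an empty list means OK."""
    block = conf.get("plugins", {}).get("localauth")
    if not isinstance(block, dict):
        return ["no [plugins] localauth block found"]
    findings = []
    module = block.get("module", "")
    m = re.fullmatch(r"([A-Za-z0-9_]+):(/\S+)", module)   # krb5 "name:path" form
    if not m:
        return ["module must be 'name:/absolute/path', got %r" % module]
    name, path = m.groups()
    if block.get("enable_only") != name:
        findings.append("enable_only should be %r to match the module" % name)
    if check_path and not os.path.isfile(path):
        findings.append("plugin file not found at %s" % path)
    return findings
```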

Comment 2 Jakub Hrozek 2014-09-02 08:41:17 UTC

Comment 3 Martin Kosek 2014-09-02 14:15:22 UTC
IPA part of this RFE:

Comment 5 Jakub Hrozek 2014-09-29 09:25:16 UTC
Upstream ticket:

Comment 6 Jakub Hrozek 2014-09-29 09:26:39 UTC
There is another requirement to include the directory krb5 will create as part of fix for #1146945. I'm moving the bugzilla back to assigned.

Comment 7 Martin Kosek 2014-10-23 12:51:09 UTC
Proposed mechanism for automatic registration of the plugin on IdM clients:


Comment 8 Jakub Hrozek 2014-11-05 13:08:33 UTC
Upstream ticket:

Comment 9 Jakub Hrozek 2014-11-25 12:41:55 UTC
The option was added to master:

Comment 11 Steeve Goveas 2015-01-20 15:58:13 UTC
[root@sideswipe ~]# cat /etc/krb5.conf 
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPABUGS.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPABUGS.TEST = {
  kdc = sideswipe.ipabugs.test:88
  master_kdc = sideswipe.ipabugs.test:88
  admin_server = sideswipe.ipabugs.test:749
  default_domain = ipabugs.test
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .ipabugs.test = IPABUGS.TEST
 ipabugs.test = IPABUGS.TEST

[dbmodules]
  ipadb = {
    db_library = ipadb.so
  }

[root@sideswipe ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin 
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

[root@sideswipe ~]# ls -l /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
-rwxr-xr-x. 1 root root 28704 Jan 14 19:36 /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

[root@sideswipe ~]# kdestroy -A

[root@sideswipe ~]# echo Secret123 | kinit aduser1@ADTEST.QE
Password for aduser1@ADTEST.QE: 

[root@sideswipe ~]# ssh -l aduser1@adtest.qe `hostname` echo "login successful"
login successful
Could not chdir to home directory /home/adtest.qe/aduser1: No such file or directory

Verified in version
[root@sideswipe ~]# rpm -q sssd ipa-server

Comment 13 errata-xmlrpc 2015-03-05 10:33:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

