Bug 1479283 - proxy to files does not work with implicit_files_domain
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sssd
Version: 26
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-08-08 09:00 UTC by Petr Čech
Modified: 2020-05-02 18:51 UTC (History)

Fixed In Version: sssd-1.16.0-4.fc25 sssd-1.16.0-5.fc27 sssd-1.16.0-4.fc26
Last Closed: 2017-12-11 23:22:23 UTC
Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4613 0 None None None 2020-05-02 18:51:40 UTC

Description Petr Čech 2017-08-08 09:00:01 UTC
Description of problem:

Please, update blog post:
https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling-kinit-with-sssds-help/

I upgraded from F25 to F26 and I needed a workaround for automatic kinit after login.

Version-Release number of selected component (if applicable):
sssd-1.15.2

My workaround:

If you have the same name of your local user as your kerberos user,
you can use this configuration of SSSD to reach automatic `kinit` during
login process.

$ cat /etc/sssd/sssd.conf
[sssd]
domains = redhat.com
config_file_version = 2
services = nss,pam,ifp
default_domain_suffix = redhat.com

[ifp]
#debug_level = 10

[domain/redhat.com]
id_provider = proxy
proxy_lib_name = files

auth_provider = krb5
krb5_server = kerberos01.core.prod.int.ams2.redhat.com:88
krb5_realm = REDHAT.COM
krb5_store_password_if_offline = True

cache_credentials = True

Setup pam stack:
$ authconfig --enablenis --enablesssd --enablesssdauth --update

And reset SSSD:
$ systemctl restart sssd


When Lukas Slebodnik asked me to create this BZ, he would like to see:
$ cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:      files nis sss systemd
shadow:     files nis sss
group:       files nis sss systemd
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files mdns4_minimal [NOTFOUND=return] nis dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files nis sss

publickey:  nisplus

automount:  files nis sss
aliases:    files nisplus

Comment 1 Lukas Slebodnik 2017-08-08 09:46:59 UTC
I asked Petr to file a ticket so we can track it somewhere.
And the best place is Fedora 26 due to the default implicit_files_domain.

Comment 2 Lukas Slebodnik 2017-08-08 10:10:52 UTC
BTW I would prefer to find another solution than setting "default_domain_suffix", which was not required on f25. Because it would return fqnames (user@implicit_files_domain) for local user with default f26 nsswitch.conf.

Comment 3 Jakub Hrozek 2017-08-08 10:15:59 UTC
I'm fine with updating the blog post.

But I wonder, since several users hit this problem already, if we should look into the configuration during startup (which we already do to see if there is an implicit files domain) and also check for a proxy domain proxying to files -- and if we find one, don't start the implicit domain. After all, the proxy domain is quite similar to the files domain..

Comment 4 Lukas Slebodnik 2017-08-08 10:18:39 UTC
(In reply to Jakub Hrozek from comment #3)
> I'm fine with updating the blog post.
> 
> But I wonder, since several users hit this problem already, if we should
> look into the configuration during startup (which we already do to see if
> there is an implicit files domain) and also check for a proxy domain
> proxying to files -- and if we find one, don't start the implicit domain.
> After all, the proxy domain is quite similar to the files domain..

That partially makes sense, but somebody needs to investigate possible solutions/workarounds :-)

Comment 5 Petr Čech 2017-08-08 10:30:08 UTC
Sorry, the current version of sssd on my Fedora 26 is sssd-1.15.3.

Comment 6 Lukas Slebodnik 2017-08-16 13:27:32 UTC
We've just tested the following configuration and it works.

$ cat /etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss,pam

[domain/example.com]
id_provider = files
proxy_lib_name = files

auth_provider = krb5
krb5_server = kerberos01.example.com:88
krb5_realm = REDHAT.COM
krb5_store_password_if_offline = True

cache_credentials = True

But on the other hand, there might be more users (still on f25) who use proxy to files. Therefore we might disable starting implicit_files_domain after detecting id_provider = proxy (to files).
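
The startup check proposed in comments 3 and 6, sketched as an added example (not SSSD's code and not the fix that shipped): it parses an sssd.conf and reports enabled domains that proxy to files, plus the default_domain_suffix workaround from the description. The function names, the result keys and the sample configuration are assumptions made for illustration.

```python
import configparser

# Constructed sample: the proxy-to-files layout from the bug description,
# with placeholder domain and server names.
SAMPLE_CONF = """\
[sssd]
domains = example.com
config_file_version = 2
services = nss,pam
default_domain_suffix = example.com

[domain/example.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = kdc.example.com:88
"""


def audit_sssd_conf(text):
    """Classify enabled domains that overlap with the implicit files domain."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    findings = {"proxy_to_files": [], "explicit_files": [], "fq_names_forced": False}
    enabled = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",")]
    for name in filter(None, enabled):
        section = "domain/" + name
        if not cfg.has_section(section):
            continue  # listed in domains= but never defined; nothing to classify
        provider = cfg.get(section, "id_provider", fallback="").strip().lower()
        lib = cfg.get(section, "proxy_lib_name", fallback="").strip().lower()
        if provider == "proxy" and lib == "files":
            findings["proxy_to_files"].append(name)
        elif provider == "files":
            findings["explicit_files"].append(name)
    # Comment 2: with default_domain_suffix set, local users come back as fqnames.
    findings["fq_names_forced"] = cfg.has_option("sssd", "default_domain_suffix")
    return findings


def skip_implicit_files_domain(text):
    """Decision proposed in comment 3: skip when a proxy-to-files domain exists."""
    return bool(audit_sssd_conf(text)["proxy_to_files"])


if __name__ == "__main__":
    print(audit_sssd_conf(SAMPLE_CONF))
    print("skip implicit files domain:", skip_implicit_files_domain(SAMPLE_CONF))
```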

Comment 7 Lukas Slebodnik 2017-11-30 09:04:25 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3590

Comment 8 Fedora Update System 2017-12-04 22:00:26 UTC
sssd-1.16.0-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9c7b92556b

Comment 9 Fedora Update System 2017-12-04 22:06:34 UTC
sssd-1.16.0-5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4286c0635d

Comment 10 Fedora Update System 2017-12-05 09:36:03 UTC
sssd-1.16.0-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9bbe262ea8

Comment 11 Lukas Slebodnik 2017-12-06 09:51:02 UTC
master:
* 34e5190f9a47e4a2e15d825123b33d42c7e72ccc
* 4928657ce937d6b08c79cfe267f206ca2db493c6
* 30621369bbf6c554401a20d84e447f872608bc53
* c987e58316f729f7682aa6843f1337f4a4575e07

Comment 12 Fedora Update System 2017-12-09 05:46:59 UTC
sssd-1.16.0-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9bbe262ea8

Comment 13 Fedora Update System 2017-12-09 07:27:16 UTC
sssd-1.16.0-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9c7b92556b

Comment 14 Fedora Update System 2017-12-10 00:31:14 UTC
sssd-1.16.0-5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4286c0635d

Comment 15 Fedora Update System 2017-12-11 23:22:23 UTC
sssd-1.16.0-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2017-12-12 11:25:34 UTC
sssd-1.16.0-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2017-12-12 13:43:29 UTC
sssd-1.16.0-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

