1525052 – sssd_krb5_localauth_plugin fails to fallback to other localname rules

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1525052 - sssd_krb5_localauth_plugin fails to fallback to other localname rules

Summary: sssd_krb5_localauth_plugin fails to fallback to other localname rules

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	SSSD Maintainers
QA Contact:	Madhuri
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1559288
TreeView+	depends on / blocked

Reported:	2017-12-12 14:35 UTC by Brian J. Atkisson
Modified:	2021-06-10 13:55 UTC (History)
CC List:	14 users (show)
Fixed In Version:	sssd-1.16.0-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1559288 (view as bug list)
Environment:
Last Closed:	2018-04-10 17:20:30 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Test program from the MIT Kerberos source tree srv/tests/localauth.c (2.39 KB, text/x-csrc) 2017-12-15 09:29 UTC, Sumit Bose	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 4485	0	None	closed	Allow fallback from krb5_aname_to_localname to other krb5 plugins	2021-01-26 13:56:59 UTC
Red Hat Product Errata	RHEA-2018:0929	0	None	None	None	2018-04-10 17:21:33 UTC

Description Brian J. Atkisson 2017-12-12 14:35:29 UTC

Description of problem:

The sssd /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so plugin does not allow fallback to other localauth rules. This means that on a IPA-enrolled system, one cannot define kerberos auth_to_local rules in krb5.conf.  This has the impact of preventing kerberos trust from working correctly.  This issue has been fixed upstream, we just need it back-ported to RHEL 7.4:

======
commit 3f94a979eebd1c9496b49b4e07b7823550dec97e
Author: Sumit Bose <sbose>
Date:   Wed Aug 23 17:06:20 2017 +0200

   localauth plugin: change return code of sss_an2ln
      It is expected that the an2ln plugin function returns KRB5_LNAME_NOTRANS
   to indicate that no mapping can be determined and other an2ln methods
   can be tried. Currently SSSD's localauth plugin returns
   KRB5_PLUGIN_NO_HANDLE which sould only be used for the userok plugin
   function.
      Resolves https://pagure.io/SSSD/sssd/issue/3459
      Reviewed-by: Jakub Hrozek <jhrozek>
   Reviewed-by: Fabiano Fidêncio <fidencio>

=======

Version-Release number of selected component (if applicable):

sssd-1.15.2-50.el7_4.6.x86_64
redhat-release-server-7.4-18.el7.x86_64

How reproducible:

Always


Steps to Reproduce:
1. Establish a kerberos bi-drectional trust between IdM and plain kerberos
2. define rules in krb5.conf, such as:

[realms]
  IPA.EXAMPLE.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
    auth_to_local = DEFAULT
  }

3. Attempt to ssh in using gssapi with a foreign principal (user).

Actual results:

Auth is not allowed.  If you:
echo "" > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin && chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin, then the user will be granted access.

Comment 3 Jakub Hrozek 2017-12-12 20:06:04 UTC

master:
    * b4e4553
    * 3f94a97

Comment 5 Jakub Hrozek 2017-12-12 20:08:37 UTC

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3459

Comment 7 Sumit Bose 2017-12-15 09:29:12 UTC

Created attachment 1368417 [details]
Test program from the MIT Kerberos source tree srv/tests/localauth.c

How to test:

Compile the attached test program from the MIT Kerberos source tree

    gcc -ggdb -Wall -Wextra /tmp/localauth.c  -o /tmp/localauth -lkrb5

Create a test krb5.conf file:

/tmp/krb5.conf:
[libdefaults]
 default_realm = ABC.DEF

[realms]
  ABC.DEF = {
    auth_to_local = RULE:[1:$1@$0](.*@ABC.DEF)s/@.*//
    auth_to_local = DEFAULT
  }

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

Call the test program:

    $ KRB5_CONFIG=/tmp/krb5.conf /tmp/localauth xyz 
    xyz

If 'xyz' is returned the test passed. If something else or 'No translation available for requested principal' is returned the test failed because the auth_to_local rules was not reached.

If can force a failure by adding 'enable_only = sssd' after 'module = sssd:....'

Comment 8 Madhuri 2017-12-15 13:11:12 UTC

Verified with 
sssd-1.16.0-11.el7
sssd-client-1.16.0-11.el7

Verification steps:
1. Set up ldap server and kerberos server.
2. Configure sssd client with,
   id_provider = ldap
   auth_provider =krb5

3. Check the user look up.
# getent passwd testuser1
testuser1:*:2001:2001:Test User1:/home/testuser1:/bin/bash

4. Create the localauth.c

5. Compile localauth.c
#gcc -ggdb -Wall -Wextra localauth.c  -o localauth -lkrb5

6. /etc/krb.conf

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = vm-idm-004.lab.eng.pnq.redhat.com
  admin_server = vm-idm-004.lab.eng.pnq.redhat.com
  auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
  auth_to_local = DEFAULT
 }

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

7. Check
# ls /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

8. Call the test program,
# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz
xyz

xyz returned, so test passed successfully.

9. Negative testing
 
Add ‘enable_only = sssd’

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

10. Call the program
# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz
No translation available for requested principal

Test failed, as expected.

Comment 23 errata-xmlrpc 2018-04-10 17:20:30 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929

Note You need to log in before you can comment on or make changes to this bug.