Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1525052

Summary: sssd_krb5_localauth_plugin fails to fallback to other localname rules
Product: Red Hat Enterprise Linux 7 Reporter: Brian J. Atkisson <batkisso>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Madhuri <mupadhye>
Severity: high Docs Contact:
Priority: high    
Version: 7.4CC: batkisso, enewland, fidencio, grajaiya, jhrozek, lslebodn, mkosek, msauton, mzidek, nsoman, pbrezina, sbose, sgoveas, tscherf
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.16.0-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1559288 (view as bug list) Environment:
Last Closed: 2018-04-10 17:20:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1559288    
Attachments:
Description Flags
Test program from the MIT Kerberos source tree srv/tests/localauth.c none

Description Brian J. Atkisson 2017-12-12 14:35:29 UTC 
Description of problem:

The sssd /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so plugin does not allow fallback to other localauth rules. This means that on a IPA-enrolled system, one cannot define kerberos auth_to_local rules in krb5.conf.  This has the impact of preventing kerberos trust from working correctly.  This issue has been fixed upstream, we just need it back-ported to RHEL 7.4:

======
commit 3f94a979eebd1c9496b49b4e07b7823550dec97e
Author: Sumit Bose <sbose>
Date:   Wed Aug 23 17:06:20 2017 +0200

   localauth plugin: change return code of sss_an2ln
      It is expected that the an2ln plugin function returns KRB5_LNAME_NOTRANS
   to indicate that no mapping can be determined and other an2ln methods
   can be tried. Currently SSSD's localauth plugin returns
   KRB5_PLUGIN_NO_HANDLE which sould only be used for the userok plugin
   function.
      Resolves https://pagure.io/SSSD/sssd/issue/3459
      Reviewed-by: Jakub Hrozek <jhrozek>
   Reviewed-by: Fabiano Fidêncio <fidencio>

=======

Version-Release number of selected component (if applicable):

sssd-1.15.2-50.el7_4.6.x86_64
redhat-release-server-7.4-18.el7.x86_64

How reproducible:

Always


Steps to Reproduce:
1. Establish a kerberos bi-drectional trust between IdM and plain kerberos
2. define rules in krb5.conf, such as:

[realms]
  IPA.EXAMPLE.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
    auth_to_local = DEFAULT
  }

3. Attempt to ssh in using gssapi with a foreign principal (user).

Actual results:

Auth is not allowed.  If you:
echo "" > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin && chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin, then the user will be granted access.
Comment 3 Jakub Hrozek 2017-12-12 20:06:04 UTC 
master:
    * b4e4553
    * 3f94a97
Comment 5 Jakub Hrozek 2017-12-12 20:08:37 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3459
Comment 7 Sumit Bose 2017-12-15 09:29:12 UTC 
Created attachment 1368417 [details]
Test program from the MIT Kerberos source tree srv/tests/localauth.c

How to test:

Compile the attached test program from the MIT Kerberos source tree

    gcc -ggdb -Wall -Wextra /tmp/localauth.c  -o /tmp/localauth -lkrb5

Create a test krb5.conf file:

/tmp/krb5.conf:
[libdefaults]
 default_realm = ABC.DEF

[realms]
  ABC.DEF = {
    auth_to_local = RULE:[1:$1@$0](.*@ABC.DEF)s/@.*//
    auth_to_local = DEFAULT
  }

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

Call the test program:

    $ KRB5_CONFIG=/tmp/krb5.conf /tmp/localauth xyz 
    xyz

If 'xyz' is returned the test passed. If something else or 'No translation available for requested principal' is returned the test failed because the auth_to_local rules was not reached.

If can force a failure by adding 'enable_only = sssd' after 'module = sssd:....'
Comment 8 Madhuri 2017-12-15 13:11:12 UTC 
Verified with 
sssd-1.16.0-11.el7
sssd-client-1.16.0-11.el7

Verification steps:
1. Set up ldap server and kerberos server.
2. Configure sssd client with,
   id_provider = ldap
   auth_provider =krb5

3. Check the user look up.
# getent passwd testuser1
testuser1:*:2001:2001:Test User1:/home/testuser1:/bin/bash

4. Create the localauth.c

5. Compile localauth.c
#gcc -ggdb -Wall -Wextra localauth.c  -o localauth -lkrb5

6. /etc/krb.conf

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = vm-idm-004.lab.eng.pnq.redhat.com
  admin_server = vm-idm-004.lab.eng.pnq.redhat.com
  auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
  auth_to_local = DEFAULT
 }

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

7. Check
# ls /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

8. Call the test program,
# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz
xyz

xyz returned, so test passed successfully.

9. Negative testing
 
Add ‘enable_only = sssd’

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

10. Call the program
# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz
No translation available for requested principal

Test failed, as expected.
Comment 23 errata-xmlrpc 2018-04-10 17:20:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929