Bug 1525052 - sssd_krb5_localauth_plugin fails to fallback to other localname rules
Summary: sssd_krb5_localauth_plugin fails to fallback to other localname rules
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Madhuri
URL:
Whiteboard:
Depends On:
Blocks: 1559288
TreeView+ depends on / blocked
 
Reported: 2017-12-12 14:35 UTC by Brian J. Atkisson
Modified: 2018-05-02 11:23 UTC (History)
14 users (show)

Fixed In Version: sssd-1.16.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1559288 (view as bug list)
Environment:
Last Closed: 2018-04-10 17:20:30 UTC


Attachments (Terms of Use)
Test program from the MIT Kerberos source tree srv/tests/localauth.c (2.39 KB, text/x-csrc)
2017-12-15 09:29 UTC, Sumit Bose
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0929 None None None 2018-04-10 17:21:33 UTC

Description Brian J. Atkisson 2017-12-12 14:35:29 UTC
Description of problem:

The sssd /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so plugin does not allow fallback to other localauth rules. This means that on a IPA-enrolled system, one cannot define kerberos auth_to_local rules in krb5.conf.  This has the impact of preventing kerberos trust from working correctly.  This issue has been fixed upstream, we just need it back-ported to RHEL 7.4:

======
commit 3f94a979eebd1c9496b49b4e07b7823550dec97e
Author: Sumit Bose <sbose@redhat.com>
Date:   Wed Aug 23 17:06:20 2017 +0200

   localauth plugin: change return code of sss_an2ln
      It is expected that the an2ln plugin function returns KRB5_LNAME_NOTRANS
   to indicate that no mapping can be determined and other an2ln methods
   can be tried. Currently SSSD's localauth plugin returns
   KRB5_PLUGIN_NO_HANDLE which sould only be used for the userok plugin
   function.
      Resolves https://pagure.io/SSSD/sssd/issue/3459
      Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
   Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

=======

Version-Release number of selected component (if applicable):

sssd-1.15.2-50.el7_4.6.x86_64
redhat-release-server-7.4-18.el7.x86_64

How reproducible:

Always


Steps to Reproduce:
1. Establish a kerberos bi-drectional trust between IdM and plain kerberos
2. define rules in krb5.conf, such as:

[realms]
  IPA.EXAMPLE.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
    auth_to_local = DEFAULT
  }

3. Attempt to ssh in using gssapi with a foreign principal (user@EXAMPLE.COM).

Actual results:

Auth is not allowed.  If you:
echo "" > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin && chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin, then the user will be granted access.

Comment 3 Jakub Hrozek 2017-12-12 20:06:04 UTC
master:
    * b4e4553
    * 3f94a97

Comment 5 Jakub Hrozek 2017-12-12 20:08:37 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3459

Comment 7 Sumit Bose 2017-12-15 09:29:12 UTC
Created attachment 1368417 [details]
Test program from the MIT Kerberos source tree srv/tests/localauth.c

How to test:

Compile the attached test program from the MIT Kerberos source tree

    gcc -ggdb -Wall -Wextra /tmp/localauth.c  -o /tmp/localauth -lkrb5

Create a test krb5.conf file:

/tmp/krb5.conf:
[libdefaults]
 default_realm = ABC.DEF

[realms]
  ABC.DEF = {
    auth_to_local = RULE:[1:$1@$0](.*@ABC.DEF)s/@.*//
    auth_to_local = DEFAULT
  }

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

Call the test program:

    $ KRB5_CONFIG=/tmp/krb5.conf /tmp/localauth xyz@ABC.DEF 
    xyz

If 'xyz' is returned the test passed. If something else or 'No translation available for requested principal' is returned the test failed because the auth_to_local rules was not reached.

If can force a failure by adding 'enable_only = sssd' after 'module = sssd:....'

Comment 8 Madhuri 2017-12-15 13:11:12 UTC
Verified with 
sssd-1.16.0-11.el7
sssd-client-1.16.0-11.el7

Verification steps:
1. Set up ldap server and kerberos server.
2. Configure sssd client with,
   id_provider = ldap
   auth_provider =krb5

3. Check the user look up.
# getent passwd testuser1
testuser1:*:2001:2001:Test User1:/home/testuser1:/bin/bash

4. Create the localauth.c

5. Compile localauth.c
#gcc -ggdb -Wall -Wextra localauth.c  -o localauth -lkrb5

6. /etc/krb.conf

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = vm-idm-004.lab.eng.pnq.redhat.com
  admin_server = vm-idm-004.lab.eng.pnq.redhat.com
  auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
  auth_to_local = DEFAULT
 }

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

7. Check
# ls /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

8. Call the test program,
# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz@EXAMPLE.COM
xyz

xyz returned, so test passed successfully.

9. Negative testing
 
Add ‘enable_only = sssd’

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

10. Call the program
# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz@EXAMPLE.COM
No translation available for requested principal

Test failed, as expected.

Comment 23 errata-xmlrpc 2018-04-10 17:20:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929


Note You need to log in before you can comment on or make changes to this bug.