Bug 1525052 - sssd_krb5_localauth_plugin fails to fallback to other localname rules
sssd_krb5_localauth_plugin fails to fallback to other localname rules
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: SSSD Maintainers
QA Contact: Madhuri
Keywords: ZStream
Depends On:
Blocks: 1559288
Reported: 2017-12-12 09:35 EST by Brian J. Atkisson
Modified: 2018-05-02 07:23 EDT (History)

See Also:
Fixed In Version: sssd-1.16.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clones: 1559288
Environment:
Last Closed: 2018-04-10 13:20:30 EDT
Type: Bug


Attachments
Test program from the MIT Kerberos source tree srv/tests/localauth.c (2.39 KB, text/x-csrc), 2017-12-15 04:29 EST, Sumit Bose


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0929 None None None 2018-04-10 13:21 EDT

Description Brian J. Atkisson 2017-12-12 09:35:29 EST
Description of problem:

The sssd /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so plugin does not allow fallback to other localauth rules. This means that on an IPA-enrolled system, one cannot define kerberos auth_to_local rules in krb5.conf. This has the impact of preventing kerberos trust from working correctly. This issue has been fixed upstream; we just need it back-ported to RHEL 7.4:

======
commit 3f94a979eebd1c9496b49b4e07b7823550dec97e
Author: Sumit Bose <sbose@redhat.com>
Date:   Wed Aug 23 17:06:20 2017 +0200

    localauth plugin: change return code of sss_an2ln

    It is expected that the an2ln plugin function returns KRB5_LNAME_NOTRANS
    to indicate that no mapping can be determined and other an2ln methods
    can be tried. Currently SSSD's localauth plugin returns
    KRB5_PLUGIN_NO_HANDLE which should only be used for the userok plugin
    function.

    Resolves https://pagure.io/SSSD/sssd/issue/3459

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

======

Version-Release number of selected component (if applicable):

sssd-1.15.2-50.el7_4.6.x86_64
redhat-release-server-7.4-18.el7.x86_64

How reproducible:

Always


Steps to Reproduce:
1. Establish a kerberos bi-directional trust between IdM and plain kerberos
2. define rules in krb5.conf, such as:

[realms]
  IPA.EXAMPLE.COM = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
    auth_to_local = DEFAULT
  }

3. Attempt to ssh in using gssapi with a foreign principal (user@EXAMPLE.COM).

Actual results:

Auth is not allowed. If you run:

    echo "" > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin && chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin

then the user will be granted access.
Comment 3 Jakub Hrozek 2017-12-12 15:06:04 EST
master:
    * b4e4553
    * 3f94a97
Comment 5 Jakub Hrozek 2017-12-12 15:08:37 EST
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3459
Comment 7 Sumit Bose 2017-12-15 04:29 EST
Created attachment 1368417 [details]
Test program from the MIT Kerberos source tree srv/tests/localauth.c

How to test:

Compile the attached test program from the MIT Kerberos source tree

    gcc -ggdb -Wall -Wextra /tmp/localauth.c  -o /tmp/localauth -lkrb5

Create a test krb5.conf file:

/tmp/krb5.conf:
[libdefaults]
 default_realm = ABC.DEF

[realms]
  ABC.DEF = {
    auth_to_local = RULE:[1:$1@$0](.*@ABC.DEF)s/@.*//
    auth_to_local = DEFAULT
  }

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

Call the test program:

    $ KRB5_CONFIG=/tmp/krb5.conf /tmp/localauth xyz@ABC.DEF 
    xyz

If 'xyz' is returned, the test passed. If something else or 'No translation available for requested principal' is returned, the test failed because the auth_to_local rules were not reached.

You can force a failure by adding 'enable_only = sssd' after 'module = sssd:....'
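The commit message and the test above both turn on how MIT Kerberos walks its an2ln chain: a module returning KRB5_LNAME_NOTRANS lets the next auth_to_local value run, while any other non-zero code ends the lookup. The following is an added illustrative model of that chain (not the attached localauth.c and not MIT or SSSD code): it evaluates the RULE:[n:string](regex)s/pat/rep/ and DEFAULT values from this report and stands in a constructed SSSD plugin that either returns NOTRANS (fixed) or PLUGIN_NO_HANDLE (pre-fix). It assumes, as the MIT localauth interface documents, that untyped plugin modules are consulted before the auth_to_local values.

```python
import re

# Localauth return codes by name; only their identity matters for the chain logic.
OK, NOTRANS, NO_HANDLE = 0, "KRB5_LNAME_NOTRANS", "KRB5_PLUGIN_NO_HANDLE"

def rule_an2ln(rule, comps, realm):
    """Evaluate one auth_to_local RULE:[n:string](regex)s/pat/rep/... value."""
    m = re.fullmatch(r"\[(\d+):([^\]]*)\]\(([^)]*)\)(.*)", rule)
    n, fmt, selector, subs = int(m[1]), m[2], m[3], m[4]
    if len(comps) != n:                      # rule applies only to n-component names
        return NOTRANS, None
    s = fmt.replace("$0", realm)             # $0 is the realm, $1..$n the components
    for i, c in enumerate(comps, 1):
        s = s.replace(f"${i}", c)
    if not re.fullmatch(selector, s):        # selector regex did not match: try next
        return NOTRANS, None
    for pat, rep, g in re.findall(r"s/([^/]*)/([^/]*)/(g?)", subs):
        s = re.sub(pat, rep, s, count=0 if g else 1)
    return OK, s

def default_an2ln(comps, realm, default_realm):
    """DEFAULT: a single-component principal in the default realm maps to its name."""
    return (OK, comps[0]) if realm == default_realm and len(comps) == 1 else (NOTRANS, None)

def sssd_plugin(known, fixed):
    """Constructed stand-in for sssd_krb5_localauth_plugin: maps principals SSSD knows;
    for unknown ones returns NOTRANS (fixed) or PLUGIN_NO_HANDLE (pre-fix behaviour)."""
    def an2ln(comps, realm):
        princ = "/".join(comps) + "@" + realm
        if princ in known:
            return OK, known[princ]
        return (NOTRANS if fixed else NO_HANDLE), None
    return an2ln

def aname_to_localname(principal, modules, values, default_realm):
    """Chain model: untyped modules first, then auth_to_local values in order.
    OK ends the chain with a name, NOTRANS moves on, any other code aborts."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    steps = [lambda m=m: m(comps, realm) for m in modules]
    for v in values:
        if v.startswith("RULE:"):
            steps.append(lambda v=v: rule_an2ln(v[5:], comps, realm))
        elif v == "DEFAULT":
            steps.append(lambda: default_an2ln(comps, realm, default_realm))
    for step in steps:
        code, lname = step()
        if code == OK:
            return lname
        if code != NOTRANS:
            return None                      # hard error: later rules never reached
    return None
```

With the pre-fix plugin, user@EXAMPLE.COM never reaches the RULE and the lookup fails; with the fixed plugin the same call yields 'user'.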
Comment 8 Madhuri 2017-12-15 08:11:12 EST
Verified with 
sssd-1.16.0-11.el7
sssd-client-1.16.0-11.el7

Verification steps:
1. Set up ldap server and kerberos server.
2. Configure sssd client with,
   id_provider = ldap
   auth_provider = krb5

3. Check the user look up.
# getent passwd testuser1
testuser1:*:2001:2001:Test User1:/home/testuser1:/bin/bash

4. Create the localauth.c

5. Compile localauth.c
# gcc -ggdb -Wall -Wextra localauth.c -o localauth -lkrb5

6. /etc/krb5.conf

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = vm-idm-004.lab.eng.pnq.redhat.com
  admin_server = vm-idm-004.lab.eng.pnq.redhat.com
  auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
  auth_to_local = DEFAULT
 }

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

7. Check
# ls /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so

8. Call the test program,
# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz@EXAMPLE.COM
xyz

xyz returned, so test passed successfully.

9. Negative testing
 
Add 'enable_only = sssd'

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

10. Call the program
# KRB5_CONFIG=/etc/krb5.conf ./localauth xyz@EXAMPLE.COM
No translation available for requested principal

Test failed, as expected.
Comment 23 errata-xmlrpc 2018-04-10 13:20:30 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929
