Created attachment 1479559
Video demonstrating login process
Description of problem:
I'm looking for a way to emulate the existing group account login system we are using within SSSD.
I believe this is an RFE, as the features do not currently exist within SSSD.
Version-Release number of selected component (if applicable): sssd-2.0
How Reproducible: Always
Steps to Reproduce:
These are the things that I'd like to perform.
1. Able to do local login with user "testuser" and a local password
2. Able to do a local login/unlock screen for user "testuser" using the Kerberos Principal and Kerberos Password of a third party (Kerberos Principal must be in ~/.k5login)
3. Able to do a local login/unlock screen for user "testuser" using the Kerberos Principal and Kerberos Password of a different person (Kerberos Principal must be in ~/.k5login)
4. Able to do a local login/unlock screen for user "testuser" via PKINIT with the smartcard of a Kerberos Principal of yet another different person (Kerberos Principal must be in ~/.k5login)
Removal of user from ~/.k5login revokes their login/unlock access.
The attached video demonstrates steps 1-3 on the alternate pam_krb5.
I find no clear way to configure SSSD to support steps 2-4.
Able to set up these complex login methods (SSSD already supports #1).
After login the user receives their own Kerberos ticket and not the ticket of a previous user.
The Kerberos ticket is stored according to default_ccache_name (or the setting from pam_env KRB5CCNAME) from krb5.conf/[libdefaults].
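Steps 2-4 and the revocation rule above all turn on one decision: is the presenting Kerberos principal listed in testuser's ~/.k5login, and can that file be trusted? The Python below is an added example, not SSSD or pam_krb5 code; it models that decision on the .k5login rules of krb5_kuserok (file owned by the account or root, not writable by others, one principal per line; with no file present only local_user@default_realm passes), which is an assumption here, and the realm EXAMPLE.COM and the scenario in demo() are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_REALM = "EXAMPLE.COM"  # constructed value; in practice krb5.conf's default_realm


def _k5login_trusted(path: Path, uid: int) -> bool:
    """Ignore a .k5login that someone other than the account owner or root could edit."""
    st = path.stat()
    owner_ok = st.st_uid in (0, uid)
    not_writable_by_others = not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return owner_ok and not_writable_by_others


def principal_may_login(local_user: str, principal: str, home: Path, uid: int,
                        default_realm: str = DEFAULT_REALM) -> bool:
    """Decide whether `principal` may log in / unlock as `local_user`.
    Modelled on the ~/.k5login rules of krb5_kuserok (assumption; not SSSD or
    pam_krb5 code): with a .k5login present only the listed principals pass,
    without one only local_user@default_realm does. Editing the file therefore
    grants or revokes access immediately, as the report requires.
    """
    k5login = home / ".k5login"
    if not k5login.exists():
        return principal == f"{local_user}@{default_realm}"
    if not _k5login_trusted(k5login, uid):
        return False
    allowed = {line.strip() for line in k5login.read_text().splitlines()} - {""}
    return principal in allowed


def demo() -> dict:
    """Constructed scenario: local 'testuser' authorises two other people's
    principals, then one is removed; everything lives in a temporary home."""
    results, user = {}, "testuser"
    with tempfile.TemporaryDirectory() as tmp:
        home, uid = Path(tmp), os.getuid()
        k5login = home / ".k5login"
        results["no_file_self"] = principal_may_login(user, "testuser@EXAMPLE.COM", home, uid)
        results["no_file_other"] = principal_may_login(user, "alice@EXAMPLE.COM", home, uid)
        k5login.write_text("alice@EXAMPLE.COM\nbob@EXAMPLE.COM\n")
        k5login.chmod(0o600)
        results["alice_listed"] = principal_may_login(user, "alice@EXAMPLE.COM", home, uid)
        results["self_not_listed"] = principal_may_login(user, "testuser@EXAMPLE.COM", home, uid)
        k5login.write_text("bob@EXAMPLE.COM\n")  # removing a line revokes alice
        results["alice_revoked"] = principal_may_login(user, "alice@EXAMPLE.COM", home, uid)
        k5login.chmod(0o666)  # world-writable file is not trusted: deny everyone
        results["world_writable"] = principal_may_login(user, "bob@EXAMPLE.COM", home, uid)
    return results
```

Note that once a .k5login exists, testuser's own principal is denied unless it is listed too, which matches how krb5_kuserok behaves and is worth remembering when wiring up step 1 alongside steps 2-4.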
Features provided by:
Builds off of: