Bug 714600 - ipa-client-install should configure sssd to store password if offline
Summary: ipa-client-install should configure sssd to store password if offline
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-20 08:36 UTC by Marko Myllynen
Modified: 2015-01-04 23:49 UTC (History)
5 users (show)

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: The default sssd configuration does not store passwords if offline. Consequence: If the machine is disconnected from the network sssd will be unable to authenticate users. Fix: Set krb5_store_password_if_offline to True in sssd.conf by default. There is an ipa-client-install option --no-krb5-offline-passwords if this is not desired. Result: Passwords are stored by default.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:36:08 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Marko Myllynen 2011-06-20 08:36:07 UTC
Description of problem:
A common use case is when a user logs in while offline, then goes online (e.g., after establishing a VPN connection) and then tries to access IPA hosts/services. This fails currently because no Kerberos ticket is available after an offline login. It would be nice if ipa-client-install would configure (at least optionally) SSSD to store password if offline (i.e., set krb5_store_password_if_offline in sssd.conf for the domain).

Version-Release number of selected component (if applicable):
RHEL 6.1

Comment 2 Rob Crittenden 2011-06-20 16:12:16 UTC
https://fedorahosted.org/freeipa/ticket/1359

Comment 3 Rob Crittenden 2011-08-01 20:16:36 UTC
master: 1c5028c17df9dc903a6db2712738670c3534246f

Comment 6 Namita Soman 2011-10-14 19:30:15 UTC
Installed client using command:
 ipa-client-install --domain=testrelm --realm=TESTRELM -p admin -w <xxx>

sssd.conf has krb5_store_password_if_offline = True

Verified request above using steps below::
1. Logged in as user test
2. kdestroy - no cached cred.
3. Client's network is stopped
4. log out user test
5. log back user test
6. And user test can log in offline
7. klist shows:
Ticket cache: FILE:/tmp/krb5cc_618800003_nNXtCe
Default principal: one@TESTRELM

Valid starting     Expires            Service principal
12/31/69 19:00:00  12/31/69 19:00:00  krbtgt/TESTRELM@TESTRELM
8. Restarted network service
9. After a few minutes, klist shows:
Ticket cache: FILE:/tmp/krb5cc_618800003_nNXtCe
Default principal: one@TESTRELM

Valid starting     Expires            Service principal
10/14/11 15:11:10  10/15/11 15:11:10  krbtgt/TESTRELM@TESTRELM
10. Can ssh as this user to master, without being prompted to reenter password.

Verified using ipa-client-2.1.2-2.el6.x86_64

Comment 7 Rob Crittenden 2011-10-31 20:19:41 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: The default sssd configuration does not store passwords if offline.
Consequence: If the machine is disconnected from the network sssd will be unable to authenticate users.
Fix: Set krb5_store_password_if_offline to True in sssd.conf by default. There is an ipa-client-install option --no-krb5-offline-passwords if this is not desired.
Result: Passwords are stored by default.

Comment 8 errata-xmlrpc 2011-12-06 18:36:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.