Jakub Hrozek wrote:
On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote:
  
So the questions are:
- is there another cleaner way to exclude the localauth sssd plugin
(considering that the configuration snippet is recreated at every sssd
restart)?
        
Can you test if this hack would help:
   # service sssd stop
   # rm /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
   # touch /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
   # chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
   # service sssd start
      
It works, thanks

    
btw also check out this ticket:
   https://fedorahosted.org/sssd/ticket/2788
      
not needing principal switching from/to root for the moment
    
Yes, sorry, wrong ticket:
    https://fedorahosted.org/sssd/ticket/2707

Maybe I wasn't clear in describing the setup.

I am attempting to log in from a local machine as "userA" using the
credentials of a "service principal" defined in IPA to a remote machine as
"userB".
The userB principal is resolvable on the remote host via "getent passwd
userB" because it is a user principal.
Also the userA principal is resolvable on the local machine, but this should
not play a role because the user's credentials are not used for the
connection, only the service credentials, as a client.
The service principal is not resolvable via "getent passwd" neither on the
originating host nor on the destination host.
The trick with .k5login is that the service principal used in the connection
is granted access as userB because it is listed as one of the principals
that correspond to the userB posix account on the remote host.
    
Thank you, then I think #2707 would help you because you could configure
that .k5login is still used.

  
Hi Jakub,
yes, maybe it could help, even if I didn't find many details (Bugzilla says I am not authorized to access the Red Hat Bug 1240302 with my Bugzilla account; I have also tried with our Red Hat support licensed account).
It seems to have been filed for sssd 1.14 and RHEL 7. Is there any hope that it will be implemented also for 6.7 or 6.8? We can't upgrade to 7 for the IPA clients.
Bye
Stefano
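The workaround Jakub suggests above depends on sssd being unable to regenerate the include snippet after a restart, so it is worth checking afterwards that the file is still empty and still immutable. The script below is an added example written for this thread; it is not code from the thread or from the sssd project. It uses the path and the `service sssd` commands quoted above; verifying the flag with `lsattr`, the `PLUGIN_SNIPPET` variable, and the numeric state codes are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or sssd): apply the "empty + immutable
# include file" workaround and verify it survived the sssd restart.
# Path and service name come from the thread; lsattr-based verification and
# the state codes below are assumptions made for this example.

PLUGIN_SNIPPET="${PLUGIN_SNIPPET:-/var/lib/sss/pubconf/krb5.include.d/localauth_plugin}"

# Given one line of `lsattr` output ("----i---------e----- /path"), report
# whether the immutable flag (lowercase 'i') is set. Only the attribute
# field is inspected so an 'i' in the file name cannot cause a false match.
flags_have_immutable() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# State of the snippet:
#   0 = empty and immutable (workaround in place)
#   1 = file missing
#   2 = file non-empty (sssd has regenerated its plugin stanza)
#   3 = empty but not immutable (or lsattr unavailable for this filesystem)
snippet_state() {
    f="$1"
    [ -e "$f" ] || return 1
    [ -s "$f" ] && return 2
    line=$(lsattr "$f" 2>/dev/null) || return 3
    flags_have_immutable "$line" || return 3
    return 0
}

# The workaround from the thread, followed by the verification step.
# Needs root and a filesystem that supports chattr +i (e.g. ext3/ext4).
pin_localauth_plugin() {
    service sssd stop
    rm -f -- "$PLUGIN_SNIPPET"
    : > "$PLUGIN_SNIPPET"            # create the empty file (same as touch here)
    chattr +i "$PLUGIN_SNIPPET"
    service sssd start
    snippet_state "$PLUGIN_SNIPPET"
}

case "${1:-}" in
    apply) pin_localauth_plugin ;;
    check) rc=0; snippet_state "$PLUGIN_SNIPPET" || rc=$?
           echo "localauth_plugin state: $rc (0 = workaround in place)" ;;
    *)     : ;;                       # no action when sourced or run without an argument
esac
```

Run `sh pin_localauth.sh apply` once as root, then `sh pin_localauth.sh check` after any later sssd restart or upgrade: a state other than 0 means the include file is back to being rewritten and the krb5 localauth plugin may be active again.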



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
