Sumit Bose wrote:
On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote:
  
So the questions are:
- is there another cleaner way to exclude the localauth sssd plugin
(considering that the configuration snippet is recreated at every sssd
restart)?
        
Can you test if this hack would help:
   # service sssd stop
   # rm /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
   # touch /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
   # chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
   # service sssd start
      
It works, thanks
    
Thank you for testing. The steps above disable the creation of the
localauth_plugin file by SSSD since the file already exists and is
immutable. SSSD tries to write:

[plugins]
 localauth = {
  module = sssd:/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }

into this file to enable SSSD's localauth plugin. When I wrote the patch
for this I guess I over-optimistically added 'enable_only = sssd' which
disables all the default schemes available in libkrb5. I wonder if you
can create /var/lib/sss/pubconf/krb5.include.d/localauth_plugin with
this line missing:

[plugins]
 localauth = {
  module = sssd:/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
 }

and try again? You might need to make it mutable again with 'chattr -i'
and after editing it call 'chattr +i' again so that SSSD cannot write
its own version. If the version without 'enable_only = sssd' works for
you I think I will prepare a patch for SSSD which does not add this line
by default, which then should fix your issue and other .k5login related
tickets we have in trac.

  
Hi Sumit
Yes, it works commenting out the line 'enable_only = sssd' and making the file immutable, namely the .k5login file is read and enforced.
But with respect to the solution of emptying the snippet completely, the possibility is lost to perform the same enforcement via an 'auth_to_local_names' entry in /etc/krb5.conf for the given realm, in which the service principal is mapped onto the destination POSIX account.
Stefano

Thank you for your help.

bye,
Sumit
  
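As an added example (not code from the thread or from SSSD), a small Python parser for the brace-nested krb5.conf snippet discussed above that reports whether an 'enable_only' key restricts localauth to SSSD's module; the two sample snippets are reconstructed from the thread, and the function names are my own.

```python
import re

# Constructed sample: the snippet SSSD writes into krb5.include.d/localauth_plugin.
WITH_ENABLE_ONLY = """\
[plugins]
 localauth = {
  module = sssd:/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
"""
# Constructed sample: the variant without enable_only (libkrb5 default schemes stay on).
WITHOUT_ENABLE_ONLY = WITH_ENABLE_ONLY.replace("  enable_only = sssd\n", "")


def parse_krb5_conf(text):
    """Parse krb5.conf-style text into nested dicts, handling the brace
    subsections used under [plugins]. Repeated keys overwrite earlier ones."""
    conf, stack = {}, []          # stack[-1] is the dict currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.match(r"^\[(\w+)\]$", line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside of any section: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))   # open a subsection
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def localauth_enable_only(text):
    """Set of localauth modules named by enable_only, or None if the key is absent."""
    la = parse_krb5_conf(text).get("plugins", {}).get("localauth", {})
    if not isinstance(la, dict) or "enable_only" not in la:
        return None
    return set(la["enable_only"].split())
```

A result of {'sssd'} means the built-in .k5login and auth_to_local handling is switched off; None means they remain active alongside the SSSD module.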
