On Tue, Dec 08, 2015 at 02:30:54PM +0100, Stefano Cortese wrote:
> Jakub Hrozek wrote:
> > On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote:
> > > So the questions are:
> > > - is there another cleaner way to exclude the localauth sssd plugin
> > > (considering that the configuration snippet is recreated at every sssd
> > > restart)?
> >
> > Can you test if this hack would help:
> > # service sssd stop
> > # rm /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> > # touch /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> > # chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> > # service sssd start
>
> It works, thanks
>
> > > > btw also check out this ticket:
> > > > https://fedorahosted.org/sssd/ticket/2788
> > >
> > > not needing principal switching from/to root for the moment
> >
> > Yes, sorry, wrong ticket:
> > https://fedorahosted.org/sssd/ticket/2707
> >
> > > Maybe I wasn't clear in describing the setup.
> > >
> > > I am attempting to log in from a local machine as "userA", using the
> > > credentials of a "service principal" defined in IPA, to a remote machine
> > > as "userB".
> > > The userB principal is resolvable on the remote host via "getent passwd
> > > userB" because it is a user principal.
> > > Also the userA principal is resolvable on the local machine, but this
> > > should not play a role because the user's credentials are not used for
> > > the connection, only the service credentials, as a client.
> > > The service principal is not resolvable via "getent passwd", neither on
> > > the originating host nor on the destination host.
> > > The trick with .k5login is that the service principal used in the
> > > connection is granted access as userB because it is listed as one of
> > > the principals that correspond to the userB posix account on the remote
> > > host.
> >
> > Thank you, then I think #2707 would help you because you could configure
> > that .k5login is still used.
>
> Hi Jakub,
> yes maybe it could help, even if I didn't find many details (Bugzilla says
> I am not authorized to access the Red Hat Bug 1240302 with my Bugzilla
> account; I have tried also with our Red Hat support licensed account).

Try now, there is nothing confidential in the bug, so I opened it. (I'm afraid
there's nothing useful either, but the BZ might be useful in referencing for
support..)

> It seems to have been filed for sssd 1.14 and RHEL7; is there any hope
> that it will be implemented also for 6.7 or 6.8? We can't upgrade to 7
> for the IPA clients.
> Bye
> Stefano

I can't promise anything because the scope of the changes is not totally
clear, but can you please open a support case asking for the change in RHEL-6?
Feel free to send me the case number, then. It might also be helpful to include
why the workaround is not helpful/not feasible for you, because RHEL-6 is
already getting quite late in the cycle, so all changes should be justified..

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
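Added example, not part of the thread above and not sssd's own tooling: the pin-and-verify workaround Jakub quotes (stop sssd, replace the generated localauth_plugin snippet with an empty file, mark it immutable, start sssd) as a script, plus a check that the empty snippet actually survived the restart, since sssd would otherwise regenerate it on start. The path is the one quoted in the thread; the function names and the apply/verify subcommands are my own. chattr +i needs root and a filesystem that supports the attribute (ext2/3/4, xfs), and the verification relies on lsattr from e2fsprogs; the immutable flag also blocks sssd from ever updating that snippet again, which is the intended effect here but worth remembering when upgrading sssd.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pin an empty
# localauth_plugin snippet so sssd cannot regenerate it, and verify the pin.
# SNIPPET is the path quoted in the thread; function names are assumptions.
SNIPPET=/var/lib/sss/pubconf/krb5.include.d/localauth_plugin

# Return 0 when the immutable attribute is set on the file.
# lsattr prints a flag string such as "----i---------e-------" as its first
# field; an 'i' in that field means chattr +i is in effect. If lsattr is
# missing or the filesystem does not support attributes, treat as not pinned.
is_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 only when the snippet exists, is empty (sssd did not rewrite it)
# and is immutable (sssd will not be able to rewrite it later either).
verify_pinned() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ ! -s "$f" ] || { echo "not empty, sssd regenerated it?: $f" >&2; return 1; }
    is_immutable "$f" || { echo "not immutable: $f" >&2; return 1; }
    return 0
}

# The workaround from the thread, followed by the verification above.
pin_snippet() {
    f=$1
    service sssd stop
    rm -f "$f"
    : > "$f"
    chattr +i "$f"
    service sssd start
    verify_pinned "$f"
}

# With no argument the script only defines the functions above.
case "${1:-}" in
    apply)  pin_snippet "$SNIPPET" ;;
    verify) verify_pinned "$SNIPPET" ;;
esac
```

Run as root with `apply` once, then `verify` after any later sssd restart or package update; a non-zero exit with "not empty" means the pin was lost and sssd has registered its localauth plugin again, which is exactly the situation in which .k5login stops being consulted.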
