Oh wow, I see. I did some playing around with
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin in search of a
minimum-change scenario and found that this:

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
#  enable_only = sssd
 }

seems to get me where I need to be. Adding that one character seems to be
enough to make .k5login work as expected.

Specifically:

Take a brand new IPA client, created with “ipa-client-install” and
accepting the defaults.

Edit /var/lib/sss/pubconf/krb5.include.d/localauth_plugin to comment out
the enable_only line as above.

cat <<'EOF' > /root/.k5loginyourusern...@yourdomain.com
EOF

>From another computer anywhere in the domain:

kinit yourusern...@yourdomain.com

Then:

ssh -K root@wherever

This works for me. I’ve got all my servers under Salt config management
anyway, so it’s not *that* big a deal to add that one byte to each of them.

Thank you very, very much for the help.




On July 6, 2016 at 1:00:53 PM, Sumit Bose (sb...@redhat.com) wrote:

On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
> I must be missing something really obvious.
>
> Our IPA server is set up in the usual way on CentOS 7.2, just a “yum
> install ipa-server” and then an “ipa-server-install.” DNS is set up
> correctly and is working.
>
> I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum
> install ipa-client”, “ipa-client-install.” Auto-detection of the realm,
> domain and server were normal.
>
> But k5login is not working as expected. If I have this .k5login file in
the
> admin user’s home directory on server A:
>
> alice@charlietango.com...@charlietango.com
>
> I would expect to be able to do this:
>
> kinit al...@charlietango.com
> ssh -K admin@serverA
>
> from anywhere in the Kerberos realm. Instead my credentials get rejected
> and I’m asked for the admin user’s password.
>
> It feels like sshd on the server isn’t even looking at k5login. (I also
> tried k5users; same result.)
>
> The permissions on .k5login are correct. I tried it with SELinux off as
> well just in case that was it.
>
> What blindingly obvious thing have I overlooked?

I guess you have an issue similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1297462 . The localauth
plugin provided by SSSD has too stricts default settings. One is the
'enable_only = sssd' option in the config snippet. The other is that it
acts authoritative for SSSD users. A fix for both was just pushed
upstream today.

If you currently do not need the localauth plugin you can disable it by
creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
file and make it unmodifiable with

chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin

This should allow the default methods including k5login again. Please
note that you might need to add the old RULE based mapping as described
in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
or add .k5login files for every user to make GSSAPI authentication work
smoothly.

As an alternative we hope to release the next SSSD version including the
patches anytime soon and later on there might be build for 7.2
available.

HTH

bye,
Sumit

>
> Thanks.

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to