On Wed, Jul 06, 2016 at 04:59:36PM -0400, Jeffery Harrell wrote:
> Oh wow, I see. I did some playing around with
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin in search of a
> minimum-change scenario and found that this:
> 
> [plugins]
>  localauth = {
>   module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
> #  enable_only = sssd
>  }
> 
> seems to get me where I need to be. Adding that one character seems to be
> enough to make .k5login work as expected.
> 
> Specifically:
> 
> Take a brand new IPA client, created with “ipa-client-install” and
> accepting the defaults.
> 
> Edit /var/lib/sss/pubconf/krb5.include.d/localauth_plugin to comment out
> the enable_only line as above.
> 
> cat <<'EOF' > /root/.k5login
> yourusern...@yourdomain.com
> EOF
> 
> From another computer anywhere in the domain:
> 
> kinit yourusern...@yourdomain.com
> 
> Then:
> 
> ssh -K root@wherever
> 
> This works for me. I’ve got all my servers under Salt config management
> anyway, so it’s not *that* big a deal to add that one byte to each of them.

ok, makes sense. As long as the target users are local (from /etc/passwd),
removing 'enable_only = sssd' is enough. For IPA users sssd_krb5_localauth_plugin
would still act authoritatively, i.e. you have to remove/comment it out as
well if you want to use k5login for IPA user to IPA user.

Please note that SSSD will rewrite the file on restart, so you still
might want to use chattr +i to keep your changes.

> 
> Thank you very, very much for the help.

You're welcome.

bye,
Sumit

> 
> 
> 
> 
> On July 6, 2016 at 1:00:53 PM, Sumit Bose (sb...@redhat.com) wrote:
> 
> On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
> > I must be missing something really obvious.
> >
> > Our IPA server is set up in the usual way on CentOS 7.2, just a “yum
> > install ipa-server” and then an “ipa-server-install.” DNS is set up
> > correctly and is working.
> >
> > I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum
> > install ipa-client”, “ipa-client-install.” Auto-detection of the realm,
> > domain and server were normal.
> >
> > But k5login is not working as expected. If I have this .k5login file in
> > the admin user’s home directory on server A:
> >
> > alice@charlietango.com...@charlietango.com
> >
> > I would expect to be able to do this:
> >
> > kinit al...@charlietango.com
> > ssh -K admin@serverA
> >
> > from anywhere in the Kerberos realm. Instead my credentials get rejected
> > and I’m asked for the admin user’s password.
> >
> > It feels like sshd on the server isn’t even looking at k5login. (I also
> > tried k5users; same result.)
> >
> > The permissions on .k5login are correct. I tried it with SELinux off as
> > well just in case that was it.
> >
> > What blindingly obvious thing have I overlooked?
> 
> I guess you have an issue similar to
> https://bugzilla.redhat.com/show_bug.cgi?id=1297462 . The localauth
> plugin provided by SSSD has too strict default settings. One is the
> 'enable_only = sssd' option in the config snippet. The other is that it
> acts authoritative for SSSD users. A fix for both was just pushed
> upstream today.
> 
> If you currently do not need the localauth plugin you can disable it by
> creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> file and making it unmodifiable with
> 
> chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> 
> This should allow the default methods including k5login again. Please
> note that you might need to add the old RULE based mapping as described
> in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
> or add .k5login files for every user to make GSSAPI authentication work
> smoothly.
> 
> As an alternative we hope to release the next SSSD version including the
> patches anytime soon and later on there might be a build for 7.2
> available.
> 
> HTH
> 
> bye,
> Sumit
> 
> >
> > Thanks.
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
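As an added example (not code from the thread, from SSSD or from FreeIPA), the following shell check classifies the SSSD-generated localauth snippet into the states the thread discusses: the default with an active `enable_only = sssd` line, the commented-out variant Jeffery used, the empty file Sumit suggested, and no file at all. It also reports whether the immutable bit is set, since SSSD rewrites the file on restart. The function names `localauth_state` and `localauth_immutable`, the state labels, and the sample snippets written to a temporary directory are all constructed for this example; the module path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: classify /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
# so a config-management check can tell which state a client is in.
# Function names and state labels are assumptions made for this example.

DEFAULT_SNIPPET=/var/lib/sss/pubconf/krb5.include.d/localauth_plugin

localauth_state() {
    f="${1:-$DEFAULT_SNIPPET}"
    if [ ! -e "$f" ]; then
        echo "missing"      # no snippet at all: krb5 default localauth methods apply
        return 0
    fi
    if [ ! -s "$f" ]; then
        echo "disabled"     # empty file (Sumit's workaround): plugin not loaded
        return 0
    fi
    # An uncommented enable_only line makes the SSSD plugin the only method,
    # so .k5login / .k5users are never consulted.
    if grep -Eq '^[[:space:]]*enable_only[[:space:]]*=[[:space:]]*sssd' "$f"; then
        echo "exclusive"
        return 0
    fi
    # Plugin still loaded, but other localauth methods (k5login etc.) are allowed.
    if grep -Eq '^[[:space:]]*module[[:space:]]*=[[:space:]]*sssd:' "$f"; then
        echo "shared"
        return 0
    fi
    echo "unknown"
}

# Returns 0 if the immutable bit is set (chattr +i), 1 if not, 2 if lsattr is unavailable.
localauth_immutable() {
    f="${1:-$DEFAULT_SNIPPET}"
    command -v lsattr >/dev/null 2>&1 || return 2
    lsattr -d "$f" 2>/dev/null | awk '{print $1}' | grep -q i
}

# Stand-alone demo on constructed sample snippets (not real client files).
demo_dir=$(mktemp -d)
printf '[plugins]\n localauth = {\n  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so\n  enable_only = sssd\n }\n' > "$demo_dir/default"
printf '[plugins]\n localauth = {\n  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so\n#  enable_only = sssd\n }\n' > "$demo_dir/commented"
: > "$demo_dir/empty"
for name in default commented empty absent; do
    printf '%-10s %s\n' "$name" "$(localauth_state "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

Run it as root on a client to see the live file's state (call `localauth_state` with no argument), or feed it a path under test as the demo does. A client that reports `exclusive` is in the state that made `.k5login` appear to be ignored; one that reports `shared` or `disabled` but not immutable will revert on the next SSSD restart.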
