On Mon, Dec 13, 2010 at 06:48:55PM +0100, Patrik Martinsson wrote:
> Hello,
>
> Quick question, in our krb5.conf we have defined
> pkinit_identities = PKCS11:/path_to_smartcard_lib
> pkinit_anchors = FILE:/path_to_cert
> to allow people to get a Kerberos ticket whenever they log in.
>
> Now, we also configured sssd to use Kerberos as the authentication method,
> which means sssd will try to do a pkinit to get the Kerberos ticket
> (that is, when sssd makes a kinit to get a ticket, it will use the
> krb5.conf defaults and try to do a kinit with pkinit enabled, which will
> fail).
>
> Now, my question is, can I make sssd not use pkinit when doing a kinit?
> Does that make sense?

The MIT Kerberos library tries to use every pre-authentication plugin it can find in /usr/lib/krb5/plugins/preauth. Plugins which need some options, like the pkinit plugin, will only work if the options are given. So you can disable pkinit completely for a host if you remove the plugin or the options from krb5.conf. But I think this is not what you want.

It would be possible to override the pre-authentication settings from krb5.conf, but so far sssd does not do it, to be able to fall back to the krb5.conf settings.

In general I think it would be a good idea to have an sssd.conf config option to specify which pre-authentication plugins should be used, with the special value 'None' to disable all plugins and not fall back to krb5.conf. If this option is not specified, the settings from krb5.conf will be used.

Would you mind filing an enhancement request for this?

bye,
Sumit

> Any suggestions are welcome.
>
> Best regards,
> Patrik Martinsson, Sweden.
>
> _______________________________________________
> sssd-devel mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/sssd-devel
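Since the reply above notes that pkinit is attempted wherever its options are present, a host that should never try smartcard pre-authentication needs to know every scope of krb5.conf that sets them. The following helper is an added example, not code from the thread or from sssd; the sample krb5.conf is constructed (realm, KDC name and the realm CA path are placeholders) and only the single level of `{ }` nesting used for realm blocks is handled.

```python
# Added example (not from the thread): report where krb5.conf makes the MIT
# library attempt PKINIT, i.e. wherever pkinit_* options are present.
import re

# Constructed sample mirroring the options quoted in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    pkinit_identities = PKCS11:/path_to_smartcard_lib
    pkinit_anchors = FILE:/path_to_cert

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        pkinit_anchors = FILE:/path_to_realm_ca
    }
"""

def parse_krb5_conf(text):
    """Return {section: {scope: {key: value}}}; scope is '' for section-level
    settings or the realm name for a nested { } block (one level only)."""
    result, section, scope = {}, None, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, scope = header.group(1), ""
            result.setdefault(section, {})
            continue
        if line == "}":  # end of a realm block
            scope = ""
            continue
        kv = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not kv or section is None:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":  # start of a realm block
            scope = key
            continue
        result[section].setdefault(scope, {})[key] = value
    return result

def pkinit_settings(text):
    """Return sorted (section, scope, key) for every pkinit_* option found."""
    return sorted((sec, scope, key)
                  for sec, scopes in parse_krb5_conf(text).items()
                  for scope, kv in scopes.items() for key in kv if key.startswith("pkinit_"))
```

An empty result means the library has no pkinit options to act on, which is the state the reply describes for disabling pkinit on a host via krb5.conf alone.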
