> The MIT Kerberos library tries to use every pre-authentication plugin it
> can find in /usr/lib/krb5/plugins/preauth . Plugins which need some
> options, like the pkinit plugin, will only work if the options are
> given. So you can disable pkinit completely for a host if you remove the
> plugin or the options from krb5.conf. But I think this is not what you
> want.

Hmm, yeah well no, that's not what I want. Since the users use their card to login and get a kerberos ticket through pkinit, I need the pkinit options in krb5.conf.

> It would be possible to overwrite the pre-authentication settings from
> krb5.conf, but so far sssd does not do it to be able to fall back to the krb5.conf settings.

Mm that's what I figure...

> In general I think it would be a good idea to have a sssd.conf config
> option to specify which pre-authentication plugins should be used with
> the special value 'None' to disable all plugins and do not fall back
> to krb5.conf.
> If this option is not specified the settings from krb5.conf
> will be used. Would you mind to file an enhancement request for this?

Yes, that definitely sounds like a good and reasonable request, I'll make that first thing in the morning.

I guess I can bind with user/pw until that feature is built in. I'm trying to think of another workaround but I can't really come up with anything. It's a shame that I just can't tell sssd to use another krb5.conf, or any kerberized application for that matter.

Thanks for the help!

Best regards,
Patrik Martinsson, Sweden.

On Mon, 2010-12-13 at 20:50 +0100, Sumit Bose wrote:
> On Mon, Dec 13, 2010 at 06:48:55PM +0100, Patrik Martinsson wrote:
> > Hello,
> >
> > Quick question, in our krb5.conf we have defined
> > pkinit_identities = PKCS11:/path_to_smartcard_lib
> > pkinit_anchors = FILE:/path_to_cert
> > to allow people to get a kerberos ticket whenever they login.
> >
> > Now, we also configured sssd to use kerberos as authentication method,
> > which means sssd will try to do a pkinit to get the kerberos ticket
> > (that is, when sssd makes a kinit to get a ticket, it will use the
> > krb5.conf defaults and try to do a kinit with pkinit enabled, which will
> > fail).
> >
> > Now, my question is, can I make sssd to not use pkinit when doing a kinit ?
> > Does that make sense ?
>
> The MIT Kerberos library tries to use every pre-authentication plugin it
> can find in /usr/lib/krb5/plugins/preauth . Plugins which need some
> options, like the pkinit plugin, will only work if the options are
> given. So you can disable pkinit completely for a host if you remove the
> plugin or the options from krb5.conf. But I think this is not what you
> want.
>
> It would be possible to overwrite the pre-authentication settings from
> krb5.conf, but so far sssd does not do it to be able to fall back to the
> krb5.conf settings.
>
> In general I think it would be a good idea to have a sssd.conf config
> option to specify which pre-authentication plugins should be used with
> the special value 'None' to disable all plugins and do not fall back to
> krb5.conf. If this option is not specified the settings from krb5.conf
> will be used. Would you mind to file an enhancement request for this?
>
> bye,
> Sumit
>
> >
> > Any suggestions are welcome.
> >
> > Best regards,
> > Patrik Martinsson, Sweden.

_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
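Added example, not part of the thread: because sssd and every other Kerberos client on the host read the same krb5.conf, an administrator can list where `pkinit_*` options are set (host-wide in a section, or inside one realm's block) to see what each client will pick up. The sample file, realm name and function name are constructed for illustration; the parser handles sections, `{ }` blocks and `key = value` relations only, not `include` directives.

```python
import re

# Constructed sample krb5.conf; realm, KDC host and paths are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    pkinit_anchors = FILE:/path_to_cert

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        pkinit_identities = PKCS11:/path_to_smartcard_lib
    }
"""


def find_pkinit_options(text):
    """Return (section, realm_or_None, key, value) for every pkinit_* relation."""
    found, section, stack = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                              # new top-level section
            section, stack = header.group(1), []
            continue
        if line.startswith("}"):                # end of a nested block
            if stack:
                stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if value == "{":                        # start of a block, e.g. a realm
            stack.append(key)
        elif key.startswith("pkinit_"):
            # Outermost block name is the realm the setting is scoped to.
            found.append((section, stack[0] if stack else None, key, value))
    return found


if __name__ == "__main__":
    for section, realm, key, value in find_pkinit_options(SAMPLE_KRB5_CONF):
        scope = f"realm {realm}" if realm else "host-wide"
        print(f"[{section}] {scope}: {key} = {value}")
```

An empty result means no pkinit options are configured in that file, the condition under which the quoted reply says the pkinit plugin will not work.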
