** Description changed:

  Please enable the sssd-secrets service. This needs the MIR for
  http-parser (#1638957) to pass.
  
+ [Rationale]
+ From the MIR bug (#1638957):
+ The Debian sssd package has the secrets service enabled, and disabling it in the Ubuntu package is part of the delta we carry.
+ 
+ The secrets service can be used as a generic key/value database for
+ secrets, and one of its consumers is a kerberos KDC via KCM (Kerberos
+ Cache Manager), implemented by sssd-kcm. sssd-kcm gives users an option
+ to store the credentials in a cache that persists reboots, as opposed to
+ when it's stored in the kernel keyring or in /tmp, when that is a tmpfs.
+ 
+ sssd-secrets can also use a remote Custodia
+ [https://github.com/simo5/custodia] (in Universe) server to store its
+ secrets there.
+ 
+ sssd-secrets is unix socket activated and won't be running until there
+ is a connection to that socket.
+ 
+ [Testing]
- This is the testing that was done.
- During testing, I found a related bug and filed a bug in debian about it with a related MP in salsa (https://bugs.debian.org/892315).
+ This is the testing that was done. Only the local store was tested, not the Custodia remote server case.
+ 
+ During testing, I found a related bug and filed a bug in debian about it
+ with a related MP in salsa (https://bugs.debian.org/892315).
  
  Quick simple test
  =================
  sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
  sudo apt install sssd
  
  # Store a secret
  $ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XPUT http://localhost/secrets/foo -d'{"type":"simple","value":"foosecret"}';echo
  <html>
  <head>
  <title>200 OK</title></head>
  <body>
  <h1>OK</h1>
  <p>Success</p>
  </body>
  
  # retrieve the secret
  $ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
  {
- "type": "simple",
- "value": "foosecret"
+ "type": "simple",
+ "value": "foosecret"
  }
  
  # try to retrieve the same secret but as a different user won't work because secrets are per user
  $ sudo curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
  <html>
  <head>
  <title>404 Not Found</title></head>
  <body>
  <h1>Not Found</h1>
  <p>The requested resource was not found.</p>
  </body>
  
  Extended test
  =============
  This is a more extended version of this verification and it tests the
  integration of the secrets service between three services: the secrets
  service itself, MIT kerberos client libraries, and the sssd-kcm service
  (kerberos cache manager).
  
  sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
  sudo apt install sssd sssd-kcm
  
  # use EXAMPLE.COM for the kerberos realm, and localhost for the admin and kdc servers, when prompted
  sudo apt install krb5-user krb5-kdc krb5-admin-server
  
  # the kdc will fail to start because there is no realm yet, that's ok. We will create it now. Use whatever password you want
  sudo krb5_newrealm
  
  # create a kerberos principal. This uses "secret" as a password
  sudo kadmin.local -q "addprinc -pw secret ubuntu"
  
  # edit /etc/krb5.conf and tell the library to use KCM by default
  [libdefaults]
- default_ccache_name = KCM: # <-- add this line
+ default_ccache_name = KCM: # <-- add this line
  
  # create /etc/sssd/sssd.conf with these contents:
  [sssd]
  config_file_version = 2
  services = pam
  domains = example.com
  
  [pam]
  
  [domain/example.com]
  id_provider = proxy
  proxy_lib_name = files
  auth_provider = krb5
  krb5_server = localhost
  krb5_realm = EXAMPLE.COM
  
  # adjust permissions
  sudo chmod 0600 /etc/sssd/sssd.conf
  sudo chown root:root /etc/sssd/sssd.conf
  
  # (re)start sssd
  sudo systemctl restart sssd
  
  # test getting a ticket for "ubuntu". Notice how the cache is using "KCM":
  ubuntu@bionic-sssd-http-parser:~$ kinit
  Password for ubuntu@EXAMPLE.COM:
  ubuntu@bionic-sssd-http-parser:~$ klist
  Ticket cache: KCM:1000
  Default principal: ubuntu@EXAMPLE.COM
  
  Valid starting     Expires            Service principal
  03/08/18 13:09:12  03/08/18 23:09:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
- 	renew until 03/09/18 13:09:10
+ 	renew until 03/09/18 13:09:10
  
  # install ldb-tools
  sudo apt install ldb-tools
  
  # perform a search on the secrets database to see the entry created by kcm
  $ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
  # record 1
  dn: cn=3615a3ca-b857-4ee6-ae70-3a82485276b3-1000,cn=ccache,cn=1000,cn=persistent,cn=kcm
  
  # record 2
  dn: cn=ccache,cn=1000,cn=persistent,cn=kcm
  
  # returned 2 records
  # 2 entries
  # 0 referrals
  
  # destroy the kerberos ticket and confirm it's gone from the secrets database
  ubuntu@bionic-sssd-http-parser:~$ kdestroy
  ubuntu@bionic-sssd-http-parser:~$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
  # returned 0 records
  # 0 entries
  # 0 referrals
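The quick simple test above drives the secrets API with curl. The following is an added example, not code from the bug report or from the sssd project: a small Python client that issues the same PUT/GET calls over the unix socket, assuming the socket path and /secrets/<name> layout shown in the test steps, and maps the replies to values (JSON on a successful GET, the HTML "200 OK" page on PUT, and 404 for a secret the calling uid does not own, which is the sudo case above).

```python
"""Minimal client for the sssd-secrets API over its unix socket.
Added example (not code from sssd or the bug report); it assumes the
socket path and /secrets/<name> layout shown in the test steps above.
"""
import http.client
import json
import socket

SECRETS_SOCKET = "/var/run/secrets.socket"  # path from the test steps


class UnixHTTPConnection(http.client.HTTPConnection):
    # http.client connection that dials a unix socket instead of TCP
    def __init__(self, path):
        super().__init__("localhost")  # only fills the Host header
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def parse_secret_response(status, body):
    """Map a reply from the secrets service to a Python value:
    200 + JSON body (GET) -> the stored "value"; 200 + HTML body (PUT)
    -> True; 404 -> None: secrets are keyed by the caller's uid, so another
    user's secret looks like a missing one (the 'sudo curl' case above).
    """
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError("secrets service answered HTTP %d" % status)
    text = body.decode("utf-8", "replace").lstrip()
    if text.startswith("{"):  # JSON reply: {"type": ..., "value": ...}
        return json.loads(text)["value"]
    return True  # HTML "200 OK" page returned by a successful PUT


def secrets_request(method, name, value=None, path=SECRETS_SOCKET):
    """PUT (with value) or GET (without) /secrets/<name> over the socket."""
    payload = None
    if value is not None:
        payload = json.dumps({"type": "simple", "value": value})
    conn = UnixHTTPConnection(path)
    conn.request(method, "/secrets/" + name, body=payload,
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    result = parse_secret_response(resp.status, resp.read())
    conn.close()
    return result
```

On a host with the socket present, `secrets_request("PUT", "foo", "foosecret")` followed by `secrets_request("GET", "foo")` reproduces the curl steps; running the GET under a different uid returns None.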
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1754365

Title:
  [FFe]: Enable sssd-secrets service

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1754365/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
