[Freeipa-devel] [PATCH] sssd: kerberos backend

Stephen Gallagher sgallagh at redhat.com
Mon Apr 6 11:56:27 UTC 2009



Simo Sorce wrote:
> On Sat, 2009-04-04 at 23:30 +0200, Sumit Bose wrote:
>> Hi,
>>
>> the following series of patches introduces a kerberos backend to sssd.
>>
>> 0001: a small locator plugin to find the realm name and the kdc. This
>> is useful for testing, because you do not have to modify your krb5.conf
>> and later on we can hook this plugin to the utility which will do the
>> DNS queries and cache the results for future use. So far it checks the
>> environment variables SSSD_REALM and SSSD_KDC. So please set them
>> appropriately before starting sssd. (SSSD_KDC should be an IP address
>> and not a hostname).
> 
> This is very useful, thanks.
> We should probably use a (mmaped ?) file or some other mechanism so that
> we can pump configuration changes in live without having to restart
> processes if something changes (join/unjoin/location changes/...) but it's
> a good start.
> 
>> 0002: the kerberos backend. Due to the lack of an asynchronous
>> kerberos implementation this backend forks to make the blocking
>> kerberos calls. The rest is hopefully asynchronous.
> 
> Ok there may be a problem with just forking and not executing a new
> process, in that dbus may then close the parent channels when you exit.
> I am also changing the way auth modules interface, I will take on
> working with this module to adapt it to the new interfaces before
> committing it.
> 

Simo is right. There's a bug in D-BUS (which upstream refuses to fix on
the grounds that "forking without exec() is broken"). So when you call
exit in the forked process, it will close and remove the internal pipe
files for the SBUS connection, wreaking havoc on the rest of the system.
(And yes, that was a pun on the name of the D-BUS creator)

>> 0003: to be able to create the user's credential cache with the right
>> access permission, we need to know the uid of the user. This patch
>> adds a uid field to the main pam_data structure (I know that the
>> primary uid is needed too, but it was not clear to me how to handle
>> this in the case where we have MPGs. Simo, maybe you can add the right
>> gid handling?)
> 
> I think we need to let the sysdb handle this for you, like we do for the
> nss case. We also need to make the pam responder find out more info
> about the user. I will take a closer look later on.
> 
>> 0004: the glibc getpwnam call will not work so I added a
>> sysdb_getpwnam call to get the uid from the cached data (or the LOCAL
>> backend). There is a hack that if the domain is called KRB (domain
>> which the kerberos backend) the user is searched in the LOCAL backend,
>> because kerberos is not an identity provider.
> 
> I have already a patch that separates identity and auth modules, I will
> adapt the code before pushing, once my patch is in.
> 
>> 0005: this patch allows the pam client pam_sss to send messages back
>> to the user via pam conversation which originated from the responder
>> or the backends.
> 
> ack, I will push this one this coming week
> 
>> 0006: the kerberos backend cannot implement get_account_info. So far
>> the data provider backend code does not check if a call is implemented
>> or not. I have seen some delays and segmentation faults with nss calls
>> when using the kerberos backend, so I implemented a small check to avoid
>> calling a NULL pointer. This may not be necessary anymore if we split
>> the nss get_account_info call (identity provider) and the pam call
>> (authentication provider). I think I have seen a recent patch by Simo
>> which will do a similar thing so maybe this one can just be dropped.
> 
> Yes I have committed a more generic patch, which is not ideal either, my
> upcoming code that separates identity and auth modules will address the
> problem in a better way.
> 
>> 0007: the patches so far only touch code. This one contains all
>> changes to the autotools files like configure.ac and Makefile.in to
>> find the kerberos libraries, the kerberos plugin path and to compile
>> the new files.
>>
>> Have a nice weekend.
> 
> Thanks Sumit,
> I will work this week to integrate these patches and adapt them to the
> work I am doing on the interfaces. I hope we will be able to soon have
> an ldap backed identity provider perform kerberos pam authentication.
> 
> Simo.
> 


--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
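The fork-without-exec hazard Simo and Stephen describe above, reduced to a runnable demonstration. This is an added example, not code from sssd or D-Bus: a hypothetical unix-socket listener whose path is removed by an atexit() handler stands in for the bus library's own exit-time cleanup, and a forked child (standing in for the blocking kerberos call) terminates either with exit(), which runs the inherited handlers and deletes the parent's socket path, or with _exit(), which skips them. The function names and the /tmp socket path are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>

/* Hypothetical stand-in for the parent's bus listener: a unix socket whose
 * path an atexit() handler unlinks, the way a bus library cleans up on exit. */
static char sock_path[108];            /* 108 is Linux's sun_path size */
static void cleanup_listener(void) { unlink(sock_path); }

static int open_listener(void)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, sock_path, sizeof sa.sun_path - 1);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    atexit(cleanup_listener);          /* the "library" registers its cleanup */
    return fd;
}

/* Fork a child standing in for the blocking krb5 call. With use_exit != 0 the
 * child leaves through exit(), which runs the atexit handlers it inherited and
 * so removes the parent's socket path; with use_exit == 0 it uses _exit(), as an
 * exec'd process effectively would. Returns 1 if the parent's listener path
 * survived, 0 if the child removed it, -1 on setup failure. */
int listener_survives_child(int use_exit)
{
    int fd, status, alive;
    pid_t pid;

    snprintf(sock_path, sizeof sock_path, "/tmp/sbus-demo-%ld.sock", (long)getpid());
    unlink(sock_path);                 /* clear a stale path from an earlier run */
    if ((fd = open_listener()) < 0) return -1;
    if ((pid = fork()) < 0) { close(fd); unlink(sock_path); return -1; }
    if (pid == 0) {                    /* child: blocking work would go here */
        if (use_exit) exit(0);
        _exit(0);
    }
    waitpid(pid, &status, 0);
    alive = (access(sock_path, F_OK) == 0);
    close(fd);
    unlink(sock_path);
    return alive;
}
```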