<html><head><style>
body {
font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
padding:1em;
margin:auto;
background:#fefefe;
}
h1, h2, h3, h4, h5, h6 {
font-weight: bold;
}
h1 {
color: #000000;
font-size: 28pt;
}
h2 {
border-bottom: 1px solid #CCCCCC;
color: #000000;
font-size: 24px;
}
h3 {
font-size: 18px;
}
h4 {
font-size: 16px;
}
h5 {
font-size: 14px;
}
h6 {
color: #777777;
background-color: inherit;
font-size: 14px;
}
hr {
height: 0.2em;
border: 0;
color: #CCCCCC;
background-color: #CCCCCC;
display: inherit;
}
p, blockquote, ul, ol, dl, li, table, pre {
margin: 15px 0;
}
a, a:visited {
color: #4183C4;
background-color: inherit;
text-decoration: none;
}
#message {
border-radius: 6px;
border: 1px solid #ccc;
display:block;
width:100%;
height:60px;
margin:6px 0px;
}
button, #ws {
font-size: 12 pt;
padding: 4px 6px;
border-radius: 5px;
border: 1px solid #bbb;
background-color: #eee;
}
code, pre, #ws, #message {
font-family: Monaco;
font-size: 10pt;
border-radius: 3px;
background-color: #F8F8F8;
color: inherit;
}
code {
border: 1px solid #EAEAEA;
margin: 0 2px;
padding: 0 5px;
}
pre {
border: 1px solid #CCCCCC;
overflow: auto;
padding: 4px 8px;
}
pre > code {
border: 0;
margin: 0;
padding: 0;
}
#ws { background-color: #f8f8f8; }
.bloop_markdown table {
border-collapse: collapse;
font-family: Helvetica, arial, freesans, clean, sans-serif;
color: rgb(51, 51, 51);
font-size: 15px; line-height: 25px;
padding: 0; }
.bloop_markdown table tr {
border-top: 1px solid #cccccc;
background-color: white;
margin: 0;
padding: 0; }
.bloop_markdown table tr:nth-child(2n) {
background-color: #f8f8f8; }
.bloop_markdown table tr th {
font-weight: bold;
border: 1px solid #cccccc;
margin: 0;
padding: 6px 13px; }
.bloop_markdown table tr td {
border: 1px solid #cccccc;
margin: 0;
padding: 6px 13px; }
.bloop_markdown table tr th :first-child, table tr td :first-child {
margin-top: 0; }
.bloop_markdown table tr th :last-child, table tr td :last-child {
margin-bottom: 0; }
.bloop_markdown blockquote{
border-left: 4px solid #dddddd;
padding: 0 15px;
color: #777777; }
blockquote > :first-child {
margin-top: 0; }
blockquote > :last-child {
margin-bottom: 0; }
code, pre, #ws, #message {
word-break: normal;
word-wrap: normal;
}
hr {
display: inherit;
}
.bloop_markdown :first-child {
-webkit-margin-before: 0;
}
code, pre, #ws, #message {
font-family: Menlo, Consolas, Liberation Mono, Courier, monospace;
}
.send { color:#77bb77; }
.server { color:#7799bb; }
.error { color:#AA0000; }</style></head><body style="word-wrap:break-word"><div class="bloop_markdown"><p>Oh wow, I see. I did some playing around with /var/lib/sss/pubconf/krb5.include.d/localauth_plugin in search of a minimum-change scenario and found that this:</p>
<pre><code>[plugins]
localauth = {
module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
# enable_only = sssd
}
</code></pre>
<p>seems to get me where I need to be. Adding that one character seems to be enough to make .k5login work as expected.</p>
<p>Specifically:</p>
<p>Take a brand new IPA client, created with “ipa-client-install” and accepting the defaults.</p>
<p>Edit /var/lib/sss/pubconf/krb5.include.d/localauth_plugin to comment out the enable_only line as above.</p>
<pre><code>cat <<'EOF' > /root/.k5login
<a href="mailto:yourusername@YOURDOMAIN.COM">yourusername@YOURDOMAIN.COM</a>
EOF
</code></pre>
<p>From another computer anywhere in the domain:</p>
<pre><code>kinit <a href="mailto:yourusername@YOURDOMAIN.COM">yourusername@YOURDOMAIN.COM</a>
</code></pre>
<p>Then:</p>
<pre><code>ssh -K root@wherever
</code></pre>
<p>This works for me. I’ve got all my servers under Salt config management anyway, so it’s not <em>that</em> big a deal to add that one byte to each of them.</p>
<p>Thank you very, very much for the help.</p>
<p></p></div><div class="bloop_original_html"><style>body{font-family:Helvetica,Arial;font-size:13px}</style><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div> <br> <div id="bloop_sign_1467838448844001024" class="bloop_sign"></div> <br><p class="airmail_on">On July 6, 2016 at 1:00:53 PM, Sumit Bose (<a href="mailto:sbose@redhat.com">sbose@redhat.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div></div><div>On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
<br>> I must be missing something really obvious.
<br>>
<br>> Our IPA server is set up in the usual way on CentOS 7.2, just a “yum
<br>> install ipa-server” and then an “ipa-server-install.” DNS is set up
<br>> correctly and is working.
<br>>
<br>> I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum
<br>> install ipa-client”, “ipa-client-install.” Auto-detection of the realm,
<br>> domain and server were normal.
<br>>
<br>> But k5login is not working as expected. If I have this .k5login file in the
<br>> admin user’s home directory on server A:
<br>>
<br>> alice@CHARLIETANGO.COMbob@<a href="http://CHARLIETANGO.COM">CHARLIETANGO.COM</a>
<br>>
<br>> I would expect to be able to do this:
<br>>
<br>> kinit <a href="mailto:alice@CHARLIETANGO.COM">alice@CHARLIETANGO.COM</a>
<br>> ssh -K admin@serverA
<br>>
<br>> from anywhere in the Kerberos realm. Instead my credentials get rejected
<br>> and I’m asked for the admin user’s password.
<br>>
<br>> It feels like sshd on the server isn’t even looking at k5login. (I also
<br>> tried k5users; same result.)
<br>>
<br>> The permissions on .k5login are correct. I tried it with SELinux off as
<br>> well just in case that was it.
<br>>
<br>> What blindingly obvious thing have I overlooked?
<br>
<br>I guess you have an issue similar to
<br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1297462">https://bugzilla.redhat.com/show_bug.cgi?id=1297462</a> . The localauth
<br>plugin provided by SSSD has too stricts default settings. One is the
<br>'enable_only = sssd' option in the config snippet. The other is that it
<br>acts authoritative for SSSD users. A fix for both was just pushed
<br>upstream today.
<br>
<br>If you currently do not need the localauth plugin you can disable it by
<br>creating an empty /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
<br>file and make it unmodifiable with
<br>
<br> chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
<br>
<br>This should allow the default methods including k5login again. Please
<br>note that you might need to add the old RULE based mapping as described
<br>in
<br><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html</a>
<br>or add .k5login files for every user to make GSSAPI authentication work
<br>smoothly.
<br>
<br>As an alternative we hope to release the next SSSD version including the
<br>patches anytime soon and later on there might be build for 7.2
<br>available.
<br>
<br>HTH
<br>
<br>bye,
<br>Sumit
<br>
<br>>
<br>> Thanks.
<br>
<br>> --
<br>> Manage your subscription for the Freeipa-users mailing list:
<br>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
<br>> Go to <a href="http://freeipa.org">http://freeipa.org</a> for more info on the project
<br>
<br></div></div></span></blockquote></div><div class="bloop_markdown"><p></p></div></body></html>