[Freeipa-devel] [PATCH] sssd: kerberos backend

Sumit Bose sbose at redhat.com
Sat Apr 4 21:30:56 UTC 2009


Hi,

the following series of patches introduces a kerberos backend to sssd.

0001: a small locator plugin to find the realm name and the kdc. This is
useful for testing, because you do not have to modify your krb5.conf,
and later on we can hook this plugin to the utility which will do the
DNS queries and cache the results for future use. So far it checks the
environment variables SSSD_REALM and SSSD_KDC. So please set them
appropriately before starting sssd. (SSSD_KDC should be an IP address and
not a hostname).

0002: the kerberos backend. Due to the lack of an asynchronous kerberos
implementation this backend forks to make the blocking kerberos calls.
The rest is hopefully asynchronous.

0003: to be able to create the user's credential cache with the right
access permissions, we need to know the uid of the user. This patch adds
a uid field to the main pam_data structure (I know that the primary gid
is needed too, but it was not clear to me how to handle this in the case
where we have MPGs. Simo, maybe you can add the right gid handling?)

0004: the glibc getpwnam call will not work, so I added a sysdb_getpwnam
call to get the uid from the cached data (or the LOCAL backend). There
is a hack that if the domain is called KRB (the domain which uses the
kerberos backend) the user is searched in the LOCAL backend, because
kerberos is not an identity provider.

0005: this patch allows the pam client pam_sss to send messages back to
the user via the pam conversation which originate from the responder or
the backends.

0006: the kerberos backend cannot implement get_account_info. So far the
data provider backend code does not check if a call is implemented or
not. I have seen some delays and segmentation faults with nss calls when
using the kerberos backend, so I implemented a small check to avoid
calling a NULL pointer. This may not be necessary anymore if we split
the nss get_account_info call (identity provider) and the pam call
(authentication provider). I think I have seen a recent patch by Simo
which will do a similar thing, so maybe this one can just be dropped.

0007: the patches so far only touch code. This one contains all changes
to the autotools files like configure.ac and Makefile.in to find the
kerberos libraries, the kerberos plugin path and to compile the new files.

Have a nice weekend.

bye,
Sumit
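As an added illustration of the lookup logic patch 0001 describes (example code written for this page, not the attached patch): the realm requested by libkrb5 is compared with SSSD_REALM, SSSD_KDC is accepted only as an IPv4 or IPv6 literal (the plugin does no DNS, so a hostname is rejected), and a sockaddr for KDC port 88 is produced. It assumes the two environment variable names from the mail; the LOC_* return codes are this example's own, and in a real MIT locator plugin the address would be handed to the library's callback, with KRB5_PLUGIN_NO_HANDLE returned for the "not ours" case so krb5.conf or DNS is consulted instead.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define KRB_KDC_PORT 88

/* Example-local return codes: LOC_OK filled *out, LOC_NO_HANDLE means
 * "not ours" (libkrb5 should fall back), LOC_BAD_KDC means SSSD_KDC is
 * set but is not an IP literal. */
enum { LOC_OK = 0, LOC_NO_HANDLE = 1, LOC_BAD_KDC = -1 };

int locate_kdc_from_values(const char *realm, const char *env_realm,
                           const char *env_kdc, struct sockaddr_storage *out,
                           socklen_t *out_len)
{
    /* Nothing configured: let the library use its normal sources. */
    if (realm == NULL || env_realm == NULL || env_kdc == NULL)
        return LOC_NO_HANDLE;
    /* Kerberos realm names are case-sensitive, so compare them exactly. */
    if (strcmp(realm, env_realm) != 0)
        return LOC_NO_HANDLE;

    memset(out, 0, sizeof(*out));
    struct sockaddr_in *s4 = (struct sockaddr_in *)out;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)out;

    if (inet_pton(AF_INET, env_kdc, &s4->sin_addr) == 1) {
        s4->sin_family = AF_INET;
        s4->sin_port = htons(KRB_KDC_PORT);
        *out_len = sizeof(*s4);
        return LOC_OK;
    }
    if (inet_pton(AF_INET6, env_kdc, &s6->sin6_addr) == 1) {
        s6->sin6_family = AF_INET6;
        s6->sin6_port = htons(KRB_KDC_PORT);
        *out_len = sizeof(*s6);
        return LOC_OK;
    }
    /* A hostname was given; the plugin does no DNS, so refuse it. */
    return LOC_BAD_KDC;
}

/* Wrapper reading the two variables named in the mail. */
int locate_kdc_from_env(const char *realm, struct sockaddr_storage *out,
                        socklen_t *out_len)
{
    return locate_kdc_from_values(realm, getenv("SSSD_REALM"),
                                  getenv("SSSD_KDC"), out, out_len);
}
```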
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-kerberos-locator-plugin-to-find-realm-and-kdc.patch
Type: text/x-patch
Size: 3881 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090404/2aaf8b93/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-kerberos-backend.patch
Type: text/x-patch
Size: 14137 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090404/2aaf8b93/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-add-pw_uid-to-struct-pam_data.patch
Type: text/x-patch
Size: 2097 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090404/2aaf8b93/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-added-sysdb_getpwnam-to-pam-responder-to-get-pw_uid.patch
Type: text/x-patch
Size: 3634 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090404/2aaf8b93/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-added-show_message-to-display-pam-info-messages-to-t.patch
Type: text/x-patch
Size: 2723 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090404/2aaf8b93/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-check-if-the-backend-implements-get_account_info.patch
Type: text/x-patch
Size: 967 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090404/2aaf8b93/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-updates-to-autotool-files-to-build-kerberos-backend.patch
Type: text/x-patch
Size: 8642 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090404/2aaf8b93/attachment-0006.bin>