[Freeipa-devel] [PATCH] sssd: kerberos backend

Simo Sorce ssorce at redhat.com
Sun Apr 5 22:31:04 UTC 2009


On Sat, 2009-04-04 at 23:30 +0200, Sumit Bose wrote:
> Hi,
> 
> the following series of patches introduces a kerberos backend to sssd.
> 
> 0001: a small locator plugin to find the realm name and the kdc. This
> is useful for testing, because you do not have to modify your krb5.conf
> and later on we can hook this plugin to the utility which will do the
> DNS queries and cache the results for future use. So far it checks the
> environment variables SSSD_REALM and SSSD_KDC. So please set them
> appropriately before starting sssd. (SSSD_KDC should be an IP address
> and not a hostname).

This is very useful, thanks.
We should probably use a (mmapped?) file or some other mechanism so that
we can pump configuration changes in live without having to restart
processes if something changes (join/unjoin/location changes/...) but it
is a good start.

> 0002: the kerberos backend. Due to the lack of an asynchronous
> kerberos implementation this backend forks to make the blocking
> kerberos calls. The rest is hopefully asynchronous.

Ok, there may be a problem with just forking and not executing a new
process, in that dbus may then close the parent channels when you exit.
I am also changing the way auth modules interface; I will take on
working with this module to adapt it to the new interfaces before
committing it.

> 0003: to be able to create the user's credential cache with the right
> access permissions, we need to know the uid of the user. This patch
> adds a uid field to the main pam_data structure (I know that the
> primary uid is needed too, but it was not clear to me how to handle
> this in the case where we have MPGs. Simo, maybe you can add the right
> gid handling?)

I think we need to let the sysdb handle this for you, like we do for the
nss case. We also need to make the pam responder find out more info
about the user. I will take a closer look later on.

> 0004: the glibc getpwnam call will not work so I added a
> sysdb_getpwnam call to get the uid from the cached data (or the LOCAL
> backend). There is a hack that if the domain is called KRB (domain
> which the kerberos backend) the user is searched in the LOCAL backend,
> because kerberos is not an identity provider.

I already have a patch that separates identity and auth modules; I will
adapt the code before pushing, once my patch is in.

> 0005: this patch allows the pam client pam_sss to send messages back
> to the user via pam conversation which originated from the responder
> or the backends.

Ack, I will push this one this coming week.

> 0006: the kerberos backend cannot implement get_account_info. So far
> the data provider backend code does not check if a call is implemented
> or not. I have seen some delays and segmentation faults with nss calls
> when using the kerberos backend, so I implemented a small check to
> avoid calling a NULL pointer. This may not be necessary anymore if we
> split the nss get_account_info call (identity provider) and the pam
> call (authentication provider). I think I have seen a recent patch by
> Simo which will do a similar thing so maybe this one can just be
> dropped.

Yes, I have committed a more generic patch, which is not ideal either; my
upcoming code that separates identity and auth modules will address the
problem in a better way.

> 0007: the patches so far only touch code. This one contains all
> changes to the autotools files like configure.ac and Makefile.in to
> find the kerberos libraries, the kerberos plugin path and to compile
> the new files.
> 
> Have a nice weekend.

Thanks Sumit,
I will work this week to integrate these patches and adapt them to the
work I am doing on the interfaces. I hope we will soon be able to have
an ldap-backed identity provider perform kerberos pam authentication.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
