[Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

Jakub Hrozek jhrozek at redhat.com
Tue Dec 8 19:25:13 UTC 2015


On Tue, Dec 08, 2015 at 02:30:54PM +0100, Stefano Cortese wrote:
>    Jakub Hrozek wrote:
> 
>  On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote:
> 
> 
>  So the questions are:
>  - is there another cleaner way to exclude the localauth sssd plugin
>  (considering that the configuration snippet is recreated at every sssd
>  restart)?
> 
> 
>  Can you test if this hack would help:
>     # service sssd stop
>     # rm /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>     # touch /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>     # chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
>     # service sssd start
> 
> 
>  It works, thanks
> 
> 
> 
>  btw also check out this ticket:
>     https://fedorahosted.org/sssd/ticket/2788
> 
> 
>  not needing principal switching from/to root for the moment
> 
> 
>  Yes, sorry, wrong ticket:
>      https://fedorahosted.org/sssd/ticket/2707
> 
>  Maybe I wasn't clear in describing the setup.
> 
>  I am attempting to log in from a local machine as "userA", using the
>  credentials of a "service principal" defined in IPA, to a remote machine as
>  "userB".
>  The userB principal is resolvable on the remote host via "getent passwd
>  userB" because it is a user principal.
>  The userA principal is also resolvable on the local machine, but this should
>  not play a role because the user's credentials are not used for the
>  connection, only the service credentials, as a client.
>  The service principal is not resolvable via "getent passwd" on either the
>  originating host or the destination host.
>  The trick with .k5login is that the service principal used in the connection
>  is granted access as userB because it is listed as one of the principals
>  that correspond to the userB posix account on the remote host.
> 
> 
>  Thank you; then I think #2707 would help you, because you could configure
>  it so that .k5login is still used.
> 
> 
> 
>    Hi Jakub,
>    yes, maybe it could help, even if I didn't find many details (bugzilla says
>    I am not authorized to access the Red Hat Bug 1240302 with my bugzilla
>    account; I have also tried with our Red Hat support licensed account).

Try now; there is nothing confidential in the bug, so I opened it. (I'm
afraid there's nothing useful in it either, but the BZ might be useful as a
reference for support.)

>    It seems to have been filed for sssd 1.14 and RHEL 7; is there any hope
>    that it will also be implemented for 6.7 or 6.8? We can't upgrade the IPA
>    clients to 7.
>    Bye
>    Stefano

I can't promise anything because the scope of the changes is not totally
clear, but can you please open a support case asking for the change in
RHEL-6? Feel free to send me the case number then. It might also be
helpful to include why the workaround is not helpful or not feasible for you,
because RHEL-6 is already getting quite late in the cycle, so all changes
have to be justified.
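The workaround quoted earlier in this thread (stop sssd, replace the generated localauth_plugin include with an empty file, set the immutable bit, start sssd) leaves a state that a later admin or package update can silently undo, at which point SSSD rewrites the snippet and the localauth plugin is active again. The script below is an added example, not code from the thread or from the SSSD project: it wraps the same steps in functions, adds a drift check (file present, empty, immutable) and a revert path. The include path is the one from the thread; the `service` commands, the content SSSD writes into the snippet, and the lsattr output format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD: wraps the quoted
# workaround (stop sssd, empty the localauth_plugin include, chattr +i,
# start sssd) in functions, with a verification step and a revert step.
# The path is from the thread; "service" commands, the snippet content
# SSSD generates, and the lsattr column layout are assumptions.

INCLUDE_FILE=${INCLUDE_FILE:-/var/lib/sss/pubconf/krb5.include.d/localauth_plugin}

# Create or truncate the include file so libkrb5 reads an empty snippet
# instead of the [plugins] localauth stanza SSSD generates.
write_empty_include() {
    f=$1
    mkdir -p "$(dirname "$f")" || return 1
    : > "$f" || return 1
    chmod 0644 "$f"
}

# 0 only if the file exists and is empty; any content means the SSSD
# snippet (or something else) is back and the plugin may be active again.
include_is_neutralised() {
    f=$1
    [ -f "$f" ] && [ ! -s "$f" ]
}

# 0 if the immutable bit is set. lsattr prints the attribute flags in the
# first column; lowercase "i" is the immutable flag.
is_immutable() {
    f=$1
    command -v lsattr >/dev/null 2>&1 || return 2
    lsattr -d "$f" 2>/dev/null | awk '{ print $1 }' | grep -q 'i'
}

# Full workaround: SSSD rewrites the snippet at startup, so it must be
# stopped first and the immutable bit must be on before it starts again.
pin_localauth_include() {
    f=$1
    service sssd stop || return 1
    write_empty_include "$f" || return 1
    if ! chattr +i "$f"; then
        echo "chattr +i failed: SSSD will rewrite $f on start" >&2
        return 1
    fi
    service sssd start
}

# Revert: drop the immutable bit, remove the file, let SSSD regenerate it.
unpin_localauth_include() {
    f=$1
    chattr -i "$f" || return 1
    rm -f "$f"
    service sssd restart
}

# Drift check for monitoring or a post-update hook: non-zero means the
# localauth plugin may be (or will be, after the next restart) enabled.
check_localauth_include() {
    f=$1
    if ! include_is_neutralised "$f"; then
        echo "NOT pinned: $f is missing or non-empty" >&2
        return 1
    fi
    if ! is_immutable "$f"; then
        echo "WARNING: $f is empty but not immutable; next sssd restart rewrites it" >&2
        return 1
    fi
    echo "pinned: $f is empty and immutable"
}

case "${1:-}" in
    pin)   pin_localauth_include "$INCLUDE_FILE" ;;
    unpin) unpin_localauth_include "$INCLUDE_FILE" ;;
    check) check_localauth_include "$INCLUDE_FILE" ;;
    "")    ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 pin|unpin|check" >&2; exit 2 ;;
esac
```

Run `check` from cron or a configuration-management hook so that a package update or a new SSSD release that changes the include path shows up as a failed check rather than as ssh logins silently losing the .k5login behaviour; `unpin` is the documented way back to stock behaviour.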
