[Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7
Jakub Hrozek
jhrozek at redhat.com
Tue Dec 8 19:25:13 UTC 2015
On Tue, Dec 08, 2015 at 02:30:54PM +0100, Stefano Cortese wrote:
> Jakub Hrozek wrote:
>
> On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote:
>
> So the questions are:
> - is there another, cleaner way to exclude the localauth sssd plugin
> (considering that the configuration snippet is recreated at every sssd
> restart)?
>
> Can you test if this hack would help:
> # service sssd stop
> # rm /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> # touch /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> # chattr +i /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> # service sssd start
>
> It works, thanks
>
> btw also check out this ticket:
> [1]https://fedorahosted.org/sssd/ticket/2788
>
> not needing principal switching from/to root for the moment
>
> Yes, sorry, wrong ticket:
> [2]https://fedorahosted.org/sssd/ticket/2707
>
> Maybe I wasn't clear in describing the setup.
>
> I am attempting to log in from a local machine as "userA", using the
> credentials of a "service principal" defined in IPA, to a remote machine as
> "userB".
> The userB principal is resolvable on the remote host via "getent passwd
> userB" because it is a user principal.
> The userA principal is also resolvable on the local machine, but this should
> not play a role because the user's credentials are not used for the
> connection, only the service credentials, as a client.
> The service principal is not resolvable via "getent passwd" on either the
> originating host or the destination host.
> The trick with .k5login is that the service principal used in the connection
> is granted access as userB because it is listed as one of the principals
> that correspond to the userB posix account on the remote host.
>
> Thank you, then I think #2707 would help you because you could configure
> that .k5login is still used.
>
> Hi Jakub,
> yes, maybe it could help, even if I didn't find many details (bugzilla says
> I am not authorized to access the RedHat Bug 1240302 with my bugzilla
> account; I have also tried with our RedHat support licensed account).
Try now; there is nothing confidential in the bug, so I opened it. (I'm
afraid there's nothing useful in it either, but the BZ might be useful as a
reference for support.)
> It seems to have been filed for sssd 1.14 and RHEL7; is there any hope
> that it will also be implemented for 6.7 or 6.8? We can't upgrade to 7
> for the IPA clients.
> Bye
> Stefano
I can't promise anything because the scope of the changes is not totally
clear, but can you please open a support case asking for the change in
RHEL-6? Feel free to send me the case number, then. It might also be
helpful to include why the workaround is not helpful/not feasible for you,
because RHEL-6 is already getting quite late in the cycle, so all changes
should be justified.
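As an added example (this is not code from the thread, from Stefano, or from sssd), the shell below wraps the two pieces of the setup discussed above: writing the .k5login on the remote host that maps a service principal onto the userB account, and the chattr +i workaround for sssd's localauth snippet, with a check that the immutable bit actually stuck before sssd is started again. The home directory and the principals are assumptions; the snippet path is the one from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread): helpers for the two pieces of the
# setup discussed above. Home directory, account names and principals are
# assumptions; the snippet path is the one Jakub gave.

# Write <home>/.k5login for a local account so that each listed principal
# (for example an IPA service principal) is accepted as that account.
# krb5 ignores a .k5login that is not owned by the account or root; keeping
# the mode at 0600 also stops anyone else from editing who may log in.
# Usage: write_k5login <home_dir> <principal> [<principal> ...]
write_k5login() {
    k5home="$1"; shift
    [ -d "$k5home" ] || { echo "no such home directory: $k5home" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no principals given" >&2; return 1; }
    k5tmp="$k5home/.k5login.tmp.$$"
    : > "$k5tmp"
    for p in "$@"; do
        # a principal must carry a realm: name@REALM or name/instance@REALM
        case "$p" in
            *@?*) printf '%s\n' "$p" >> "$k5tmp" ;;
            *) echo "bad principal (missing realm): $p" >&2; rm -f "$k5tmp"; return 1 ;;
        esac
    done
    chmod 0600 "$k5tmp"
    mv "$k5tmp" "$k5home/.k5login"
}

# Print how many principals <home>/.k5login currently accepts (0 if absent).
k5login_count() {
    if [ -f "$1/.k5login" ]; then
        grep -c . "$1/.k5login" || true
    else
        echo 0
    fi
}

# Jakub's workaround, wrapped with a check: replace sssd's krb5 localauth
# snippet with an empty immutable file so sssd cannot recreate it on restart
# and krb5 falls back to .k5login / auth_to_local. Needs root, and chattr +i
# needs a filesystem that supports the immutable attribute (e.g. ext4, xfs).
neutralize_localauth_plugin() {
    snippet="${1:-/var/lib/sss/pubconf/krb5.include.d/localauth_plugin}"
    service sssd stop || return 1
    rm -f "$snippet"
    : > "$snippet"
    chattr +i "$snippet" || { echo "chattr +i failed on $snippet" >&2; return 1; }
    # confirm the immutable bit is really set before sssd comes back
    lsattr "$snippet" | cut -d' ' -f1 | grep -q i \
        || { echo "$snippet is not immutable" >&2; return 1; }
    service sssd start
}
```

The lsattr check matters because chattr can fail silently on filesystems without attribute support, in which case sssd would simply rewrite the snippet on its next start and the plugin would be back. Remember that the immutable bit also blocks package upgrades or a later `sssd` fix from touching that file until you run `chattr -i`.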