#2700 krb5_child should always consider online state to allow use of MS-KKDC proxy
Closed: Fixed. Opened 3 years ago by abbra.

krb5_child shares provider state with the identity provider. This has the unfortunate effect of not being able to handle authentication against a proxy-enabled KDC. A proxy-enabled KDC (using MS-KKDCP) is available all the time when the network is available, but LDAP access is not available until the user can establish a VPN connection. Establishing the VPN connection (to, say, ocserv of the OpenConnect project) can use Kerberos tickets obtained via the MS-KKDCP proxy that ocserv provides, but SSSD fails to obtain the ticket when logging into the workstation.

With the following change, krb5_child succeeds even when the ID provider is in the offline state:

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 2c5e446..6f9d392 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2656,6 +2656,7 @@ int main(int argc, const char *argv[])
     if (ret != EOK) {
         goto done;
     }
+    offline = false;

     close(STDIN_FILENO);
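Review bot: the added `offline = false;` in main() unconditionally discards whatever offline state krb5_child was started with, so every krb5_child run will try to reach the KDC even on hosts that have no KDC proxy configured, which is the misbehaviour raised later in this ticket. Gate the override on a provider-level flag instead (for example one set when the realm's kdc entries in krb5.conf use an https:// URL, as proposed for combining with #2652), and add a one-line comment at the assignment explaining why the shared offline state is being ignored there, since the bare assignment right after the `if (ret != EOK) { goto done; }` check gives the next reader no hint.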

The patch is courtesy of Sumit Bose; I've tested it against my setup and it worked nicely.


Should this be conditioned on a configuration setting? The change is needed only when you have a setup that actually allows communication over the Internet. If such a setup is not used, SSSD might misbehave, thinking that it can reach the KDC while it can't.

Yes, ideally we should base it on the fact that the kdc URL in krb5.conf's definition of the realm is something prefixed by https:// or similar.

We have ticket #2652 as well, where we have to read the URL as well. So I guess we can combine those tickets and set a flag in the global krb5 provider context which disables the generation of the kdcinfo files and ignores the global offline state if a KDC proxy is used.
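The heuristic proposed in the two comments above (only ignore the shared offline state when the realm's KDCs are https:// MS-KKDCP proxies), sketched as an added example that is not SSSD's own code. It parses a constructed krb5.conf fragment with a minimal line-oriented reader; the function name `realm_uses_kdc_proxy` and the sample realms are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed sample krb5.conf (not from the ticket): one realm whose only
 * KDC is an MS-KKDCP proxy, one that mixes a proxy with a plain KDC. */
static const char *sample_conf =
    "[realms]\n"
    " EXAMPLE.COM = {\n"
    "  kdc = https://kkdcp.example.com/KdcProxy\n"
    " }\n"
    " MIXED.TEST = {\n"
    "  kdc = https://proxy.mixed.test/KdcProxy\n"
    "  kdc = kdc2.mixed.test\n"
    " }\n";

static const char *skip_ws(const char *s) { while (*s == ' ' || *s == '\t') s++; return s; }

/* 1: every kdc of `realm` is an https:// (MS-KKDCP) proxy, reachable whenever
 * the network is, so the ID provider's offline state need not block it.
 * 0: at least one plain KDC, keep honouring the shared offline state.
 * -1: realm or its kdc entries not found under [realms]. */
int realm_uses_kdc_proxy(const char *conf, const char *realm)
{
    bool in_realms = false, in_realm = false;
    int proxy = 0, plain = 0;
    size_t rlen = strlen(realm);
    while (*conf) {
        const char *p = skip_ws(conf);             /* this line, indentation skipped */
        const char *nl = strchr(conf, '\n');
        conf = nl ? nl + 1 : conf + strlen(conf);  /* advance to the next line */
        if (*p == '[') {                           /* section header */
            in_realms = strncmp(p, "[realms]", 8) == 0;
            in_realm = false;
        } else if (in_realms && !in_realm) {       /* "REALM = {" opens the block */
            if (strncmp(p, realm, rlen) == 0) {
                const char *q = skip_ws(p + rlen);
                in_realm = (*q == '=' && *skip_ws(q + 1) == '{');
            }
        } else if (in_realm && *p == '}') {        /* block closed */
            in_realm = false;
        } else if (in_realm && strncmp(p, "kdc", 3) == 0) {
            const char *q = skip_ws(p + 3);
            if (*q != '=') continue;               /* some other key starting with kdc */
            q = skip_ws(q + 1);
            if (strncmp(q, "https://", 8) == 0) proxy++; else plain++;
        }
    }
    if (proxy == 0 && plain == 0) return -1;
    return plain == 0 ? 1 : 0;
}
```

A provider that got 1 back could set the flag the comment above describes; a mixed realm yields 0 so the shared offline state still applies there.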

Moving to 1.13.1, this should be fixed relatively soon in downstream.

milestone: NEEDS_TRIAGE => SSSD 1.13.1

Fields changed

cc: => cheimes@fedoraproject.org

Fields changed

owner: somebody => sbose
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @abbra:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1

2 years ago
