krb5_child shares provider state with the identity provider. This has the unfortunate effect of not being able to handle authentication against a proxy-enabled KDC. A proxy-enabled KDC (using MS-KKDCP) is available all the time when the network is available, but LDAP access is not available until the user can establish a VPN connection. Establishing a VPN connection (to, say, ocserv of the OpenConnect project) can use Kerberos tickets obtained via the MS-KKDCP proxy that ocserv provides, but SSSD fails to obtain the ticket when logging into the workstation.
With the following change the krb5_child succeeds even when ID provider is in offline state:
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 2c5e446..6f9d392 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -2656,6 +2656,7 @@ int main(int argc, const char *argv[]) if (ret != EOK) { goto done; } + offline = false; close(STDIN_FILENO);
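Review bot: The added `offline = false;` in main() of krb5_child.c is unconditional, so it discards the offline state for every configuration and not only for realms whose KDC is reached through a proxy. Gate the assignment on a check that a KDC proxy is actually in use, and add a comment next to it stating why the offline state is ignored at this point, since the line on its own gives a reader no reason for the override.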
The patch is courtesy of Sumit Bose, I've tested it against my setup and it worked nicely.
Test packages are available at https://copr.fedoraproject.org/coprs/abbra/sssd-kkdcproxy/
Should this be conditioned on the configuration setting? The change is needed only when you have a setup that actually allows communication over the Internet. If the setup is not used, SSSD might misbehave, thinking that it can reach the KDC while it can't.
Yes, ideally we should base it on the fact that kdc URL in krb5.conf's definition of the realm is something prefixed by https:// or similar.
We have ticket #2652 as well, where we have to read the URL as well. So I guess we can combine those tickets and set a flag in the global krb5 provider context which disables the generation of the kdcinfo files and ignores the global offline state if a KDC proxy is used.
Sounds good to me.
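The check proposed in the comments above (treat a realm as proxy-reachable when its kdc entry in krb5.conf starts with https://, and only then ignore the offline state), as an added example that is not SSSD's code or the fix that was eventually merged. It scans the config text directly instead of using the krb5 profile library, and `realm_uses_kdc_proxy`, `effective_offline` and the sample configuration are hypothetical.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed krb5.conf, not from the ticket; all names here are hypothetical. */
static const char SAMPLE_CONF[] =
    "[libdefaults]\n default_realm = EXAMPLE.TEST\n[realms]\n"
    " EXAMPLE.TEST = {\n"
    "  kdc = https://vpn.example.test/KdcProxy\n"
    " }\n"
    " LAN.TEST = {\n"
    "  # kdc = https://disabled.lan.test/KdcProxy\n"
    "  kdc = kdc1.lan.test:88\n"
    " }\n";

static const char *skip_ws(const char *s) { while (*s == ' ' || *s == '\t') s++; return s; }

/* True when the realm's block under [realms] has a "kdc = https://..." entry. */
bool realm_uses_kdc_proxy(const char *conf, const char *realm)
{
    bool in_realms = false, in_target = false;
    int depth = 0;                      /* brace nesting inside [realms] */
    size_t rlen = strlen(realm);
    for (const char *line = conf; *line != '\0'; ) {
        const char *end = line + strcspn(line, "\n");
        const char *p = skip_ws(line);
        bool opens = memchr(p, '{', (size_t)(end - p)) != NULL;
        line = (*end == '\n') ? end + 1 : end;
        if (p == end || *p == '#' || *p == ';') continue;    /* blank or comment */
        if (*p == '[') {                                     /* section header */
            in_realms = strncmp(p, "[realms]", 8) == 0;
            depth = 0; in_target = false;
        } else if (in_realms && depth == 0 && opens) {       /* "REALM = {" */
            depth = 1;
            in_target = strncmp(p, realm, rlen) == 0 && strchr(" \t=", p[rlen]) != NULL;
        } else if (depth > 0 && (opens || *p == '}')) {      /* nested block or close */
            depth += opens ? 1 : -1;
            if (depth == 0) in_target = false;
        } else if (depth == 1 && in_target && strncmp(p, "kdc", 3) == 0) {
            const char *v = skip_ws(p + 3);
            if (*v == '=' && strncmp(skip_ws(v + 1), "https://", 8) == 0) return true;
        }
    }
    return false;
}

/* Rule from the discussion: ignore the offline flag only when a KDC proxy is used. */
bool effective_offline(bool backend_offline, const char *conf, const char *realm)
{
    return backend_offline && !realm_uses_kdc_proxy(conf, realm);
}
```

With this rule a realm that has only a plain KDC keeps the backend's offline state, which addresses the concern raised above about SSSD assuming it can reach a KDC that it cannot.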
Moving to 1.13.1, this should be fixed relatively soon in downstream.
milestone: NEEDS_TRIAGE => SSSD 1.13.1
Fields changed
cc: => cheimes@fedoraproject.org
owner: somebody => sbose
status: new => assigned
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1249015 (Red Hat Enterprise Linux 7)
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1249015 1249015]
patch: 0 => 1
resolution: => fixed
status: assigned => closed
Metadata Update from @abbra:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3741
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for any inconvenience.