Due to a missing condition for the root user in SSSD's implementation of the localauth plugin for MIT Kerberos, users whose Kerberos principals are listed in /root/.k5login cannot log in to the root account with GSSAPI over ssh.
The SSH server calls krb5_kuserok() after successful authentication to map the authenticated principal's name to a local user name and to check whether it is allowed to log in. SSSD implements a localauth plugin that provides a userok() implementation, but it does not take the root user case into account. It needs to return the KRB5_PLUGIN_NO_HANDLE error code for this case so that the default check against ~/.k5login continues.
An ltrace excerpt for sshd login to root with GSSAPI looks like this:
26481 krb5_init_context(0x55a3e3e914f0, 0x55a3e4a74460, 1, 0x7fd12cecc620) = 0
26481 krb5_parse_name(0x55a3e4a8f840, 0x55a3e4a95e20, 0x7ffce9d89fc0, 0) = 0
26481 __snprintf_chk(0x7ffce9d88fa0, 4096, 1, 4096) = 14
26481 access("/root/.k5login", 0) = 0
26481 krb5_kuserok(0x55a3e4a8f840, 0x55a3e4a937a0, 0x55a3e4a74460, 1) = 0
26481 __snprintf_chk(0x7ffce9d86f70, 4096, 1, 4096) = 14
26481 krb5_kuserok(0x55a3e4a8f840, 0x55a3e4a937a0, 0x55a3e4a74460, 1) = 0
26481 krb5_free_principal(0x55a3e4a8f840, 0x55a3e4a937a0, 0, 0) = 0
26481 gss_release_buffer(0x7ffce9d8a004, 0x55a3e3e91480, 0, 0) = 0
26481 gss_release_buffer(0x7ffce9d8a004, 0x55a3e3e91490, 0, 0x7fd12d193b28) = 0
26481 gss_release_cred(0x7ffce9d8a004, 0x55a3e3e914a0, 0, 0x7fd12d193b28) = 0
Notice krb5_kuserok() returning 0 (FALSE), i.e. the principal is not accepted, while I have the following in my /root/.k5login:
[root@m1 ~]# cat .k5login
admin@EXAMPLE.COM
Notice also that /root/.k5login is never read, which means the k5login localauth plugin is not called.
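To make the return-code semantics described in the report concrete, here is an added C model of the localauth module walk (example code, not SSSD's plugin or MIT Kerberos's own source). It assumes a simplified chain of two modules (an SSSD-like mapper followed by a k5login-style file check), stand-in return codes in place of the real <krb5/localauth_plugin.h> values, and a constructed /root/.k5login containing the single principal from the ticket. The "before" module refuses root outright, which ends the walk before the k5login file is ever consulted; the "after" module returns the modelled KRB5_PLUGIN_NO_HANDLE for root so the default check runs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in return codes for a localauth userok() callback. The real values
 * come from <krb5/localauth_plugin.h> and <krb5.h>; these are local models. */
enum lauth_rc {
    LAUTH_OK = 0,        /* principal may log in as lname */
    LAUTH_DENY = 1,      /* EPERM-style refusal: the walk stops, access denied */
    LAUTH_NO_HANDLE = 2  /* models KRB5_PLUGIN_NO_HANDLE: defer to the next module */
};

typedef enum lauth_rc (*userok_fn)(const char *principal, const char *lname,
                                   const char *k5login);

/* Constructed stand-in for the contents of /root/.k5login (from the ticket). */
static const char ROOT_K5LOGIN[] = "admin@EXAMPLE.COM\n";

/* Modelled SSSD userok() before the fix: it maps user@REALM to user and
 * refuses everything else. Because root never matches, root is refused too. */
static enum lauth_rc sssd_userok_before(const char *principal, const char *lname,
                                        const char *k5login)
{
    (void)k5login;
    const char *at = strchr(principal, '@');
    size_t n = at ? (size_t)(at - principal) : strlen(principal);
    if (strlen(lname) == n && strncmp(principal, lname, n) == 0)
        return LAUTH_OK;
    return LAUTH_DENY;   /* the missing root condition: this also fires for lname == "root" */
}

/* Modelled SSSD userok() after the fix: root is handed back to the default chain. */
static enum lauth_rc sssd_userok_after(const char *principal, const char *lname,
                                       const char *k5login)
{
    if (strcmp(lname, "root") == 0)
        return LAUTH_NO_HANDLE;
    return sssd_userok_before(principal, lname, k5login);
}

/* Modelled k5login module: accept iff the principal is a line of the user's
 * .k5login. The file exists here, so it is treated as authoritative and a
 * non-match is a refusal. */
static enum lauth_rc k5login_userok(const char *principal, const char *lname,
                                    const char *k5login)
{
    (void)lname;
    size_t plen = strlen(principal);
    const char *p = k5login;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len == plen && strncmp(p, principal, plen) == 0)
            return LAUTH_OK;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return LAUTH_DENY;
}

/* Models krb5_kuserok()'s walk: 0 accepts, NO_HANDLE continues, anything
 * else ends the walk with a denial. */
static bool kuserok(const userok_fn *modules, size_t count, const char *principal,
                    const char *lname, const char *k5login)
{
    for (size_t i = 0; i < count; i++) {
        enum lauth_rc rc = modules[i](principal, lname, k5login);
        if (rc == LAUTH_OK)
            return true;
        if (rc != LAUTH_NO_HANDLE)
            return false;
    }
    return false;
}

/* Runs the chain with either the buggy or the fixed SSSD module first. */
bool login_allowed(bool fixed, const char *principal, const char *lname)
{
    userok_fn chain[2] = { fixed ? sssd_userok_after : sssd_userok_before,
                           k5login_userok };
    return kuserok(chain, 2, principal, lname, ROOT_K5LOGIN);
}

int main(void)
{
    printf("root via admin@EXAMPLE.COM, before fix: %s\n",
           login_allowed(false, "admin@EXAMPLE.COM", "root") ? "allowed" : "denied");
    printf("root via admin@EXAMPLE.COM, after fix:  %s\n",
           login_allowed(true, "admin@EXAMPLE.COM", "root") ? "allowed" : "denied");
    return 0;
}
```

The point the model makes for a reviewer is that a plugin which cannot decide a case must say so (NO_HANDLE) rather than refuse: a hard refusal from an early module is final, so a later, authoritative source such as the user's .k5login never gets a chance to run. The same walk also shows that the fix does not widen access, since a principal absent from /root/.k5login is still refused for root.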
This is related to ticket #2707
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.14 beta
rhbz: => todo
owner: somebody => lslebodn
patch: 0 => 1
status: new => assigned
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1297462 (Red Hat Enterprise Linux 7)
rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=1297462 1297462]
Since there is a patch available, moving to 1.14 alpha.
milestone: SSSD 1.14 beta => SSSD 1.14 alpha
The patches are under review, but I would like to release 1.14 alpha today, therefore moving to 1.14.0.
milestone: SSSD 1.14 alpha => SSSD 1.14.0
The original patch was nacked on the devel list, moving to triage to decide what to do with this ticket.
milestone: SSSD 1.14.0 => NEEDS_TRIAGE
We already did some improvements to the localauth plugin logic; this ticket is an incremental improvement.
milestone: NEEDS_TRIAGE => SSSD 1.16 beta
milestone: SSSD 1.16 beta => SSSD 1.14.0
resolution: => fixed
status: assigned => closed
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1240302 (Red Hat Enterprise Linux 7)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1297462 1297462] => [https://bugzilla.redhat.com/show_bug.cgi?id=1297462 1297462], [https://bugzilla.redhat.com/show_bug.cgi?id=1240302 1240302]
Metadata Update from @abbra:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.14.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3829
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.