#3657 Add man page for sssd_krb5_localauth_plugin

Created 4 months ago by gerases
Modified a month ago


I can't find any docs on the sssd_krb5_localauth plugin. I inherited an environment where it's used and I'm wondering what it actually does :)

Can someone please tell me in a few words? Or point me to the documentation on it?


Thanks for the info!

@jhrozek, is the "locator" plugin the same as the "localauth" plugin?

The way I understand https://docs.pagure.org/SSSD.sssd/design_pages/nss_with_kerberos_principal.html is that even if I disable the plugin, basic Principal-to-POSIX conversions will still be done correctly. Thus, if I only have one realm and KDC configured in krb5.conf, I don't really need the plugin?

I didn't quite understand the part about testing the plugin. This sentence confused me:

To make sure that a getent passwd user@domain.name search for the Kerberos principal user@domain.name and not for a fully qualified name the domain name in sssd.conf should differ from the realm name in the


On Mar 5, 2018, at 2:57 PM, Alexander Bokovoy (abbra) wrote:
You can read design pages here: https://docs.pagure.org/SSSD.sssd/design_pages/nss_with_kerberos_principal.html

@gerases The locator plugin and the localauth plugin are two different plugin types for the MIT Kerberos library. You can read about those in the MIT Kerberos documentation.

localauth plugin documentation: https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/localauth.html and https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#localauth-interface. In addition, read about 'auth_to_local' rules in https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#realms. The SSSD localauth plugin allows you to avoid specifying a multitude of auth_to_local rules in krb5.conf on all SSSD clients.

The locator plugin is https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/locate.html and is used to short-circuit searches for KDCs. This is important in a complex environment where one would need to stick to a specific DC, and SSSD promotes this information to the Kerberos library.

@gerases, I'm sorry I forgot to add a man page for sssd_krb5_localauth. I will use this ticket as a reminder to add one.

You are right that you can disable the plugin in "simple" environments. Typically, if you have a single realm and short user names you do not need it, because by default libkrb5 will take the user principal, strip the realm (i.e. the '@' and what comes after it) and use the remainder as the local user name.

The plugin was added to handle complex cases with trusted domains where fully-qualified user names must be used to avoid name collisions.
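As an added illustration of the mapping @sbose describes (this is example code, not the SSSD plugin's or libkrb5's own implementation), here is a minimal Python evaluator for the auth_to_local DEFAULT and RULE forms documented for krb5.conf: the default mapping strips the realm only for the default realm, while a RULE can keep trusted-domain users fully qualified so two "alice" accounts do not collide. The realms, user names and rules below are constructed, and the rule parser is simplified.

```python
import re

# Simplified grammar of one auth_to_local rule:
#   RULE:[n:format](selector)s/pattern/replacement/[g]
# $0 in format is the realm, $1..$n are the principal components.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/(.*?)/(.*?)/(g?))?$"
)

def apply_rule(rule, principal, default_realm):
    """Return the local name for principal under one rule, or None if it does not apply."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if rule == "DEFAULT":
        # libkrb5 default: single-component principal in the default realm only
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    ncomp, fmt, selector, pattern, repl, flag = m.groups()
    if int(ncomp) != len(comps):
        return None
    out = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, 1):
        out = out.replace(f"${i}", comp)
    if selector is not None and not re.fullmatch(selector, out):
        return None
    if pattern is not None:
        out = re.sub(pattern, repl, out, count=0 if flag == "g" else 1)
    return out

def map_principal(principal, rules, default_realm):
    """First matching rule wins, as libkrb5 evaluates auth_to_local in order."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None

def naive_strip(principal):
    """Stripping the realm for every realm: the collision the plugin avoids."""
    return principal.rsplit("@", 1)[0]

# Constructed rules: keep users of the trusted realm fully qualified (lower-cased
# realm), fall back to the default mapping for the local realm.
RULES = [
    r"RULE:[1:$1@$0](.*@TRUSTED\.AD\.EXAMPLE)s/@TRUSTED\.AD\.EXAMPLE/@trusted.ad.example/",
    "DEFAULT",
]
```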



@sbose note that even for "simple" environments use of fully-qualified user names is required for NFSv4: https://pagure.io/SSSD/sssd/issue/3535

@gerases btw I'm sorry I confused you with sending a link to the wrong documentation. You're right, the plugins are different.

Ok, the mystery is a bit clearer now. What prompted my questions was that I found some puppet code in my environment that was doing chattr +i on the /var/lib/sss/pubconf/krb5.include.d/localauth_plugin file. There were no useful comments in that commit (sigh).

Further, the setting of the flag was done only for versions of sssd below 1.14. That's what prompted me to post a message in an effort to understand the purpose of that plugin.

After doing some research last night, I came across this thread: https://www.redhat.com/archives/freeipa-users/2015-December/msg00064.html describing the issue and the solution with chattr +i.

So I think I'm good now that I know the history behind the problem.

Edited 4 months ago by gerases

Is it OK to close the issue now?

This can be closed. Thank you.

Please keep it open. I changed the title to indicate that this ticket tracks the missing man page for the plugin.

4 months ago

Metadata Update from @sbose:
- Issue assigned to sbose

4 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2

Since we are near the 1.16.2 release and this ticket has no PR yet, it will slip into 1.16.3.

a month ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.3 (was: SSSD 1.16.2)
