#3657 Add man page for sssd_krb5_localauth_plugin
Closed: cloned-to-github 2 years ago by pbrezina. Opened 4 years ago by gerases.


I can't find any docs on the sssd_krb5_localauth plugin. I inherited an environment where it's used and I'm wondering what it actually does :)

Can someone please tell me in a few words? Or point me to the documentation on it?


Thanks for the info!

@jhrozek, is the “locator” plugin the same as “localauth” plugin?

The way I understand https://docs.pagure.org/SSSD.sssd/design_pages/nss_with_kerberos_principal.html, is that even if I disable the plugin, basic Principal-to-POSIX conversions will still be done correctly. Thus, if I only have one realm and KDC configured in krb5.conf, I don’t really need the plugin?

I didn’t quite understand the part about testing the plugin. This sentence confused me:

To make sure that a getent passwd user@domain.name search for the Kerberos principal user@domain.name and not for a fully qualified name the domain name in sssd.conf should differ from the realm name in the

On Mar 5, 2018, at 2:57 PM, Alexander Bokovoy pagure@pagure.io
abbra added a new comment to an issue you are following:
You can read design pages here: https://docs.pagure.org/SSSD.sssd/design_pages/nss_with_kerberos_principal.html

@gerases locator plugin and localauth plugin are two different plugin types for MIT Kerberos library. You can read about those in MIT Kerberos documentation.

localauth plugin documentation: https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/localauth.html and https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#localauth-interface. In addition, read about 'auth_to_local' rules in https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#realms. SSSD localauth plugin allows you to avoid specifying multitude of auth_to_local rules in krb5.conf on all SSSD clients.

locator plugin is https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/locate.html and is used to short-circuit searches for KDCs. This is important in a complex environment where one would need to stick to a specific DC and SSSD promotes this information to Kerberos library.

@gerases, I'm sorry I forgot to add a man page for sssd_krb5_localauth. I will use this ticket as a reminder to add one.

You are right that you can disable the plugin in "simple" environments. Typically, if you have a single realm and short user names you do not need it, because by default libkrb5 will use the user principal, strip the realm (i.e. the '@' and what comes after it) and use the remainder as the local user name.

The plugin was added to handle complex cases with trusted domains where fully-qualified user names must be used to avoid name collisions.
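To make the trade-off in the two comments above concrete (many auth_to_local rules in krb5.conf versus letting the SSSD localauth plugin do the mapping), here is an added example that is not SSSD or MIT Kerberos code: a small Python model of the auth_to_local rule evaluation described in the MIT krb5.conf documentation linked earlier, covering the DEFAULT rule (the "strip the realm" behaviour) and the RULE:[n:string](regexp)s/pattern/replacement/ form. The realms EXAMPLE.COM and AD.EXAMPLE.COM, the rule strings and the principals are constructed for illustration; MIT's real implementation uses POSIX regular expressions and supports escaping in principal names, which this model does not.

```python
"""Toy model of MIT Kerberos auth_to_local processing.

Added example, not SSSD or MIT code. It follows the rule types documented for
krb5.conf:
  DEFAULT   -> the principal name, but only for single-component principals
               in the default realm (otherwise the rule does not apply)
  RULE:[n:string](regexp)s/pattern/replacement/[g]
The realms, rules and principals below are constructed for this example.
"""
import re

DEFAULT_REALM = "EXAMPLE.COM"  # constructed default realm

# Constructed rules; in krb5.conf they would sit under
# [realms] -> EXAMPLE.COM = { auth_to_local = ... } (one line per rule).
# The first rule maps trusted-domain principals to fully-qualified local
# names (user@ad.example.com) that SSSD can resolve; DEFAULT handles the
# local realm.
RULES = [
    r"RULE:[1:$1@$0](^.*@AD\.EXAMPLE\.COM$)s/@AD\.EXAMPLE\.COM/@ad.example.com/",
    "DEFAULT",
]


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm). No escaping support (assumption)."""
    name, _, realm = principal.rpartition("@")
    if not realm or not name:
        raise ValueError("principal must look like name@REALM: %r" % principal)
    return name.split("/"), realm


def parse_rule(exp):
    """Parse '[n:fmt](regexp)s/pattern/replacement/g'; the regexp and s/// parts are optional."""
    if not exp.startswith("["):
        raise ValueError("rule must start with [n:string]: %r" % exp)
    close = exp.index("]")
    ncomp, fmt = exp[1:close].split(":", 1)
    rest = exp[close + 1:]
    regexp = None
    if rest.startswith("("):
        close = rest.index(")")  # assumption: no ')' inside the regexp
        regexp, rest = rest[1:close], rest[close + 1:]
    subst = None
    if rest.startswith("s/"):
        parts = rest[2:].split("/", 2)  # assumption: no '/' in pattern or replacement
        flags = parts[2] if len(parts) > 2 else ""
        subst = (parts[0], parts[1], "g" in flags)
    return int(ncomp), fmt, regexp, subst


def apply_rule(exp, components, realm):
    """Return the local name produced by one RULE, or None if the rule does not apply."""
    ncomp, fmt, regexp, subst = parse_rule(exp)
    if len(components) != ncomp:
        return None  # the rule only applies to principals with exactly n components
    # $0 is the realm, $1..$n are the principal components
    values = {"0": realm}
    values.update((str(i + 1), c) for i, c in enumerate(components))
    formatted = re.sub(r"\$(\d)", lambda m: values[m.group(1)], fmt)
    if regexp is not None and re.search(regexp, formatted) is None:
        return None
    if subst is not None:
        pattern, replacement, global_ = subst
        # replacement is inserted literally (the lambda bypasses backslash processing)
        formatted = re.sub(pattern, lambda m: replacement, formatted,
                           count=0 if global_ else 1)
    return formatted


def auth_to_local(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Map a principal to a local user name using the first rule that applies; None means no translation."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if len(components) == 1 and realm == default_realm:
                return components[0]  # strip the realm, keep the user name
        elif rule.startswith("RULE:"):
            local = apply_rule(rule[len("RULE:"):], components, realm)
            if local is not None:
                return local
        else:
            raise ValueError("unsupported auth_to_local rule: %r" % rule)
    return None


if __name__ == "__main__":
    for p in ["alice@EXAMPLE.COM", "alice@AD.EXAMPLE.COM",
              "host/www.example.com@EXAMPLE.COM"]:
        print("%-34s -> %s" % (p, auth_to_local(p)))
        print("%-34s -> %s (DEFAULT only)" % (p, auth_to_local(p, ["DEFAULT"])))
```

Running it shows the point of the thread: with only DEFAULT, a principal from the trusted realm (alice@AD.EXAMPLE.COM) gets no local name at all, while alice@EXAMPLE.COM becomes plain alice. The RULE line fixes that for one trusted realm, but every realm and every client needs its own such line, which is the configuration burden the SSSD localauth plugin removes by answering the mapping from SSSD's own knowledge of the domains.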



@sbose note that even for "simple" environments use of fully-qualified user names is required for NFSv4: https://pagure.io/SSSD/sssd/issue/3535

@gerases btw I'm sorry I confused you with sending a link to the wrong documentation. You're right, the plugins are different.

Ok, the mystery is a bit more clear now. What prompted my questions was that I found some puppet code in my environment that was doing chattr +i on the /var/lib/sss/pubconf/krb5.include.d/localauth_plugin file. There were no useful comments in that commit (sigh).

Further, the setting of the flag was done only for versions of sssd below 1.14. That's what prompted me to post a message in an effort to understand the purpose of that plugin.

After doing some research last night, I came across this thread: https://www.redhat.com/archives/freeipa-users/2015-December/msg00064.html describing the issue and the solution with chattr +i.

So I think I'm good now that I know the history behind the problem.

Is it OK to close the issue now?

This can be closed. Thank you.

Please keep it open. I changed the title to indicate that this ticket tracks the missing man page for the plugin.

Metadata Update from @sbose:
- Issue assigned to sbose

4 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2

4 years ago

Since we are near the 1.16.2 release and this ticket has no PR yet, it will slip into 1.16.3.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.3 (was: SSSD 1.16.2)

3 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.4 (was: SSSD 1.16.3)

3 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.2 (was: SSSD 1.16.4)

3 years ago

Metadata Update from @jhrozek:
- Issue tagged with: docs

3 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.3 (was: SSSD 2.2)

2 years ago

Metadata Update from @thalman:
- Issue tagged with: Next milestone

2 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4677

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

2 years ago
