Currently, SSSD does retrieve PAC information for any authentication that was initiated using GSSAPI. However, in the situation where another application performed the authentication using a non-GSSAPI method and SSSD performs authorization in the PAM stack, information about this fact is not passed to the central authentication authority. This makes it harder to account for user logons for policies like 'Remove stale accounts which did not log in for X days'.
If SSSD receives a PAM stack request in the session stage and it didn't perform the actual authentication for this request, it could do an S4U2Self request to acquire a ticket to itself (host/...) on behalf of the user authenticated by the application. This would allow cases like SSH public key authentication to be visible to the KDC (the FreeIPA KDC, for example) and appear in the audit trail.
Shouldn't S4U2Self be done in the access stage?
I was thinking about session (in terms of PAM stages) because this is the stage where audit is done. pam_acct_mgmt is at the 'account' stage -- there is no access stage, per se.
pam_acct_mgmt is the stage where access control happens, and all PAM-enabled services should call it, because otherwise no access control will happen at all.
Btw, a cron job of a user will call pam_acct_mgmt() and pam_session(), so you just have to start a cron job and your account will never expire.
Metadata Update from @sbose: - Issue assigned to sbose
Metadata Update from @thalman: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1763180
Issue linked to Bugzilla: Bug 1763180
Metadata Update from @thalman: - Issue tagged with: bugzilla
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/5043
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @pbrezina: - Issue close_status updated to: cloned-to-github - Issue status updated to: Closed (was: Open)