#970 LDAP+GSSAPI needs explicit Kerberos realm
Closed: Fixed. Opened 7 years ago by jhrozek.

The sssd-ldap manual page says:

krb5_realm (string)
           Specify the Kerberos REALM (for SASL/GSSAPI auth).

           Default: System defaults, see /etc/krb5.conf

That's not true since we added the online/offline callbacks to create and delete kdcinfo files. They require the realm to be specified to construct the pathname of the kdcinfo files.

We have two options:
1. Fix the manual page to say the realm is required
2. Fix the code so it's in sync with the manual page and get the default realm from krb5.conf using krb5_get_default_realm()

Please note that the Kerberos auth provider requires the realm to be specified. This might be confusing to users and is already being tracked by ticket #570.


I vote for fixing the code to fetch the realm from the krb5 profile if this attribute is not set and the value is used.
Users must set stuff right in /etc/krb5.conf anyway in general, so it makes sense to allow them to let sssd pick up values from there.

I agree, we should try a sequence of fallbacks in the krb5 provider if krb5_realm is not given, like checking krb5_get_default_realm() and if this fails we can try with the uppercase name of the sssd domain as we do in the ipa provider.
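The fallback chain proposed in the two comments above, written out as an added example (Python, not SSSD's own code). SSSD would call krb5_get_default_realm() from libkrb5; to stay self-contained the example instead reads default_realm from the [libdefaults] section of a krb5.conf-style profile text, which is the value that call returns when the profile sets it (assumption: no domain_realm mapping or DNS realm lookup is involved). The kdcinfo directory and file-name layout used for the path check are assumptions too; the ticket only says the realm is needed to build that path.

```python
"""Resolve the Kerberos realm for an SSSD domain with the fallbacks the ticket proposes.

Added example, not SSSD code. Order of precedence:
  1. the explicit krb5_realm option,
  2. default_realm from [libdefaults] in the krb5 profile
     (stand-in for krb5_get_default_realm()),
  3. the SSSD domain name in upper case (the ipa provider's approach).
"""
from typing import Optional

# Assumed location of the kdcinfo files; the ticket does not state the path.
KDCINFO_DIR = "/var/lib/sss/pubconf"

# Constructed sample profile, not taken from a real host.
SAMPLE_KRB5_CONF = """\
# constructed sample krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
"""


def default_realm_from_profile(profile_text: str) -> Optional[str]:
    """Return default_realm from the [libdefaults] section, or None if unset.

    Minimal line-based reader: tracks the current [section] header and
    only honours default_realm inside libdefaults, so a key of the same
    name in another section (or inside a realm's { } block) is ignored.
    """
    section = None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "default_realm":
            return value.strip() or None
    return None


def resolve_realm(krb5_realm: Optional[str], sssd_domain: str,
                  profile_text: str) -> str:
    """Pick the realm the way the ticket suggests: option, profile, domain name."""
    if krb5_realm:
        return krb5_realm
    from_profile = default_realm_from_profile(profile_text)
    if from_profile:
        return from_profile
    # Last resort: SSSD domain name in upper case, as the ipa provider does.
    return sssd_domain.upper()


def kdcinfo_path(realm: str) -> str:
    """Build the kdcinfo file name; refuse an empty realm instead of producing
    a bogus 'kdcinfo.' path, which is the failure the ticket is about."""
    if not realm:
        raise ValueError("Kerberos realm is required to name the kdcinfo file")
    return f"{KDCINFO_DIR}/kdcinfo.{realm}"


if __name__ == "__main__":
    # No krb5_realm set: the profile's default_realm is used.
    realm = resolve_realm(None, "example.com", SAMPLE_KRB5_CONF)
    print(realm, kdcinfo_path(realm))
    # Profile without a default_realm: fall back to the upper-cased domain.
    realm = resolve_realm(None, "lab.example.net", "[logging]\n default = SYSLOG\n")
    print(realm, kdcinfo_path(realm))
```

The explicit option always wins, so a host whose /etc/krb5.conf default_realm differs from the domain's realm keeps working as before; the new behaviour only applies when krb5_realm is absent, which is the case the manual page already described.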

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.5.13

Fields changed

owner: somebody => jhrozek

Fields changed

patch: 0 => 1
status: new => assigned

Fixed by:
- 7452c32 (master)
- c3423f9 (sssd-1-6)
- 575096c (sssd-1-5)

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => 0

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.5.13

2 years ago
