[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
Confirmed the issue on jammy, and the fix, by joining a machine to a windows AD domain, and attempting to login via ssh GSSAPIAuthentication as a domain user. It only works if I either put the principal name in ~/.k5login, or include the sssd localauth plugin via the include files as discussed in this bug. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
> Without this passwordless login using GSSAPI via SSH is not possible to a Ubuntu 22.04 machine. This is not entirely true. We have tests that attempt this login and they pass just fine. There is some other detail that is missing. I'll read up in more detail on what the sssd_krb5_localauth_plugin.so plugin does. The upstream bug also had in one of the comments confirmation that a ~/.k5login file with the name of the principal would allow login to work, which tells me some sort of mapping between the username of the ssh command (which can have @DOMAIN components) and the local username is missing, and that plugin might be responsible for it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
There are two components here: a) sssd to ship /etc/krb5.conf.d/enable_sssd_conf_dir This was done in 2.7.0-1, and is present in ubuntu mantic and later b) krb5.conf to includedir /etc/krb5.conf.d This should be done in src:kerberos-configs, and is not done yet anywhere ** Also affects: sssd (Ubuntu) Importance: Undecided Status: New ** Also affects: kerberos-configs (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: sssd (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: kerberos-configs (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: sssd (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: kerberos-configs (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: sssd (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: kerberos-configs (Ubuntu Oracular) Importance: Undecided Assignee: Andreas Hasenack (ahasenack) Status: In Progress ** Also affects: sssd (Ubuntu Oracular) Importance: Undecided Status: New ** Changed in: sssd (Ubuntu Oracular) Status: New => Fix Released ** Changed in: sssd (Ubuntu Noble) Status: New => Fix Released ** Changed in: sssd (Ubuntu Mantic) Status: New => Fix Released ** Changed in: sssd (Ubuntu Jammy) Status: New => In Progress ** Changed in: sssd (Ubuntu Jammy) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
** Changed in: kerberos-configs (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: kerberos-configs (Ubuntu) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
I discussed this with the team; ahasenack suggests that we should add that include line to src:kerberos-configs, which is the package that provides krb5.conf. ** Package changed: sssd (Ubuntu) => kerberos-configs (Ubuntu) ** Changed in: kerberos-configs (Ubuntu) Status: New => Triaged ** Tags added: server-todo -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2037321] Re: missing includedir snippet in krb5.conf causes GSSAPI to fail
Can confirm too. It was hard to find the solution, so I hope this will avoid people banging head on the table. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2037321 Title: missing includedir snippet in krb5.conf causes GSSAPI to fail To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2037321/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
