On Thu, Nov 15, 2018 at 06:06:01PM +0100, Sumit Bose via FreeIPA-users wrote:
> On Thu, Nov 15, 2018 at 04:17:20PM +0100, Natxo Asenjo via FreeIPA-users 
> wrote:
> > hi,
> > 
> > for posterity's sake, this appears to be a problem with kcm (whatever that
> > is, don't know yet, will look it up later).
> > 
> > I turned it off in /etc/krb5.conf.d/kcm_default_ccache (just comment out
> > the two uncommented lines) and after restarting sssd or rebooting, with
> > selinux enabled, it works.
> 
> ah, sorry, I should have thought of this earlier. This is most probably
> https://pagure.io/SSSD/sssd/issue/3376.

Thank you for digging into this.

While the root access itself is easy to fix, there would be another
problem. MIT, unlike Heimdal, doesn't allow you to refer to a collection
with KCM:%{uid}. You can either use KCM: and then libkrb5 should do the
right thing and either create a new subsidiary cache for this principal
or switch to an existing one. Alternatively you can point to a residual
cache with KCM:%{uid}:xyz.

I thought this was a bug in MIT, but upstream disagreed.

> 
> SSSD's krb5_child runs as root with the IPA provider, e.g. to be
> able to read the keytab for the Kerberos ticket validation. Due to the
> issue from above it cannot save the TGT for the user.

Looking at the code, it's not running as root in general, but only in the
SC case:

    /* pkinit needs access to pcscd */
    if ((sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN
            && sss_authtok_get_type(kr->pd->authtok)
                                        != SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
        kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain);
        if (kerr != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
            ret = EFAULT;
            goto done;
        }
    }

I hope we would have heard someone complaining quite sooner if no IPA
logins were possible with KCM :)
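As an added illustration (not code from this thread, from SSSD or from MIT krb5): a small check that reads a krb5.conf snippet such as /etc/krb5.conf.d/kcm_default_ccache, finds the uncommented default_ccache_name, and classifies it according to the MIT rules described above (KCM: is the collection, KCM:%{uid}:xyz a single residual cache, bare KCM:%{uid} the Heimdal-only form). The snippet contents and the uid are constructed sample values.

```python
import re

# Constructed sample of a kcm_default_ccache snippet (hypothetical contents;
# the real file shipped with sssd-kcm is not quoted in the thread).
SAMPLE_KCM_SNIPPET = """\
# Use the KCM credential cache by default
[libdefaults]
    default_ccache_name = KCM:
"""

KEY_RE = re.compile(r"^\s*default_ccache_name\s*=\s*(\S+)\s*$")


def find_default_ccache_name(text):
    """Return the first uncommented default_ccache_name value, or None
    if every copy is commented out (which is what the workaround above does)."""
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            return m.group(1)
    return None


def classify_kcm_name(name, uid):
    """Classify a ccache name the way MIT libkrb5 interprets it:
    'collection'   - 'KCM:' : libkrb5 picks or creates a subsidiary cache
    'subsidiary'   - 'KCM:<uid>:<residual>' : one specific cache
    'heimdal-only' - bare 'KCM:<uid>' : accepted by Heimdal, not by MIT
    'unset'        - no value, libkrb5 uses its built-in default
    'not-kcm'      - some other cache type (FILE:, DIR:, ...)"""
    if name is None:
        return "unset"
    expanded = name.replace("%{uid}", str(uid))
    if not expanded.startswith("KCM:"):
        return "not-kcm"
    residual = expanded[len("KCM:"):]
    if residual == "":
        return "collection"
    owner, _, cache = residual.partition(":")
    if owner == str(uid) and cache:
        return "subsidiary"
    if owner == str(uid):
        return "heimdal-only"
    return "other-uid"  # points at another user's caches; almost certainly a mistake
```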
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]