URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication

pbrezina commented:
"""
> while testing this PR it looks like `KRB5CCNAME` is not respected. If the 
> user uses a different ccache type than defined in `/etc/krb5.conf`, or if, with 
> `default_ccache_name = FILE:/tmp/krb5cc_%{uid}_XXXXXX`, the ccache name has a 
> random component, authentication does not work.

Hmm, nice catch. Unfortunately sudo resets the environment before PAM 
invocation, so KRB5CCNAME is not available for the PAM module. It can be made 
available by adding it to env_keep in /etc/sudoers, but this will also make it 
available in the called process, and this is probably not what we want, so we 
will have to patch sudo to keep this variable for PAM. I'll ask sudo upstream 
what our options are.

However, even if the variable is available, gssapi uses the default location:
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 91600000
pam_sss_gss: Trying to establish security context
pam_sss_gss: User domain: ipa.vm, Target name: h...@master.client.vm
pam_sss_gss: Unable to establish GSS context [maj:0xd0000, min:0x96c73a8d]
pam_sss_gss: GSSAPI: Unspecified GSS failure.  Minor code may provide more 
information
pam_sss_gss: GSSAPI: No Kerberos credentials available (default cache: 
FILE:/tmp/krb5cc_91600000_XXXXXX)
pam_sss_gss: Switching euid from 91600000 to 0
pam_sss_gss: KRB5CCNAME=FILE:/tmp/krb5cc_91600000_nSfT3j
pam_sss_gss: System error [5]: Input/output error

@frozencemetery Is there any gssapi call I should call to make it use this 
variable?

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5367#issuecomment-734305838
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org