Public bug reported:

Please enable the sssd-secrets service. This needs the MIR for http-parser (#1638957) to pass.
[Rationale]
From the MIR bug (#1638957):

The Debian sssd package has the secrets service enabled, and disabling it in the Ubuntu package is part of the delta we carry. The secrets service can be used as a generic key/value database for secrets, and one of its consumers is a kerberos KDC via KCM (Kerberos Cache Manager), implemented by sssd-kcm. sssd-kcm gives users an option to store the credentials in a cache that persists across reboots, as opposed to when it's stored in the kernel keyring or in /tmp, when that is a tmpfs. sssd-secrets can also use a remote Custodia [https://github.com/simo5/custodia] (in Universe) server to store its secrets there. sssd-secrets is unix socket activated and won't be running until there is a connection to that socket.

[Testing]
This is the testing that was done. Only the local store was tested, not the Custodia remote server case. During testing, I found a related bug and filed a bug in debian about it with a related MP in salsa (https://bugs.debian.org/892315).
Quick simple test
=================
sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
sudo apt install sssd

# Store a secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XPUT http://localhost/secrets/foo -d'{"type":"simple","value":"foosecret"}';echo
<html>
<head>
<title>200 OK</title></head>
<body>
<h1>OK</h1>
<p>Success</p>
</body>

# retrieve the secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
{
"type": "simple",
"value": "foosecret"
}

# trying to retrieve the same secret as a different user won't work, because secrets are per user
$ sudo curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
<html>
<head>
<title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested resource was not found.</p>
</body>

Extended test
=============
This is a more extended version of this verification, and it tests the integration of the secrets service between three services: the secrets service itself, the MIT kerberos client libraries, and the sssd-kcm service (kerberos cache manager).

sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
sudo apt install sssd sssd-kcm

# use EXAMPLE.COM for the kerberos realm, and localhost for the admin and kdc servers, when prompted
sudo apt install krb5-user krb5-kdc krb5-admin-server

# the kdc will fail to start because there is no realm yet; that's ok, we will create it now. Use whatever password you want
sudo krb5_newrealm

# create a kerberos principal. This uses "secret" as the password
sudo kadmin.local -q "addprinc -pw secret ubuntu"

# edit /etc/krb5.conf and tell the library to use KCM by default
[libdefaults]
default_ccache_name = KCM:   # <-- add this line

# create /etc/sssd/sssd.conf with these contents:
[sssd]
config_file_version = 2
services = pam
domains = example.com

[pam]

[domain/example.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = localhost
krb5_realm = EXAMPLE.COM

# adjust permissions
sudo chmod 0600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf

# (re)start sssd
sudo systemctl restart sssd

# test getting a ticket for "ubuntu". Notice how the cache is using "KCM":
ubuntu@bionic-sssd-http-parser:~$ kinit
Password for ubu...@example.com:

ubuntu@bionic-sssd-http-parser:~$ klist
Ticket cache: KCM:1000
Default principal: ubu...@example.com

Valid starting     Expires            Service principal
03/08/18 13:09:12  03/08/18 23:09:12  krbtgt/example....@example.com
	renew until 03/09/18 13:09:10

# install ldb-tools
sudo apt install ldb-tools

# perform a search on the secrets database to see the entry created by kcm
$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
# record 1
dn: cn=3615a3ca-b857-4ee6-ae70-3a82485276b3-1000,cn=ccache,cn=1000,cn=persistent,cn=kcm

# record 2
dn: cn=ccache,cn=1000,cn=persistent,cn=kcm

# returned 2 records
# 2 entries
# 0 referrals

# destroy the kerberos ticket and confirm it's gone from the secrets database
ubuntu@bionic-sssd-http-parser:~$ kdestroy
ubuntu@bionic-sssd-http-parser:~$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
# returned 0 records
# 0 entries
# 0 referrals

** Affects: sssd (Ubuntu)
     Importance: Undecided
     Assignee: Andreas Hasenack (ahasenack)
         Status: In Progress

** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/sssd/+git/sssd/+merge/341122

** Description changed:

  Please enable the sssd-secrets service. This needs the MIR for http-parser (#1638957) to pass.
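The quick test above drives the secrets responder with curl over its Unix socket. The following Python client, added here as an example and not code from the bug report or from SSSD itself, performs the same exchange without curl: it builds the PUT and GET requests, parses the two kinds of reply the test shows (JSON for a stored secret, an HTML status page otherwise), and treats a 404 as "no secret under this name for the calling user", which is what the sudo variant of the test demonstrates. The socket path and the /secrets/<name> URL layout come from the test; the function names, the constructed sample replies and the transport parameter are this example's own.

```python
"""Talk to the sssd-secrets responder over its Unix socket without curl.

Added example, not code from the bug report or from SSSD. The socket path
and the /secrets/<name> URL layout are taken from the quick test; the
function names and the sample replies below are this example's own.
"""
import json
import os
import socket

SECRETS_SOCKET = "/var/run/secrets.socket"  # path used by the test

# Constructed sample replies, modelled on what curl printed in the test.
SAMPLE_FOUND = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    b'{\n"type": "simple",\n"value": "foosecret"\n}'
)
SAMPLE_NOT_FOUND = (
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<html>\n<head>\n<title>404 Not Found</title></head>\n<body>\n"
    b"<h1>Not Found</h1>\n<p>The requested resource was not found.</p>\n</body>"
)


def build_request(method, name, value=None):
    """Return raw HTTP/1.1 request bytes for one secrets operation.

    PUT stores {"type": "simple", "value": value} under /secrets/<name>,
    as the curl -XPUT in the test does; GET and DELETE carry no body.
    """
    body = b""
    if method == "PUT":
        body = json.dumps({"type": "simple", "value": value}).encode()
    head = (
        f"{method} /secrets/{name} HTTP/1.1\r\n"
        "Host: localhost\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode() + body


def parse_response(raw):
    """Split a raw HTTP reply into (status code, body).

    The body is decoded as JSON when it is JSON (a GET that found the
    secret); otherwise the text is returned as-is (the HTML status pages
    the responder sends for 200 on PUT and for 404).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode()
    status = int(status_line.split()[1])
    text = body.decode()
    try:
        return status, json.loads(text)
    except ValueError:
        return status, text


def exchange(request, path=SECRETS_SOCKET):
    """Send one request to the responder's Unix socket, return the raw reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5.0)
        s.connect(path)
        s.sendall(request)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # responder kept the connection open; use what arrived
    return b"".join(chunks)


def get_secret(name, transport=exchange):
    """Return the stored value, or None when the responder answers 404.

    Secrets are per user (the test shows root getting 404 for a secret the
    ubuntu user stored), so 404 means "nothing under this name for the
    caller", not necessarily that the name was never stored by anyone.
    `transport` maps request bytes to reply bytes; it is a parameter so
    the function can be exercised without the live socket.
    """
    status, payload = parse_response(transport(build_request("GET", name)))
    if status == 404:
        return None
    if status != 200 or not isinstance(payload, dict):
        raise RuntimeError(f"unexpected reply {status}: {payload!r}")
    return payload.get("value")


def put_secret(name, value, transport=exchange):
    """Store a simple secret; return True on a 200 reply."""
    status, _ = parse_response(transport(build_request("PUT", name, value)))
    return status == 200


if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    print(get_secret("foo", transport=lambda req: SAMPLE_FOUND))      # foosecret
    print(get_secret("foo", transport=lambda req: SAMPLE_NOT_FOUND))  # None
    # Live round trip, only when the responder's socket is present.
    if os.path.exists(SECRETS_SOCKET):
        print("stored:", put_secret("foo", "foosecret"))
        print("read back:", get_secret("foo"))
```

Run as a script it first exercises the parser on the constructed replies and then, only if /var/run/secrets.socket exists, stores and reads back "foo" as the invoking user; running the read-back step under sudo reproduces the 404 from the test, since the responder answers for root's namespace, not the original user's.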
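In the extended test, the check that a KCM credential cache shows up in secrets.ldb after kinit and is gone after kdestroy is done by reading the ldbsearch output. The Python below, added here as an example and not code from the bug report or from SSSD, scripts that check: it parses the LDIF that ldbsearch prints, picks out the per-UID persistent ccache entries beneath cn=ccache,cn=<uid>,cn=persistent,cn=kcm, and cross-checks the record count against the "# N entries" summary line. The database path, DN layout and the sample output are copied from the test; the function names are this example's own, and live_ccaches assumes ldbsearch is installed and is run with root privileges, as in the test.

```python
"""Check the sssd-secrets database for persistent KCM credential caches.

Added example, not code from the bug report or from SSSD. The database
path, DN layout and sample output come from the extended test; the
function names are this example's own.
"""
import re
import subprocess

SECRETS_LDB = "/var/lib/sss/secrets/secrets.ldb"  # path used by the test

# Constructed sample: the two records ldbsearch printed after kinit in the test.
SAMPLE_AFTER_KINIT = """\
# record 1
dn: cn=3615a3ca-b857-4ee6-ae70-3a82485276b3-1000,cn=ccache,cn=1000,cn=persistent,cn=kcm

# record 2
dn: cn=ccache,cn=1000,cn=persistent,cn=kcm

# returned 2 records
# 2 entries
# 0 referrals
"""

# Constructed sample: what ldbsearch printed after kdestroy in the test.
SAMPLE_AFTER_KDESTROY = """\
# returned 0 records
# 0 entries
# 0 referrals
"""


def parse_ldb_records(text):
    """Return a list of {attr: [values]} dicts, one per LDIF record.

    ldbsearch prints LDIF: records are separated by blank lines, lines
    starting with '#' are comments, and 'attr: value' lines belong to the
    current record.
    """
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def kcm_ccaches(text, uid):
    """Return the DNs of persistent KCM ccache entries stored for one UID.

    The container 'cn=ccache,cn=<uid>,cn=persistent,cn=kcm' itself is
    skipped; only its children (one per stored credential cache) count.
    """
    container = f"cn=ccache,cn={uid},cn=persistent,cn=kcm"
    return [
        rec["dn"][0]
        for rec in parse_ldb_records(text)
        if "dn" in rec and rec["dn"][0].endswith("," + container)
    ]


def ccache_count_summary(text):
    """Return (records parsed, count ldbsearch reported in '# N entries')."""
    m = re.search(r"^# (\d+) entries", text, re.M)
    reported = int(m.group(1)) if m else None
    return len(parse_ldb_records(text)), reported


def live_ccaches(uid, db=SECRETS_LDB):
    """Run the test's ldbsearch command against the real database (needs root)."""
    out = subprocess.run(
        ["ldbsearch", "-H", db, "cn"], check=True, capture_output=True, text=True
    ).stdout
    return kcm_ccaches(out, uid)


if __name__ == "__main__":
    # Offline demonstration on the samples: one ccache after kinit, none after kdestroy.
    print(kcm_ccaches(SAMPLE_AFTER_KINIT, 1000))     # one DN under cn=ccache,cn=1000,...
    print(kcm_ccaches(SAMPLE_AFTER_KDESTROY, 1000))  # []
```

To reproduce the test's before/after check on a live system, run `sudo python3 -c 'import kcmcheck; print(kcmcheck.live_ccaches(1000))'` (module name assumed) once after kinit and once after kdestroy; a non-empty list followed by an empty one is the expected result.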
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1754365

Title:
  [FFe]: Enable sssd-secrets service

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1754365/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs