I don't know why krb5_validate is false by default. I thought it was
historical or (dubiously) to make setting up easier, but I did some
tests and found, to my surprise, that even with it not set, I could not
log in without an /etc/krb5.keytab file.

In particular, I tried all 6 combinations of krb5_validate {set or not
set} and /etc/krb5.keytab being { empty, valid, valid but for a
different KDC }. I found that I could never log in without some
/etc/krb5.keytab. With a valid (but inconsistent with the actual
responding Kerberos server) key, it required that the flag not be set in
order to log in (this is the scenario for an attacker). With the correct
/etc/krb5.keytab you could log in regardless of krb5_validate.

So it sounds as if sssd overrides verify_ap_req_nofail to true even if
krb5_validate is false, which is surprising.

So the only breaking case I see of having krb5_validate default on would
be if the system has an /etc/krb5.conf from a different Kerberos system,
which seems unlikely.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1777776

Title:
  Ubuntu documentation for sssd/kerberos does not authenticate
  authentication server


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
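As an added example (not code from this thread or from the SSSD project): a small POSIX shell audit that reads sssd.conf text, reports what krb5_validate is set to in a given [domain/...] section, and shows the weak configuration (option left at its default) beside the corrected one (krb5_validate = true with an explicit krb5_keytab). The option names are real sssd.conf keys; the domain name, realm, KDC hostname and the helper function names are assumptions constructed for the example. The keytab check only lists principals when klist (MIT Kerberos) is installed, since the thread found that no login works without a keytab at all and that validation only helps when the keytab holds the key the real KDC knows.

```shell
#!/bin/sh
# Added example: not code from the bug thread or from the SSSD project.
# It audits sssd.conf text for krb5_validate in a [domain/NAME] section and
# shows the weak configuration beside the corrected one. The option names
# (krb5_validate, krb5_keytab, auth_provider, ...) are real sssd.conf keys;
# the realm, hostnames and domain name below are constructed for illustration.

# Constructed sample 1: krb5_validate is not set, so it takes the default,
# which the thread reports as false.
WEAK_CONF='[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ldap
auth_provider = krb5
krb5_server = kdc.example.test
krb5_realm = EXAMPLE.TEST'

# Constructed sample 2: the corrected form. The TGT returned by the KDC is
# checked against the host key in the keytab, so a rogue KDC that does not
# hold that key cannot grant a login.
GOOD_CONF='[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ldap
auth_provider = krb5
krb5_server = kdc.example.test
krb5_realm = EXAMPLE.TEST
krb5_validate = true
krb5_keytab = /etc/krb5.keytab'

# check_domain_validate CONF_TEXT DOMAIN
# Prints the lowercased value of krb5_validate from [domain/DOMAIN],
# or "unset" when that section does not set it (last assignment wins).
check_domain_validate() {
    printf '%s\n' "$1" | awk -v want="domain/$2" '
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/[]][[:space:]]*$/, "", sec)
            insec = (sec == want)
            next
        }
        insec && /^[[:space:]]*krb5_validate[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]*$/, "", val)
            found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    '
}

# validate_enabled CONF_TEXT DOMAIN
# Exit 0 only when krb5_validate is explicitly true for that domain.
validate_enabled() {
    [ "$(check_domain_validate "$1" "$2")" = "true" ]
}

# keytab_usable [PATH]
# Checks that a non-empty keytab exists (the thread found no login works
# without one) and, when MIT klist is installed, lists its principals so an
# operator can confirm the host key for the real KDC is present.
keytab_usable() {
    kt="${1:-/etc/krb5.keytab}"
    [ -s "$kt" ] || { echo "no keytab at $kt" >&2; return 1; }
    if command -v klist >/dev/null 2>&1; then
        klist -k -t "$kt"
    fi
}

# Demonstration: prints the verdict for both constructed samples.
for name in WEAK_CONF GOOD_CONF; do
    eval "conf=\$$name"
    printf '%s: krb5_validate=%s\n' "$name" \
        "$(check_domain_validate "$conf" example.test)"
done
```

Run it as a script to print the verdict for both samples, or source it and call validate_enabled with the contents of your own sssd.conf and domain name; a nonzero exit means that domain is relying on the default rather than validating the TGT against its keytab.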