[RFE] SSSD, Group accounts, Kerberos, and prompt_principal #5292

Closed
thalman opened this issue Aug 25, 2020 · 2 comments

thalman commented Aug 25, 2020

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1623624

Created attachment 1479559
Video demonstrating login process

Description of problem:
I'm looking for a way to emulate the existing group account login system we are
using within SSSD.

I believe this is an RFE as the features do not exist currently within SSSD


Version-Release number of selected component (if applicable): sssd-2.0


How Reproducible: Always

Steps to Reproduce:
These are the things that I'd like to perform.
 1. Able to do local login with user "testuser" and a local password
 2. Able to do a local login/unlock screen for user "testuser" using the
Kerberos Principal and Kerberos Password of a third party (Kerberos Principal
must be in ~/.k5login)
 3. Able to do a local login/unlock screen for user "testuser" using the
Kerberos Principal and Kerberos Password of a different person (Kerberos
Principal must be in ~/.k5login)
 4. Able to do a local login/unlock screen for user "testuser" via PKinit of a
smartcard for a Kerberos Principal of yet another different person (Kerberos
Principal must be in ~/.k5login)

Removal of user from ~/.k5login revokes their login/unlock access.

Attached video demonstrates steps 1-3 on the alternate pam_krb5

Actual Results:
I find no clear way to configure SSSD to support Steps 2-4


Expected Results:
Able to set up these complex login methods (SSSD already supports #1).
After login the user receives their own kerberos ticket and not the ticket of a
previous user.
Kerberos ticket is stored according to default_ccache_name (or setting from
pam_env KRB5CCNAME) from krb5.conf/[libdefaults]


Additional Information:

Features provided by:
 https://www.eyrie.org/~eagle/software/pam-krb5/

Builds off of:
 https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html
 https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_pkinit.html
 https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html
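
The authorization rule requested above (a principal may log in to or unlock the shared account only while it is listed in that account's ~/.k5login) sketched as an added example; it is not code from the issue, SSSD, or pam-krb5. The function names, the sample principals and the file-trust policy (regular file, owned by the account or root, not group/world-writable, deny when missing) are assumptions of the example.

```python
import os
import stat
import tempfile


def load_k5login(path, account_uid):
    """Return the set of principals listed in a .k5login file, or None if
    the file is missing or cannot be trusted."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse a symlinked file
    except OSError:
        return None
    with os.fdopen(fd, "r", encoding="utf-8") as fh:
        st = os.fstat(fh.fileno())  # inspect the file actually opened, not the path
        # Assumed policy: regular file, owned by the account or root,
        # and not writable by group or others.
        if not stat.S_ISREG(st.st_mode):
            return None
        if st.st_uid not in (account_uid, 0):
            return None
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return None
        # One principal per line; blank lines are ignored.
        return {line.strip() for line in fh if line.strip()}


def may_login(principal, k5login_path, account_uid):
    """True only if the already-authenticated principal is listed for the
    account. A missing or untrusted file denies access (fail closed)."""
    allowed = load_k5login(k5login_path, account_uid)
    return allowed is not None and principal in allowed


if __name__ == "__main__":
    # Constructed sample: a temporary "home directory" for the shared account.
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".k5login")
        with open(path, "w") as fh:
            fh.write("alice@EXAMPLE.COM\nbob@EXAMPLE.COM\n")
        os.chmod(path, 0o600)
        uid = os.getuid()
        for who in ("alice@EXAMPLE.COM", "carol@EXAMPLE.COM"):
            print(who, may_login(who, path, uid))
```

The check runs after the principal has proven its identity by password or PKINIT; it decides only whether that identity may use the shared account, so deleting a line from the file revokes access at the next login or unlock.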

yrro commented Apr 27, 2022

Dupe of #5293

andreboscatto closed this as not planned Jul 31, 2023

@andreboscatto

Closed as Duplicate of #5293
