Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1623624
Created attachment 1479559
Video demonstrating login process
Description of problem:
I'm looking for a way to emulate the existing group account login system we are
using within SSSD.
I believe this is an RFE as the features do not exist currently within SSSD.
Version-Release number of selected component (if applicable): sssd-2.0
How Reproducible: Always
Steps to Reproduce:
These are the things that I'd like to perform.
1. Able to do local login with user "testuser" and a local password
2. Able to do a local login/unlock screen for user "testuser" using the
Kerberos Principal and Kerberos Password of a third party (Kerberos Principal
must be in ~/.k5login)
3. Able to do a local login/unlock screen for user "testuser" using the
Kerberos Principal and Kerberos Password of a different person (Kerberos
Principal must be in ~/.k5login)
4. Able to do a local login/unlock screen for user "testuser" via PKinit of a
smartcard for a Kerberos Principal of yet another different person (Kerberos
Principal must be in ~/.k5login)
Removal of user from ~/.k5login revokes their login/unlock access.
Attached video demonstrates steps 1-3 on the alternate pam_krb5.
Actual Results:
I find no clear way to configure SSSD to support Steps 2-4.
Expected Results:
Able to set up these complex login methods (SSSD already supports #1).
After login the user receives their own Kerberos ticket and not the ticket of a
previous user.
Kerberos ticket is stored according to default_ccache_name (or setting from
pam_env KRB5CCNAME) from krb5.conf/[libdefaults].
Additional Information:
Features provided by:
https://www.eyrie.org/~eagle/software/pam-krb5/
Builds off of:
https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html
https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_pkinit.html
https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html
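
The ~/.k5login rule that steps 2-4 and the revocation line depend on, as an added example that is not part of the original ticket and is not SSSD or pam-krb5 code. It assumes krb5_kuserok-style semantics (one principal per line, file owned by the account or root, only the default principal accepted when the file is absent); the function names, realm and principals are hypothetical.

```python
import os


def parse_k5login(text):
    """One principal per line; blank lines and surrounding whitespace are ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def may_login_as(principal, local_user, home, uid, default_realm):
    """Decide whether `principal` may log in to the local account `local_user`.

    Assumed rule: with no ~/.k5login only local_user@default_realm is
    accepted; with one, only the principals it lists are accepted, and the
    file must be owned by the account (uid) or by root.
    """
    path = os.path.join(home, ".k5login")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # No file: fall back to the default principal for the account.
        return principal == f"{local_user}@{default_realm}"
    if st.st_uid not in (uid, 0):
        # A file someone else owns could grant access the account never
        # approved, so fail closed.
        return False
    with open(path, encoding="utf-8") as fh:
        return principal in parse_k5login(fh.read())


if __name__ == "__main__":
    import tempfile

    home = tempfile.mkdtemp()                 # constructed stand-in for ~testuser
    uid, realm = os.getuid(), "EXAMPLE.TEST"  # constructed realm
    with open(os.path.join(home, ".k5login"), "w", encoding="utf-8") as fh:
        fh.write("alice@EXAMPLE.TEST\nbob/admin@EXAMPLE.TEST\n")
    for p in ("alice@EXAMPLE.TEST", "carol@EXAMPLE.TEST", "testuser@EXAMPLE.TEST"):
        print(p, may_login_as(p, "testuser", home, uid, realm))
```

Once the file exists, the account's own default principal is accepted only if it is listed too, and deleting a line is what revokes that person's login and unlock access.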