MIT Kerberos PR krb5/krb5#1359 adds support for running a KDC locally, accessible only over a UNIX domain socket. The SSSD krb5 auth provider cannot currently accept a UNIX domain socket path as the address of a KDC.
You can use COPR asn/localkdc to test SSSD changes against. This COPR repository provides a custom MIT Kerberos build (as well as a Samba build that supports IAKERB with local KDCs, but this is unrelated to UNIX domain socket support) and a localkdc package that allows easy setup of the local KDC. The latter currently requires SELinux permissive mode (just a warning, as we are working on the policy extensions).
```
root@sambakdc:~# dnf install localkdc
[...]
root@sambakdc:~# localkdc-setup
[...]
Successfully set up localkdc
root@sambakdc:~# localkdc-kadmin
Authenticating as principal root/admin@SAMBAKDC.LOCALKDC.SITE with password.
kadmin.local: add_principal asn
No policy specified for asn@SAMBAKDC.LOCALKDC.SITE; defaulting to no policy
Enter password for principal "asn@SAMBAKDC.LOCALKDC.SITE":
Re-enter password for principal "asn@SAMBAKDC.LOCALKDC.SITE":
Principal "asn@SAMBAKDC.LOCALKDC.SITE" created.
kadmin.local:
root@sambakdc:~# systemctl start localkdc.socket
```
As a user, get the krbtgt and connect:
```
$ kinit asn@SAMBAKDC.LOCALKDC.SITE
```
I guess there are still a few cases where krb5_server might be inserted into the KDC info, for example if somebody does not set krb5_use_kdcinfo = false. I think it would be nice to change the SSSD code to automatically derive the right settings in case auth_provider = krb5 and krb5_server is set to a UNIX domain socket path.
Another part is to make sure a password change works properly as well -- I haven't tried that yet.
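The comment above proposes that SSSD derive the right settings itself when krb5_server points at a UNIX domain socket. The following is an added illustration of that reconciliation logic, written for this page and not taken from SSSD or from the localkdc project. It assumes that a socket KDC is written as an absolute filesystem path (anything else is treated as a host[:port] entry), that krb5_server may be a comma-separated list as it is in sssd.conf, and that the kdcinfo files SSSD writes for libkrb5 can only carry host:port addresses, so krb5_use_kdcinfo must be forced off whenever a socket path is present. The socket path and host names used in main() are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result of reconciling [domain] options; not an SSSD structure. */
struct krb5_derived {
    bool use_kdcinfo;   /* effective krb5_use_kdcinfo after reconciliation */
    int  unix_sockets;  /* krb5_server entries that look like socket paths */
    int  host_entries;  /* krb5_server entries that look like host[:port] */
};

/* Assumption for this example: a UNIX domain socket KDC is an absolute path. */
static bool is_unix_socket_path(const char *s, size_t len)
{
    return len > 0 && s[0] == '/';
}

/*
 * Walk a comma-separated krb5_server value and classify each entry.
 * Returns 0 on success, -1 on NULL input or when no usable entry is found.
 * Whitespace around entries is ignored and empty entries are skipped.
 */
int derive_krb5_settings(const char *krb5_server, bool use_kdcinfo_cfg,
                         struct krb5_derived *out)
{
    if (krb5_server == NULL || out == NULL)
        return -1;

    out->use_kdcinfo = use_kdcinfo_cfg;
    out->unix_sockets = 0;
    out->host_entries = 0;

    const char *p = krb5_server;
    while (*p != '\0') {
        while (*p == ' ' || *p == '\t')        /* skip leading blanks */
            p++;
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        while (len > 0 && (p[len - 1] == ' ' || p[len - 1] == '\t'))
            len--;                              /* trim trailing blanks */
        if (len > 0) {
            if (is_unix_socket_path(p, len))
                out->unix_sockets++;
            else
                out->host_entries++;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }

    if (out->unix_sockets == 0 && out->host_entries == 0)
        return -1;

    /* A socket path cannot be expressed in a kdcinfo file (host:port only),
     * so the configured krb5_use_kdcinfo value is overridden to false. */
    if (out->unix_sockets > 0)
        out->use_kdcinfo = false;

    return 0;
}

/* Convenience wrapper: 1 = use kdcinfo, 0 = do not, -1 = invalid krb5_server. */
int effective_use_kdcinfo(const char *krb5_server, bool use_kdcinfo_cfg)
{
    struct krb5_derived d;
    if (derive_krb5_settings(krb5_server, use_kdcinfo_cfg, &d) != 0)
        return -1;
    return d.use_kdcinfo ? 1 : 0;
}

/* Number of socket-path entries, or -1 if krb5_server is invalid. */
int count_unix_socket_kdcs(const char *krb5_server)
{
    struct krb5_derived d;
    if (derive_krb5_settings(krb5_server, true, &d) != 0)
        return -1;
    return d.unix_sockets;
}

int main(void)
{
    /* Constructed sample values; the socket path is an assumption. */
    const char *samples[] = {
        "/run/krb5kdc/socket",
        "kdc1.example.com, kdc2.example.com:88",
        "",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("krb5_server=\"%s\": use_kdcinfo=%d unix_sockets=%d\n",
               samples[i],
               effective_use_kdcinfo(samples[i], true),
               count_unix_socket_kdcs(samples[i]));
    }
    return 0;
}
```

The override only fires when a socket entry is actually present, so an existing host:port deployment keeps whatever krb5_use_kdcinfo the administrator configured; mixed lists are counted separately so a caller can decide whether to reject them or prefer the local socket.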