
Support access to Kerberos KDC over UNIX domain socket #7723

Open
abbra opened this issue Nov 27, 2024 · 2 comments

Comments

abbra commented Nov 27, 2024

MIT Kerberos PR krb5/krb5#1359 adds support for running a KDC locally, accessible only over a UNIX domain socket. The SSSD krb5 auth provider cannot currently accept a UNIX domain socket path as the address of a KDC.

You can use COPR asn/localkdc to test SSSD changes against. This COPR repository provides a custom MIT Kerberos build (as well as a Samba build that supports IAKERB with local KDCs, but this is unrelated to UNIX domain socket support) and a localkdc package that allows easy setup of the local KDC. The latter currently requires SELinux permissive mode (just a warning, as we are working on the policy extensions).

@cryptomilk (Contributor) commented:

```console
root@sambakdc:~# dnf install localkdc
[...]
root@sambakdc:~# localkdc-setup
[...]
Successfully set up localkdc

root@sambakdc:~# localkdc-kadmin
Authenticating as principal root/admin@SAMBAKDC.LOCALKDC.SITE with password.
kadmin.local:  add_principal asn
No policy specified for asn@SAMBAKDC.LOCALKDC.SITE; defaulting to no policy
Enter password for principal "asn@SAMBAKDC.LOCALKDC.SITE":
Re-enter password for principal "asn@SAMBAKDC.LOCALKDC.SITE":
Principal "asn@SAMBAKDC.LOCALKDC.SITE" created.
kadmin.local:

root@sambakdc:~# systemctl start localkdc.socket
```

As a user, get a krbtgt and connect:

```console
$ kinit asn@SAMBAKDC.LOCALKDC.SITE
```

abbra commented Jan 26, 2025

So I've got an unmodified SSSD to work with a UNIX domain socket-based KDC.
My current configuration of a domain boils down to the following setup:

```ini
[domain/localkdc]
    pam_gssapi_check_upn = False
    krb5_use_kdcinfo = false
    id_provider = proxy
    proxy_lib_name = files
    auth_provider = krb5
    krb5_server = /run/localkdc/kdc.sock
    krb5_realm = %REALM%
    krb5_keytab = /etc/krb5.keytab
```

I guess there are still a few cases where krb5_server might be inserted into KDC info, for example, if somebody does not put krb5_use_kdcinfo = false. I think it would be nice to change the SSSD code to automatically derive the right settings in case auth_provider = krb5 and krb5_server is set to a UNIX domain socket path.

Another part is to make sure a password change works properly as well -- haven't tried that yet.
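A small configuration check in the spirit of the automatic derivation suggested above, added here as an example and not code from SSSD or localkdc: it parses a domain section with Python's configparser and, when krb5_server is a UNIX socket path, flags krb5_use_kdcinfo left at its default, an auth_provider other than krb5, and a path that is not a live socket. The sample config, realm and socket path are constructed for the demo.

```python
import configparser
import os
import stat

# Constructed sample, not the issue's exact file: krb5_server is a socket
# path but krb5_use_kdcinfo is left at its default (true), which the
# comment above identifies as the case where the path may end up in kdcinfo.
SAMPLE_SSSD_CONF = """
[domain/localkdc]
    auth_provider = krb5
    id_provider = proxy
    proxy_lib_name = files
    krb5_server = /run/localkdc/kdc.sock
    krb5_realm = EXAMPLE.TEST
    krb5_keytab = /etc/krb5.keytab
"""


def is_socket_path(value: str) -> bool:
    """A krb5_server entry is a UNIX socket path when it is absolute; host:port is not."""
    return value.startswith("/")


def lint_domain(conf_text: str, domain: str) -> list[str]:
    """Return findings for [domain/NAME]; an empty list means the section is consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sect = cp[f"domain/{domain}"]
    servers = [s.strip() for s in sect.get("krb5_server", "").split(",") if s.strip()]
    sock_paths = [s for s in servers if is_socket_path(s)]
    findings: list[str] = []
    if not sock_paths:
        return findings  # host:port KDCs: the kdcinfo mechanism applies as usual
    if sect.get("auth_provider", "").strip().lower() != "krb5":
        findings.append("krb5_server is a socket path but auth_provider is not krb5")
    # SSSD defaults krb5_use_kdcinfo to true; with a socket path it must be false.
    if sect.getboolean("krb5_use_kdcinfo", fallback=True):
        findings.append("set krb5_use_kdcinfo = false: socket path would be written to kdcinfo")
    for path in sock_paths:
        try:
            if not stat.S_ISSOCK(os.stat(path).st_mode):
                findings.append(f"{path} exists but is not a UNIX domain socket")
        except OSError as exc:
            findings.append(f"{path} not accessible ({exc.strerror}); is the KDC socket unit started?")
    return findings


if __name__ == "__main__":
    for finding in lint_domain(SAMPLE_SSSD_CONF, "localkdc"):
        print("WARN:", finding)
```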
