Hi,
I've got a question that seems pretty trivial to me so it feels like I'm missing something obvious.
I know that there are different provider types: id, auth, chpass, access (and maybe others)
But what I don't quite understand is what they actually do. The documentation says:
id -> "The identification provider"
auth -> "The authentication provider"
access -> "The access control provider"
chpass -> "The provider which should handle change password operations for the domain."
(The first three are not very helpful ;-) )
I understand chpass and I can make a guess about the others but I'm not sure:
id: Just returns information about some object
auth: Validates credentials for an object
access: Checks authorization?
But I'm very vague on the details. Is there any more information I can refer to? What are the differences/can anyone point me at an API description or some other documentation?
One very specific question for example: What does the krb5 auth mean? Does it retrieve a ticket and try to decrypt that?
Thank you!
Cheers, Lars
On Mon, Jan 6, 2020 at 10:25 AM Lars Francke lars.francke@gmail.com wrote:
> Hi,
> I've got a question that seems pretty trivial to me so it feels like I'm missing something obvious.
> I know that there are different provider types: id, auth, chpass, access (and maybe others)
> But what I don't quite understand is what they actually do. The documentation says:
> id -> "The identification provider"
> auth -> "The authentication provider"
> access -> "The access control provider"
> chpass -> "The provider which should handle change password operations for the domain."
> (The first three are not very helpful ;-) )
> I understand chpass and I can make a guess about the others but I'm not sure:
> id: Just returns information about some object
With the caveat that I am not an sssd developer and the following information is from my own understanding only:
The id provider is the backend that sssd uses to provide identity information.
The most common instance where identity information is required is the (getpwnam, getpwuid, getgrnam, getgrgid) glibc library functions. When /etc/nsswitch.conf contains:
passwd: sss files systemd
group:  sss files systemd
…then these glibc library functions will first call sssd to attempt to look up users/uids/groups/gids. The mechanism that sssd uses to perform the resolution is determined by the “id_provider” setting and the various options that the selected id provider mechanism supports.
As another example, if you are using NFSv4 with RPCSEC_GSS authentication, and /etc/idmapd.conf contains:
[Translation]
Method = sss
…then rpc.idmapd(8) will call sssd in order to translate between NFSv4 symbolic names (what the NFSv4 protocol uses on the wire when RPCSEC_GSS is in use) and uids/gids.
> auth: Validates credentials for an object
The auth provider is the backend that sssd uses to provide PAM “auth” module services for applications that are configured to call pam_sss.so in the PAM auth stack. E.g.:
auth required pam_sss.so
There may be other instances where sssd is called upon to provide authentication services, but I’m not coming up with any off the top of my head. (The PAM auth stack is the most common case.)
> access: Checks authorization?
The access provider is the backend that sssd uses to provide PAM “account” module services for applications that are configured to call pam_sss.so in the PAM account stack. E.g.:
account required pam_sss.so
> But I'm very vague on the details. Is there any more information I can refer to?
The sssd man pages, most specifically sssd.conf(5), are good places to start.
> What are the differences/can anyone point me at an API description or some other documentation?
Try:
https://docs.pagure.org/SSSD.sssd/developers/internals.html
…and the pages that are in the navigation column on the left of the above page.
> One very specific question for example: What does the krb5 auth mean? Does it retrieve a ticket and try to decrypt that?
Setting “auth_provider = krb5” means that sssd will attempt Kerberos authentication if sssd is called upon to authenticate a user, such as when pam_sss.so is called in the PAM auth stack for an application.
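As an added illustration (my own example, not code from the thread or from the sssd project): a check over constructed sample copies of nsswitch.conf, a PAM stack and idmapd.conf that reports which sssd provider each consumer actually reaches, following James's mapping (NSS lookups and rpc.idmapd reach the id provider, the PAM auth stack the auth provider, the PAM account stack the access provider; mapping the PAM password stack to the chpass provider is my assumption from the documented "change password" role). A provider missing from the result is configured in sssd.conf but never consulted, which is the case to look for when an access_provider rule seems to have no effect.

```python
import configparser
# Constructed sample configuration, not taken from any real host.
NSSWITCH_CONF = "passwd: sss files systemd\ngroup:  sss files systemd\nshadow: files sss\n"
PAM_SYSTEM_AUTH = """\
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
"""
IDMAPD_CONF = "[General]\nDomain = example.com\n\n[Translation]\nMethod = sss\n"

# PAM module type -> the sssd provider pam_sss.so consults for that stack (password -> chpass is assumed)
PAM_TYPE_TO_PROVIDER = {"auth": "auth_provider", "account": "access_provider",
                        "password": "chpass_provider"}

def nss_databases_using_sss(text):
    """NSS database -> position of 'sss' in its source list (0 = consulted first)."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, sources = line.split(":", 1)
            if "sss" in sources.split():
                found[db.strip()] = sources.split().index("sss")
    return found

def pam_types_calling_sss(text):
    """PAM module types (auth/account/password/session) whose stack calls pam_sss.so."""
    types = set()
    for fields in (line.split() for line in text.splitlines()):
        if fields and not fields[0].startswith("#") and "pam_sss.so" in fields:
            types.add(fields[0].lstrip("-"))  # a leading '-' marks an optional module
    return types

def idmapd_uses_sss(text):
    """True if rpc.idmapd translates NFSv4 names via sssd ([Translation] Method)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    methods = cfg.get("Translation", "Method", fallback="").lower().split(",")
    return "sss" in [m.strip() for m in methods]

def sssd_providers_exercised(nss_text, pam_text, idmapd_text):
    """Provider -> consumers that reach it; a provider missing here is configured but never consulted."""
    roles = {}
    for db in nss_databases_using_sss(nss_text):
        roles.setdefault("id_provider", []).append(f"nss:{db}")
    if idmapd_uses_sss(idmapd_text):
        roles.setdefault("id_provider", []).append("idmapd")
    for pam_type in pam_types_calling_sss(pam_text):
        if pam_type in PAM_TYPE_TO_PROVIDER:
            roles.setdefault(PAM_TYPE_TO_PROVIDER[pam_type], []).append(f"pam:{pam_type}")
    return {p: sorted(c) for p, c in roles.items()}
```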
James, thank you for the prompt and detailed response! Answers/questions inline.
On Tue, Jan 7, 2020 at 6:39 AM James Ralston ralston@pobox.com wrote:
> On Mon, Jan 6, 2020 at 10:25 AM Lars Francke lars.francke@gmail.com wrote:
> > Hi,
> > I've got a question that seems pretty trivial to me so it feels like I'm missing something obvious.
> > I know that there are different provider types: id, auth, chpass, access (and maybe others)
> > But what I don't quite understand is what they actually do. The documentation says:
> > id -> "The identification provider"
> > auth -> "The authentication provider"
> > access -> "The access control provider"
> > chpass -> "The provider which should handle change password operations for the domain."
> > (The first three are not very helpful ;-) )
> > I understand chpass and I can make a guess about the others but I'm not sure:
> > id: Just returns information about some object
> With the caveat that I am not an sssd developer and the following information is from my own understanding only:
> The id provider is the backend that sssd uses to provide identity information.
> The most common instance where identity information is required is the (getpwnam, getpwuid, getgrnam, getgrgid) glibc library functions. When /etc/nsswitch.conf contains:
> passwd: sss files systemd
> group:  sss files systemd
> …then these glibc library functions will first call sssd to attempt to look up users/uids/groups/gids. The mechanism that sssd uses to perform the resolution is determined by the “id_provider” setting and the various options that the selected id provider mechanism supports.
> As another example, if you are using NFSv4 with RPCSEC_GSS authentication, and /etc/idmapd.conf contains:
> [Translation]
> Method = sss
> …then rpc.idmapd(8) will call sssd in order to translate between NFSv4 symbolic names (what the NFSv4 protocol uses on the wire when RPCSEC_GSS is in use) and uids/gids.
Makes sense, thank you.
> > auth: Validates credentials for an object
> The auth provider is the backend that sssd uses to provide PAM “auth” module services for applications that are configured to call pam_sss.so in the PAM auth stack. E.g.:
> auth required pam_sss.so
> There may be other instances where sssd is called upon to provide authentication services, but I’m not coming up with any off the top of my head. (The PAM auth stack is the most common case.)
Okay, and I assume that this sometimes relies on the id_provider for some information.
> > access: Checks authorization?
> The access provider is the backend that sssd uses to provide PAM “account” module services for applications that are configured to call pam_sss.so in the PAM account stack. E.g.:
> account required pam_sss.so
> > But I'm very vague on the details. Is there any more information I can refer to?
> The sssd man pages, most specifically sssd.conf(5), are good places to start.
> > What are the differences/can anyone point me at an API description or some other documentation?
> Try:
> https://docs.pagure.org/SSSD.sssd/developers/internals.html
> …and the pages that are in the navigation column on the left of the above page.
> > One very specific question for example: What does the krb5 auth mean? Does it retrieve a ticket and try to decrypt that?
> Setting “auth_provider = krb5” means that sssd will attempt Kerberos authentication if sssd is called upon to authenticate a user, such as when pam_sss.so is called in the PAM auth stack for an application.
Yeah, but this I don't understand. Kerberos authentication is a pretty broad description. Does it just fetch a TGT? Because if Preauthentication is disabled in Kerberos then anyone can request one so that can't be sufficient. It also needs to try and decrypt it. Does it store it in the local ticket cache etc....
I looked at the man pages but there are no details to be found :(
Cheers, Lars
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On Thu, Jan 9, 2020 at 7:59 AM Lars Francke lars.francke@gmail.com wrote:
> > > auth: Validates credentials for an object
> > The auth provider is the backend that sssd uses to provide PAM “auth” module services for applications that are configured to call pam_sss.so in the PAM auth stack. E.g.:
> > auth required pam_sss.so
> > There may be other instances where sssd is called upon to provide authentication services, but I’m not coming up with any off the top of my head. (The PAM auth stack is the most common case.)
> Okay, and I assume that this sometimes relies on the id_provider for some information.
For the common case of using Kerberos for authentication and LDAP for identity, no. Unless you are performing PKINIT, all you need in order to perform Kerberos authentication is the principal to authenticate and the KDC servers to contact. You don’t need any information from LDAP.
> > > One very specific question for example: What does the krb5 auth mean? Does it retrieve a ticket and try to decrypt that?
> > Setting “auth_provider = krb5” means that sssd will attempt Kerberos authentication if sssd is called upon to authenticate a user, such as when pam_sss.so is called in the PAM auth stack for an application.
> Yeah, but this I don’t understand. Kerberos authentication is a pretty broad description.
Not really. Kerberos authentication means Kerberos authentication. There are multiple RFCs for it, starting with RFC1510 (now obsolete).
> Does it just fetch a TGT?
No; it performs an AS-REQ and decrypts the enc-part of the AS-REP in order to extract the session key and TGT.
This might help:
http://www.securityandit.com/network/kerberos-protocol-understanding/
> Because if Preauthentication is disabled in Kerberos then anyone can request one so that can’t be sufficient. It also needs to try and decrypt it.
That’s what the protocol requires, yes.
> Does it store it in the local ticket cache etc…
> I looked at the man pages but there are no details to be found :(
The sssd-krb5(5) man page describes the (many) options sssd has related to Kerberos credential caching, credential refreshing, et al. E.g.:
krb5_ccname_template (string)
krb5_lifetime (string)
krb5_renew_interval (string)
krb5_store_password_if_offline (boolean)
Is that documentation not sufficient to answer your questions?
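To make the answer to "does it just fetch a TGT?" concrete, here is an added model of the AS exchange; it is my own example, not sssd code and not real Kerberos crypto (seal/unseal are constructed stand-ins for the Kerberos enctypes, the KDC is an in-memory one with a constructed principal, and the function names are mine). It shows that the AS-REP's enc-part is encrypted under the user's long-term key, so the client only proves the password by decrypting it, and that with pre-authentication required the KDC refuses to issue an AS-REP at all until the client has demonstrated that key, which is the configuration that closes the gap Lars describes.

```python
import hashlib, hmac, secrets, time
REALM = "EXAMPLE.COM"

def string_to_key(password, salt):
    """Long-term key from password + salt, as Kerberos string-to-key does (PBKDF2 for AES enctypes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, data):
    """Encrypt-then-MAC stand-in for Kerberos EncryptedData (toy, constructed for this example)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Fails unless the caller holds the key the blob was sealed under."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("enc-part does not decrypt under this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed KDC state: one principal with a key derived from a password, plus the krbtgt key.
KDC_DB = {"lars@EXAMPLE.COM": string_to_key("correct horse", REALM + "lars")}
KRBTGT_KEY = secrets.token_bytes(32)

def kdc_as_exchange(principal, pa_enc_timestamp=None, require_preauth=False):
    """AS-REQ -> AS-REP. The enc-part (session key) is sealed under the principal's long-term key."""
    client_key = KDC_DB[principal]
    if require_preauth:  # PA-ENC-TIMESTAMP: no AS-REP is issued without proof of the key
        if pa_enc_timestamp is None:
            raise PermissionError("KDC_ERR_PREAUTH_REQUIRED")
        try:
            ts = int.from_bytes(unseal(client_key, pa_enc_timestamp), "big")
        except ValueError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED") from None
        if abs(time.time() - ts) > 300:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
    session_key = secrets.token_bytes(32)
    tgt = seal(KRBTGT_KEY, principal.encode() + session_key)  # opaque to the client
    return {"ticket": tgt, "enc_part": seal(client_key, session_key)}

def sssd_krb5_auth(principal, password, require_preauth=False):
    """What auth_provider = krb5 amounts to: AS-REQ, then prove the password by decrypting enc-part."""
    key = string_to_key(password, REALM + principal.split("@")[0])
    pa = seal(key, int(time.time()).to_bytes(8, "big")) if require_preauth else None
    rep = kdc_as_exchange(principal, pa, require_preauth)
    session_key = unseal(key, rep["enc_part"])  # a wrong password fails here, not at the KDC
    return session_key, rep["ticket"]
```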