I've been looking into using the sssd_krb5_localauth_plugin as part of a migration path off of pam_krb5. However, I noticed that the local provider appears to be leaving SSSD 2.0.
I've not fully gotten my head around how all the parts are inter-related, but is there a plan for what to do with this plugin's use of local IDs?
Pat
On Thu, Aug 23, 2018 at 10:29:29AM -0500, Pat Riehecky wrote:
> I've been looking into using the sssd_krb5_localauth_plugin as part of a migration path off of pam_krb5. However, I noticed that the local provider appears to be leaving SSSD 2.0.
> I've not fully gotten my head around how all the parts are inter-related, but is there a plan for what to do with this plugin's use of local IDs?
The localauth plugin and the local provider are not related.
The localauth plugin is needed to relate Kerberos principals 'somename@KERBEROS.REALM' to user names of the local system. If e.g. someone wants to log in via ssh with a valid Kerberos ticket to a system as user 'xyz', sshd on this system only sees the valid Kerberos ticket, which (typically) contains no information about local Linux users. To not allow anybody with a valid Kerberos ticket to log in as any user, sshd has to decide if a Kerberos ticket for the principal 'somename@KERBEROS.REALM' is allowed to log in as user 'xyz'.

For this sshd uses libkrb5, and by default libkrb5 strips the realm part of the principal and checks if the result matches the local user name. This works in many cases but fails in others. To make a mapping possible in more complex environments, SSSD tries to read the Kerberos principal of a user together with other data like shell and home directory from an LDAP server and makes the mapping between the user name and the principal available to libkrb5 with the help of the localauth plugin.
HTH
bye, Sumit
--
Pat Riehecky
Fermi National Accelerator Laboratory
www.fnal.gov www.scientificlinux.org
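The decision Sumit describes (sshd asking libkrb5 whether a ticket for 'somename@KERBEROS.REALM' may log in as 'xyz') can be modelled in a few lines. The following is an added example, not code from the SSSD project or from this thread: it puts the default realm-stripping rule next to an SSSD-style lookup of the principal stored on the user's directory entry. The realm name, the user names and the directory records are constructed sample data, and the attribute name krbPrincipalName and the "first resolver that answers wins" ordering are assumptions made for the model, not a description of libkrb5's plugin ordering.

```python
"""Model of the principal -> local user check that sshd delegates to libkrb5.

Added example, not code from SSSD or libkrb5.  It contrasts the default
realm-stripping rule with a directory-backed mapping of the kind the
sssd_krb5_localauth_plugin provides.  All data below is constructed.
"""
from typing import Callable, Optional

# Assumed default realm of the host (constructed value).
DEFAULT_REALM = "KERBEROS.REALM"

# Constructed sample of what SSSD would have read from LDAP: the local user
# name plus the Kerberos principal stored on the entry.  The attribute name
# krbPrincipalName is an assumption for this model.
DIRECTORY = [
    {"uid": "xyz", "krbPrincipalName": "somename@KERBEROS.REALM"},
    {"uid": "alice", "krbPrincipalName": "alice@KERBEROS.REALM"},
    {"uid": "bob", "krbPrincipalName": "robert.smith@OTHER.REALM"},
]

Resolver = Callable[[str], Optional[str]]


def split_principal(principal: str) -> tuple[list[str], str]:
    """Split 'comp1/comp2@REALM' into its components and realm.

    Quoting/escaping of '@' and '/' inside names is not handled here.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal: {principal!r}")
    return name.split("/"), realm


def default_an2ln(principal: str, default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Default rule: a single-component principal in the default realm maps to
    its name with the realm stripped.  A foreign realm or a multi-component
    name (e.g. host/www@REALM) has no translation and yields None."""
    components, realm = split_principal(principal)
    if realm != default_realm or len(components) != 1:
        return None
    return components[0]


def mapped_an2ln(principal: str, directory=DIRECTORY) -> Optional[str]:
    """Directory-backed mapping: find the entry whose stored principal equals
    the ticket's principal and return its local user name.

    The whole principal is compared, realm included.  Comparing only the name
    part would let 'alice@OTHER.REALM' log in as the local 'alice'.
    """
    for entry in directory:
        if entry["krbPrincipalName"] == principal:
            return entry["uid"]
    return None


def an2ln(principal: str, resolvers: list[Resolver]) -> Optional[str]:
    """Ask each resolver in turn; the first that answers decides (assumed ordering)."""
    for resolve in resolvers:
        local = resolve(principal)
        if local is not None:
            return local
    return None


def may_log_in(principal: str, requested_user: str, resolvers: list[Resolver]) -> bool:
    """sshd's question: may a ticket for `principal` log in as `requested_user`?

    It is not enough that the principal maps to *some* user; it must map to
    exactly the account being logged into.
    """
    local = an2ln(principal, resolvers)
    return local is not None and local == requested_user


if __name__ == "__main__":
    ticket = "somename@KERBEROS.REALM"
    print("default rule  ->", may_log_in(ticket, "xyz", [default_an2ln]))
    print("with mapping  ->", may_log_in(ticket, "xyz", [mapped_an2ln]))
    print("foreign realm ->", may_log_in("alice@OTHER.REALM", "alice", [mapped_an2ln, default_an2ln]))
```

The first line of output is the failure case from the thread: with only the default rule, 'somename@KERBEROS.REALM' becomes 'somename', which is not 'xyz', so the login is refused even though the directory says they are the same person. The mapping resolver fixes that, while a same-named principal from another realm is still refused because the comparison includes the realm.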