kerberos offline authentication doesn't work with pam_krb5

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

kerberos offline authentication doesn't work with pam_krb5

Post by jgauthier » 2020/03/10 20:47:59

Hello,

I have a problem that is related to another issue I posted here a few months ago (still not resolved: viewtopic.php?t=72255).

Long story short, I am unable to make sssd authentication work with Kerberos on CentOS 8 besides ssh connections. I mean, it works for ssh connection login but sudo and local X11 session login are not working when using Kerberos credentials (but for some reason it works flawlessly on CentOS 7).

So to make everything work on my CentOS 8 machines (ssh, sudo and local X session) I have to install a pam_krb5 rpm from CentOS 7, and by doing that everything was working fine until I discovered that the Kerberos credential caching is not working with this configuration. If the computer is offline there is no way to log in with the Kerberos password. I first thought it was a CentOS 8 issue related to the sssd problem, but to make sure I tried with one of my CentOS 7 machines and it turns out that the caching works just fine with sssd but as soon as I enable pam_krb5 it stops working too.

So I am in a frustrating situation in which sssd would solve the problem but is not working with CentOS 8, and caching is not working at all when I use pam_krb5 (neither on Cent 7 nor Cent 8). If I could either solve the sssd issue on Cent 8 or the pam_krb5 ccache problem I would be good, but so far I am out of luck for both.

For sssd I know we only need to put

default_ccache_name = KEYRING:persistent:%{uid}

in the krb5.conf and

cache_credentials = True
krb5_store_password_if_offline = True


in the sssd.conf (and it's working on my CentOS 7 machines) but I am not sure what I should do to make it work with pam_krb5. Is there anything special I need to do? By the way, to switch from sssd to pam_krb5 I just change this line in system-auth and password-auth:

auth sufficient pam_krb5.so forward_pass

I suspect the solution is somewhere in the pam.d but I am not sure. Any idea? Thanks a lot!

afewgoodman
Posts: 98
Joined: 2019/12/11 03:51:58

Re: kerberos offline authentication doesn't work with pam_krb5

Post by afewgoodman » 2020/03/11 08:05:42

Hi,

I think pam_krb5 would be deprecated in the RHEL7 and RHEL8.
BR.

jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos offline authentication doesn't work with pam_krb5

Post by jgauthier » 2020/03/11 14:39:32

Hi,

Yes, I know that, and it's why I have been trying to make sssd work with Kerberos on CentOS 8 for several months, but it doesn't work (besides for ssh connections). It's also why I had to install a pam_krb5 rpm that I found online. It's the only way I have to make my authentication system work, and I thought it would be good enough until I found this credential caching issue with pam_krb5.

I already wrote that in the other post but it doesn't make any sense to me that both pam_krb5 and sssd are working on CentOS 7 but pam_krb5 is deprecated and not available anymore on CentOS 8 but the service that is supposed to replace it (sssd) is no longer working!

I even tried to copy all the related files (sssd.conf, krb5.conf, system-auth, password-auth) from a sssd working CentOS 7 computer to a CentOS 8 one but still same issue (authentication works only for ssh unless I use pam_krb5). So either it's a bug in CentOS 8 or it needs a different configuration that is not explained anywhere in the sssd documentation.

By the way I am not the only one in this situation since someone else wrote in my other post that he has the same issue and cannot find any solution. I mention that because it lowers the probability that I am just dumb and doing something wrong (but it doesn't rule it out so there is still a chance that I am just totally stupid :? ).


jgauthier
Posts: 28
Joined: 2019/10/24 21:40:14

Re: kerberos offline authentication doesn't work with pam_krb5

Post by jgauthier » 2020/03/15 18:39:27

Thank you for trying to help but I already read this page months ago and it doesn't help. As I said, sssd is working just fine on my CentOS 7 computers so my problem is not due to a lack of overall knowledge, it's a problem with CentOS 8. Again:

sssd+kerberos+CentOS7 = everything works flawlessly

sssd+Kerberos+CentOS8 = not working

CentOS 8 has been out for 6 months, 8.1 is out too, but the problem remains and nobody is able to help or knows what is going on.

I am sorry if I sound frustrated, but I have been working on this problem since October 2019 with no progress at all yet besides the pam_krb5 rpm solution, but this one can only be a temporary solution and we need to make sssd work at a certain point.

jscarville
Posts: 135
Joined: 2014/06/17 21:50:37

Re: kerberos offline authentication doesn't work with pam_krb5

Post by jscarville » 2021/04/26 22:00:28

If you are still beating your head against this...

After much trial and error, I was able to get sssd to work with Kerberos by creating /etc/sssd/sssd.conf with the following:

[sssd]
  config_file_version = 2
  domains = LOCAL
  services = nss, pam

[domain/LOCAL]
  id_provider = files
  auth_provider = krb5
  krb5_server = kdc01.lereta.net
  krb5_realm = TOTALFLOOD.COM
  cache_credentials = true
  enumerate = false

[nss]
  filter_groups = root
  filter_users = root
  reconnection_retries = 3

[pam]
  reconnection_retries = 3
  offline_credentials_expiration = 2
  offline_failed_login_attempts = 3
  offline_failed_login_delay = 5
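
An added example, not part of any post in this thread: a small Python check that reads an sssd.conf and reports whether offline (cached) logins are enabled per domain and whether the `[pam]` limits on them are set. The sample text is constructed from the configuration posted above; the function name and finding messages are this example's own.

```python
import configparser

# Constructed sample: the sssd.conf from the post above, indentation kept.
SAMPLE = """\
[sssd]
  config_file_version = 2
  domains = LOCAL
  services = nss, pam
[domain/LOCAL]
  id_provider = files
  auth_provider = krb5
  krb5_server = kdc01.lereta.net
  krb5_realm = TOTALFLOOD.COM
  cache_credentials = true
[pam]
  offline_credentials_expiration = 2
  offline_failed_login_attempts = 3
  offline_failed_login_delay = 5
"""

# [pam] options where 0 (the sssd default) means "no limit".
UNLIMITED = {
    "offline_credentials_expiration": "cached logins never expire",
    "offline_failed_login_attempts": "offline password guessing is not throttled",
}

def audit_offline_auth(text):
    """Return findings (empty list = OK) about offline login settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Strip indentation so no key is mistaken for a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    findings = []
    domains = cp.get("sssd", "domains", fallback="")
    for dom in (d.strip() for d in domains.split(",") if d.strip()):
        sec = "domain/" + dom
        if not cp.has_section(sec):
            findings.append(f"[{sec}] is listed in domains but not defined")
        elif not cp.getboolean(sec, "cache_credentials", fallback=False):
            findings.append(f"[{sec}] cache_credentials is off: no offline login")
    for key, risk in UNLIMITED.items():
        if cp.getint("pam", key, fallback=0) == 0:
            findings.append(f"[pam] {key} is 0 or unset: {risk}")
    return findings
```

To audit a real host, pass the contents of /etc/sssd/sssd.conf (readable only by root) to `audit_offline_auth`.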
