MIT Kerberos PR krb5/krb5#1359 adds support for running the KDC locally, accessible only over a UNIX domain socket. When the SSSD krb5 locator plugin is in use, it should prefer the UNIX domain socket if one is configured and return KRB5_PLUGIN_NO_HANDLE to allow MIT Kerberos to fall back to using the UNIX domain socket.
Right now the SSSD krb5 locator plugin has to be explicitly disabled to allow use on IPA servers that have enabled the UNIX domain socket in their KDC/krb5.conf configuration.
You can use COPR asn/localkdc to test SSSD changes against. This COPR repository provides a custom MIT Kerberos build (as well as a Samba build to support IAKERB with local KDCs, but this is unrelated to UNIX domain socket support) and a localkdc package that allows easy setup of the local KDC. The latter currently requires SELinux permissive mode (just a warning, as we are working on the policy extensions).
For an IPA server, just update the krb5 (and samba) packages from the COPR asn/localkdc and add the following in /var/kerberos/krb5kdc/kdc.conf:

and the following additional line in /etc/krb5.conf:
Thanks for the report. What kind of detection are you envisioning? Would it be sufficient to check whether there is a kdc option for the given realm and whether it has a value starting with /? What about the case where the UNIX domain socket is only one of the values of the kdc option?
I think checking whether a UNIX domain socket is present as one of the values is enough. It does not need to be the first one, though, but consider this:
- the current locator plugin interface cannot handle non-IP transports anyway (only IPv4 and IPv6; not HTTPS, for example)
- if a UNIX domain socket is configured for this domain, it is local, so it could be preferred. This is particularly true for IPA servers, where we do not want to contact other servers at all.
Maybe, instead of the check in the locator plugin, SSSD would treat this case as it currently does for krb5_use_kdcinfo=False?
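The detection discussed in the comments above, as an added example that is not SSSD's or MIT Kerberos's code: a small C parser over a constructed krb5.conf that answers the question raised in the thread (is a UNIX domain socket one of the `kdc` values for the realm, not necessarily the first one) and turns the answer into the locator plugin's handle/defer decision. The sample config, the socket path and the `kdc = /path` value syntax are assumptions; a real plugin would read the values through libkrb5's profile API instead of parsing the file itself.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample krb5.conf (not from the issue). IPA.TEST lists a
 * network KDC first and a UNIX domain socket second (assumed syntax:
 * a `kdc` value starting with '/'); REMOTE.TEST has only a network KDC. */
const char SAMPLE_KRB5_CONF[] =
    "[libdefaults]\n"
    " default_realm = IPA.TEST\n"
    "\n"
    "[realms]\n"
    " IPA.TEST = {\n"
    "  kdc = ipa.test.example:88\n"
    "  kdc = /run/krb5kdc/kdc.sock\n"
    "  admin_server = ipa.test.example\n"
    " }\n"
    " REMOTE.TEST = {\n"
    "  kdc = kdc.remote.test\n"
    " }\n";

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* True if `s` starts with `key` followed (after optional blanks) by '=';
 * on success *value points at the text after the '='. A key that is only
 * a prefix of a longer name ("kdc" vs "kdc_x", "IPA.TES" vs "IPA.TEST")
 * does not match because the next character is not '='. */
static int parse_assignment(const char *s, const char *key, const char **value)
{
    size_t klen = strlen(key);
    const char *q;

    if (strncmp(s, key, klen) != 0)
        return 0;
    q = skip_ws(s + klen);
    if (*q != '=')
        return 0;
    *value = skip_ws(q + 1);
    return 1;
}

/* Returns 1 if the [realms] block for `realm` contains at least one kdc
 * value starting with '/', the check proposed in the thread; 0 otherwise.
 * Handles only the krb5.conf subset needed here: [section] headers,
 * NAME = { ... } blocks, key = value lines and '#'/';' comment lines. */
int realm_has_unix_socket_kdc(const char *conf, const char *realm)
{
    int in_realms = 0, in_realm = 0, depth = 0;
    const char *p = conf;

    while (*p != '\0') {
        const char *end = strchr(p, '\n');
        const char *s, *value;

        if (end == NULL)
            end = p + strlen(p);
        s = skip_ws(p);
        p = (*end == '\n') ? end + 1 : end;

        if (s >= end || *s == '#' || *s == ';')
            continue;
        if (*s == '[') {                       /* section header */
            in_realms = strncmp(s, "[realms]", 8) == 0;
            in_realm = 0;
            depth = 0;
            continue;
        }
        if (!in_realms)
            continue;
        if (memchr(s, '{', (size_t)(end - s)) != NULL) {   /* NAME = { */
            if (depth == 0 && parse_assignment(s, realm, &value) && *value == '{')
                in_realm = 1;
            depth++;
            continue;
        }
        if (*s == '}') {                       /* block closes */
            if (depth > 0)
                depth--;
            if (depth == 0)
                in_realm = 0;
            continue;
        }
        if (in_realm && depth == 1 && parse_assignment(s, "kdc", &value) && *value == '/')
            return 1;
    }
    return 0;
}

/* Locator decision from the thread: return 1 (defer, i.e. the plugin
 * would return KRB5_PLUGIN_NO_HANDLE so libkrb5 falls back to its own
 * krb5.conf lookup) when the realm has a local socket, else 0 (handle). */
int locator_should_defer(const char *conf, const char *realm)
{
    return realm_has_unix_socket_kdc(conf, realm);
}

int main(void)
{
    printf("IPA.TEST defer=%d\n", locator_should_defer(SAMPLE_KRB5_CONF, "IPA.TEST"));
    printf("REMOTE.TEST defer=%d\n", locator_should_defer(SAMPLE_KRB5_CONF, "REMOTE.TEST"));
    return 0;
}
```

The socket is deliberately the second `kdc` value in the sample so that the check covers the "only one of the values" case from the thread; a realm whose name is merely a prefix of a configured realm (`IPA.TES`) is not matched.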