From adb36ae3633e2dfaa9c21bb45d05551f1ea3d749 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Wed, 21 Feb 2024 14:27:49 +0100 Subject: [PATCH 01/11] sssd: reintroduce with-files-access-provider This is still needed to support .k5login file with proxy domain. For example: ``` [domain/proxy] id_provider = proxy proxy_lib_name = files access_provider = krb5 auth_provider = krb5 krb5_server = kdc.test krb5_realm = TEST ``` --- profiles/sssd/README | 10 ++++++++++ profiles/sssd/fingerprint-auth | 2 +- profiles/sssd/password-auth | 2 +- profiles/sssd/smartcard-auth | 2 +- profiles/sssd/system-auth | 2 +- 5 files changed, 14 insertions(+), 4 deletions(-) diff --git a/profiles/sssd/README b/profiles/sssd/README index 770891a338754b53ee48ba34d9d80c2f2f31cdb6..f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d 100644 --- a/profiles/sssd/README +++ b/profiles/sssd/README @@ -89,6 +89,16 @@ with-mdns4:: with-mdns6:: Enable multicast DNS over IPv6. +with-files-access-provider:: If set, account management for local users is + handled also by pam_sss. This can be used to support SSSD's proxy domain + that is configured to serve users from local files but provide + authentication and access management (.k5login file) via Kerberos. + + *WARNING:* SSSD access check will become mandatory for local users and + if SSSD is stopped then local users will not be able to log in. Only + system accounts (as defined by pam_usertype, including root) will be + able to log in. + with-gssapi:: If set, pam_sss_gss module is enabled to perform user authentication over GSSAPI. diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth index 94232086a60f56976bd5182f5d10da9c63ec22b6..20ad3613e66ec85c7d2462d0449854e522383b3a 100644 --- a/profiles/sssd/fingerprint-auth +++ b/profiles/sssd/fingerprint-auth 
@@ -11,7 +11,7 @@ auth required pam_deny.so
 account required pam_access.so {include if "with-pamaccess"}
 account required pam_faillock.so {include if "with-faillock"}
 account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
 account sufficient pam_usertype.so issystem
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 05487ca293138a1154cb6820dbc9a53770904670..97c33b678706e7eeb86bf45251baa41739f2940f 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -18,7 +18,7 @@ account required pam_access.so
 account required pam_faillock.so {include if "with-faillock"}
 account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
 account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
 account sufficient pam_usertype.so issystem
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 540556ce89b727a226bec4d3322a1775ef350253..78cb329bf332f4d629740a0fff7d2dfe43f7d78d 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -11,7 +11,7 @@ auth required pam_deny.so
 account required pam_access.so {include if "with-pamaccess"}
 account required pam_faillock.so {include if "with-faillock"}
 account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
 account sufficient pam_usertype.so issystem
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
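Review bot: With pam_localuser.so excluded under with-files-access-provider, a non-system local user's account phase is decided by `account [default=bad success=ok user_unknown=ignore] pam_sss.so` followed by `account required pam_permit.so`, so a local user that SSSD reports as unknown (presumably one the proxy domain does not return) is permitted without any access check rather than denied. That is weaker than the README's statement that the SSSD access check becomes mandatory for local users. If fail-closed is the intent, the pam_sss line could be split on the same feature, `account [default=bad success=ok user_unknown=ignore] pam_sss.so {exclude if "with-files-access-provider"}` and `account [default=bad success=ok user_unknown=bad] pam_sss.so {include if "with-files-access-provider"}`; otherwise the README paragraph should say the guarantee covers only users the proxy domain actually serves. The same change appears in the password-auth, smartcard-auth and system-auth hunks.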
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 83f9214fdd0a97ec49a8df52a2e202e034cbc0c6..90c3504a414f0a151475cc207285b230fec381b1 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -25,7 +25,7 @@ account required pam_access.so
 account required pam_faillock.so {include if "with-faillock"}
 account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
 account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
 account sufficient pam_usertype.so issystem
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
-- 
2.42.0