From adb36ae3633e2dfaa9c21bb45d05551f1ea3d749 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 21 Feb 2024 14:27:49 +0100
Subject: [PATCH 01/11] sssd: reintroduce with-files-access-provider
This is still needed to support the .k5login file with a proxy domain. For
example:
```
[domain/proxy]
id_provider = proxy
proxy_lib_name = files
access_provider = krb5
auth_provider = krb5
krb5_server = kdc.test
krb5_realm = TEST
```
---
profiles/sssd/README | 10 ++++++++++
profiles/sssd/fingerprint-auth | 2 +-
profiles/sssd/password-auth | 2 +-
profiles/sssd/smartcard-auth | 2 +-
profiles/sssd/system-auth | 2 +-
5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/profiles/sssd/README b/profiles/sssd/README
|
|
index 770891a338754b53ee48ba34d9d80c2f2f31cdb6..f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d 100644
|
|
--- a/profiles/sssd/README
|
|
+++ b/profiles/sssd/README
|
|
@@ -89,6 +89,16 @@ with-mdns4::
|
|
with-mdns6::
|
|
Enable multicast DNS over IPv6.
|
|
|
|
+with-files-access-provider:: If set, account management for local users is
|
|
+ handled also by pam_sss. This can be used to support SSSD's proxy domain
|
|
+ that is configured to serve users from local files but provide
|
|
+ authentication and access management (.k5login file) via Kerberos.
|
|
+
|
|
+ *WARNING:* SSSD access check will become mandatory for local users and
|
|
+ if SSSD is stopped then local users will not be able to log in. Only
|
|
+ system accounts (as defined by pam_usertype, including root) will be
|
|
+ able to log in.
|
|
+
|
|
with-gssapi::
|
|
If set, pam_sss_gss module is enabled to perform user authentication over
|
|
GSSAPI.
|
|
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
|
|
index 94232086a60f56976bd5182f5d10da9c63ec22b6..20ad3613e66ec85c7d2462d0449854e522383b3a 100644
|
|
--- a/profiles/sssd/fingerprint-auth
|
|
+++ b/profiles/sssd/fingerprint-auth
|
|
@@ -11,7 +11,7 @@ auth required pam_deny.so
|
|
account required pam_access.so {include if "with-pamaccess"}
|
|
account required pam_faillock.so {include if "with-faillock"}
|
|
account required pam_unix.so
|
|
-account sufficient pam_localuser.so
|
|
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
|
account sufficient pam_usertype.so issystem
|
|
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
|
account required pam_permit.so
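Review bot: With pam_localuser.so excluded, the stack still falls through `account [default=bad success=ok user_unknown=ignore] pam_sss.so` to `account required pam_permit.so`, so a local non-system user that SSSD does not resolve is permitted without any SSSD access check; the README's "access check will become mandatory for local users" therefore holds only for users the proxy domain actually serves, and the lockout when SSSD is stopped follows from pam_sss's non-success return being mapped to `default=bad` (presumably a service-unavailable error — worth confirming against pam_sss). The same fall-through applies to the identical hunks in password-auth, smartcard-auth and system-auth. I would narrow the README sentence to `*WARNING:* SSSD access check will become mandatory for every local user that SSSD resolves; if SSSD is stopped those users will not be able to log in.` and add one sentence stating that the feature relies on the proxy domain covering all local accounts.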
|
|
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
|
|
index 05487ca293138a1154cb6820dbc9a53770904670..97c33b678706e7eeb86bf45251baa41739f2940f 100644
|
|
--- a/profiles/sssd/password-auth
|
|
+++ b/profiles/sssd/password-auth
|
|
@@ -18,7 +18,7 @@ account required pam_access.so
|
|
account required pam_faillock.so {include if "with-faillock"}
|
|
account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
|
account required pam_unix.so
|
|
-account sufficient pam_localuser.so
|
|
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
|
account sufficient pam_usertype.so issystem
|
|
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
|
account required pam_permit.so
|
|
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
|
|
index 540556ce89b727a226bec4d3322a1775ef350253..78cb329bf332f4d629740a0fff7d2dfe43f7d78d 100644
|
|
--- a/profiles/sssd/smartcard-auth
|
|
+++ b/profiles/sssd/smartcard-auth
|
|
@@ -11,7 +11,7 @@ auth required pam_deny.so
|
|
account required pam_access.so {include if "with-pamaccess"}
|
|
account required pam_faillock.so {include if "with-faillock"}
|
|
account required pam_unix.so
|
|
-account sufficient pam_localuser.so
|
|
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
|
account sufficient pam_usertype.so issystem
|
|
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
|
account required pam_permit.so
|
|
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
|
|
index 83f9214fdd0a97ec49a8df52a2e202e034cbc0c6..90c3504a414f0a151475cc207285b230fec381b1 100644
|
|
--- a/profiles/sssd/system-auth
|
|
+++ b/profiles/sssd/system-auth
|
|
@@ -25,7 +25,7 @@ account required pam_access.so
|
|
account required pam_faillock.so {include if "with-faillock"}
|
|
account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
|
|
account required pam_unix.so
|
|
-account sufficient pam_localuser.so
|
|
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
|
|
account sufficient pam_usertype.so issystem
|
|
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
|
account required pam_permit.so
|
|
--
2.42.0