
I'm having trouble with Kerberos and Ubuntu 20.04.
I'm running a FreeIPA server, but since it works on my CentOS machines, I guess it's a client issue.

The big goal is to have an SSO system for multiple services. Mostly it works as intended, but one thing refuses to work for me:
getting automount/autofs to accept my configuration for Kerberos. One major problem is that autofs cannot read the KRB5CCNAME environment variable. It always uses the libdefaults value, which would be fine if Ubuntu also did that. However, for some reason, no matter what I try, Ubuntu does not set the KRB5CCNAME environment variable correctly during sign-on, but always defaults to FILE:/tmp/krb5cc_<UID>_<VALUE>.
I would prefer to use the keyring, so I wrote default_ccache_name = KEYRING:persistent:%{uid} in the [libdefaults] section of krb5.conf. When I set KRB5CCNAME manually, everything is just fine and automount connects to my Samba drives.
But letting the system decide what the variable should contain always results in FILE:...

My client's krb5.conf looks like this:

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
  default = FILE:/var/log/krb5.log

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
  ccache_type = 4

[realms]
  EXAMPLE.COM = {
    # the KDC listens on 88, the same port as master_kdc below
    kdc = ipa.example.com:88
    master_kdc = ipa.example.com:88
    admin_server = ipa.example.com:749
    kpasswd_server = ipa.example.com:464
    default_domain = example.com
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  client.example.com = EXAMPLE.COM

The SSSD Config:

[domain/example.com]
debug_level = 10
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = EXAMPLE.COM
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_search_base = cn=accounts,dc=example,dc=com
krb5_ccname_template = KEYRING:persistent:%U

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.com
debug_level = 10

[nss]
override_shell = /bin/bash

[pam]
offline_credentials_expiration = 60
debug_level = 10

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_access_filter = (objectClass=posixAccount)
debug_level = 10

[ssh]

[sudo]

Any ideas?

Poehli
  • Are you connecting via SSH using GSSAPI credential delegation? – user1686 Dec 13 '20 at 17:40
  • No, I'm not using SSH at all to logon to the machine. Just a regular gdm3 gui login. – Poehli Dec 13 '20 at 19:19
  • What PAM modules are installed – do you use pam_krb5 alongside SSSD? – user1686 Dec 13 '20 at 22:52
  • I installed everything with the freeipa-client package from the repo. It installed pam_krb5 and used it in common-password, -account, -session(-interactive) and -auth. sss is used in common-password, -account, -session, -auth and in some .pam-olds, which are backups I assume – Poehli Dec 13 '20 at 23:26

1 Answer


always defaults to FILE:/tmp/krb5cc_<UID>_<VALUE>

If KRB5CCNAME points to a cache with a random suffix, this indicates that some software has decided to explicitly set up an isolated cache instead of using the default.

(The default value isn't put in KRB5CCNAME at all – its purpose is to be used when the environment variable is absent. On top of that, if it were using the traditional default path, you would actually get FILE:/tmp/krb5cc_<UID> with no extra random value at the end.)

I installed everything with the freeipa-client package from the repo. It installed pam_krb5 and used it in common-password, -account, -session(-interactive) and -auth. sss is used in common-password, -account, -session, -auth and in some .pam-olds

Your issue is that the password is verified against Kerberos by two independent modules: once by pam_sss (SSSD) and once by pam_krb5. Both of them use unique per-session caches and both of them will set KRB5CCNAME to such a temporary file-based cache path.

Ideally you shouldn't use pam_krb5 at all – the same tasks are already done by SSSD as part of its FreeIPA integration. Consider disabling pam_krb5 in all PAM configurations if they already invoke pam_sss in the same section.

If that is not possible, pam_krb5 has its own parameter for the per-session cache template, which can be set in /etc/krb5.conf (or directly within PAM configuration, but that's not as convenient):

  • Russ Allbery's pam_krb5 (used by Debian/Ubuntu/Arch):

    [appdefaults]
        pam = {
            ccache = KEYRING:persistent:%u
        }
    
  • Fedora's pam_krb5:

    [appdefaults]
        pam = {
            ccname_template = KEYRING:persistent:%U
        }
    

Finally, note that when you ssh into a server with GSSAPI auth and delegation enabled (e.g. by using ssh -K), the sshd itself stores the delegated TGT into a unique per-session cache. This behavior is hardcoded in sshd and cannot be changed.

user1686
  • Awesome, thanks! I still don't understand why the krb5 pam set the wrong value, but removing it fixed my problem. And I get now, that it makes no sense that krb5 and sss are used. Would be awesome, if you had a suggestion, why the variable was wrong. – Poehli Dec 14 '20 at 18:12
  • I think you misunderstood the purpose of `default_ccache_name`. That's not the default value that KRB5CCNAME should be set to – it's the value that would be used if the cache name _weren't_ set. Indeed the whole point of pam_krb5 setting a custom KRB5CCNAME is to _avoid_ using the default cache! – user1686 Dec 14 '20 at 19:40
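The two points the answer makes (KRB5CCNAME overrides default_ccache_name rather than being filled from it, and a PAM stack that runs both pam_krb5 and pam_sss verifies the password twice) can be checked mechanically. The following script is an added example written for this page, not code from the question, the answer, SSSD or pam_krb5; its krb5.conf parser is deliberately minimal, the PAM lines are constructed to resemble an Ubuntu common-auth with both modules present, and the function names are the example's own.

```python
"""Added example: make the answer's two points checkable.

1. resolve_ccache(): how libkrb5 chooses the credential cache name.  KRB5CCNAME in
   the environment always wins; default_ccache_name from [libdefaults] is only
   consulted when the variable is absent; the compiled-in fallback FILE:/tmp/krb5cc_<uid>
   applies when neither is set.
2. find_double_krb_auth(): report PAM section types that invoke both pam_krb5 and
   pam_sss, the double verification the answer says to remove.

All sample inputs are constructed for this example, not taken from a real host.
"""
import re
from collections import defaultdict

COMPILED_IN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"  # MIT libkrb5 fallback when nothing is configured


def parse_libdefaults(krb5_conf_text):
    """Return key/value pairs from the [libdefaults] section of a krb5.conf text.
    Minimal parser: handles section headers and 'key = value' lines, skips comments
    and includedir lines, and ignores nested realm blocks (enough for this example)."""
    values = {}
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def expand_ccache_template(template, uid):
    """Expand the %{uid} placeholder used by libkrb5 (and the %U form used by
    SSSD's krb5_ccname_template and Fedora's pam_krb5) to the numeric UID."""
    return template.replace("%{uid}", str(uid)).replace("%U", str(uid))


def resolve_ccache(env, krb5_conf_text, uid):
    """Credential cache a process would use, in libkrb5's priority order:
    KRB5CCNAME from the environment, then default_ccache_name, then the fallback."""
    if env.get("KRB5CCNAME"):
        return env["KRB5CCNAME"]
    template = parse_libdefaults(krb5_conf_text).get("default_ccache_name", COMPILED_IN_DEFAULT)
    return expand_ccache_template(template, uid)


def find_double_krb_auth(pam_lines):
    """Given lines of a PAM stack file (e.g. /etc/pam.d/common-auth), return the
    sorted section types (auth, account, ...) that call both pam_krb5 and pam_sss."""
    modules = defaultdict(set)
    for raw in pam_lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Format: <type> <control> <module> [args]; the control field may be
        # bracketed and contain spaces, so locate the module by its pam_*.so name.
        module = re.search(r"(pam_\w+)\.so", line)
        if not module:
            continue
        modules[line.split()[0]].add(module.group(1))
    return sorted(t for t, mods in modules.items() if {"pam_krb5", "pam_sss"} <= mods)


# Constructed sample inputs.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
  default_realm = EXAMPLE.COM
  default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com:88
  }
"""
SAMPLE_COMMON_AUTH = [
    "# constructed common-auth with both modules present",
    "auth    [success=3 default=ignore]  pam_krb5.so minimum_uid=1000",
    "auth    [success=2 default=ignore]  pam_unix.so nullok_secure try_first_pass",
    "auth    [success=1 default=ignore]  pam_sss.so use_first_pass",
    "auth    requisite                   pam_deny.so",
    "auth    required                    pam_permit.so",
]
SAMPLE_COMMON_SESSION = [
    "session optional  pam_sss.so",
    "session optional  pam_systemd.so",
]

if __name__ == "__main__":
    print("no KRB5CCNAME       ->", resolve_ccache({}, SAMPLE_KRB5_CONF, 1000))
    print("KRB5CCNAME exported ->", resolve_ccache({"KRB5CCNAME": "FILE:/tmp/krb5cc_1000_AbCdEf"}, SAMPLE_KRB5_CONF, 1000))
    print("no config at all    ->", resolve_ccache({}, "", 1000))
    print("double auth in      ->", find_double_krb_auth(SAMPLE_COMMON_AUTH))
    print("double auth in      ->", find_double_krb_auth(SAMPLE_COMMON_SESSION))
```

Running it shows that the keyring name only appears when KRB5CCNAME is unset, which is why exporting the variable by hand worked for the asker, and that the constructed common-auth is flagged in its auth section while the session stack, which only calls pam_sss, is not. To audit a real client, feed it the lines of each /etc/pam.d/common-* file in turn.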