[FFe]: Enable sssd-secrets service
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd (Ubuntu) | Fix Released | Undecided | Andreas Hasenack |
Bug Description
Please enable the sssd-secrets service. This needs the MIR for http-parser (#1638957) to pass.
[Rationale]
From the MIR bug (#1638957):
The Debian sssd package has the secrets service enabled, and disabling it in the Ubuntu package is part of the delta we carry.
The secrets service can be used as a generic key/value database for secrets, and one of its consumers is a Kerberos KDC via KCM (Kerberos Cache Manager), implemented by sssd-kcm. sssd-kcm gives users an option to store the credentials in a cache that persists across reboots, as opposed to storing them in the kernel keyring or in /tmp when that is a tmpfs.
sssd-secrets can also use a remote Custodia [https:/
sssd-secrets is Unix-socket activated and won't be running until there is a connection to that socket.
[Testing]
This is the testing that was done. Only the local store was tested, not the Custodia remote server case.
During testing, I found a related bug and filed a bug in debian about it with a related MP in salsa (https:/
Quick simple test
=================
sudo add-apt-repository -y -u ppa:ahasenack/
sudo apt install sssd
# Store a secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/
<html>
<head>
<title>200 OK</title></head>
<body>
<h1>OK</h1>
<p>Success</p>
</body>
# retrieve the secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/
{
"type": "simple",
"value": "foosecret"
}
# trying to retrieve the same secret as a different user won't work, because secrets are per user
$ sudo curl -H "Content-Type: application/json" --unix-socket /var/run/
<html>
<head>
<title>404 Not Found</
<body>
<h1>Not Found</h1>
<p>The requested resource was not found.</p>
</body>
Extended test
=============
This is a more extended version of this verification and it tests the integration of the secrets service between three services: the secrets service itself, MIT kerberos client libraries, and the sssd-kcm service (kerberos cache manager).
sudo add-apt-repository -y -u ppa:ahasenack/
sudo apt install sssd sssd-kcm
# use EXAMPLE.COM for the kerberos realm, and localhost for the admin and kdc servers, when prompted
sudo apt install krb5-user krb5-kdc krb5-admin-server
# the kdc will fail to start because there is no realm yet, that's ok. We will create it now. Use whatever password you want
sudo krb5_newrealm
# create a kerberos principal. This uses "secret" as a password
sudo kadmin.local -q "addprinc -pw secret ubuntu"
# edit /etc/krb5.conf and tell the library to use KCM by default
[libdefaults]
# create /etc/sssd/sssd.conf with these contents:
[sssd]
config_file_version = 2
services = pam
domains = example.com
[pam]
[domain/
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = localhost
krb5_realm = EXAMPLE.COM
# adjust permissions
sudo chmod 0600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
# (re)start sssd
sudo systemctl restart sssd
# test getting a ticket for "ubuntu". Notice how the cache is using "KCM":
ubuntu@
Password for <email address hidden>:
ubuntu@
Ticket cache: KCM:1000
Default principal: <email address hidden>
Valid starting Expires Service principal
03/08/18 13:09:12 03/08/18 23:09:12 <email address hidden>
renew until 03/09/18 13:09:10
# install ldb-tools
sudo apt install ldb-tools
# perform a search on the secrets database to see the entry created by kcm
$ sudo ldbsearch -H /var/lib/
# record 1
dn: cn=3615a3ca-
# record 2
dn: cn=ccache,
# returned 2 records
# 2 entries
# 0 referrals
# destroy the kerberos ticket and confirm it's gone from the secrets database
ubuntu@
ubuntu@
# returned 0 records
# 0 entries
# 0 referrals
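The quick test above drives the secrets service with curl. The following is an added example (not code from the bug report or from the sssd project) that does the same round trip from Python: an HTTP client over the daemon's Unix socket, a PUT of a `{"type": "simple", "value": ...}` document, a GET that maps 404 to "no such secret for this user", and a DELETE. The socket path `/var/run/secrets.socket` and the `/secrets/<name>` request path are assumptions taken from how the truncated curl lines read, not values confirmed by the page. So that it runs offline, the module also carries a constructed stand-in server that keys its store on the connecting peer's uid (SO_PEERCRED), which is the property behind the 404 that root gets for the ubuntu user's secret.

```python
"""Client for the sssd-secrets REST API over its Unix socket, plus a constructed
stand-in server for offline testing. Added example; assumptions are labelled."""
import http.client
import json
import os
import socket
import socketserver
import struct
import tempfile
import threading
from http.server import BaseHTTPRequestHandler

SECRETS_SOCKET = "/var/run/secrets.socket"  # assumption: path of the real daemon's socket


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection whose transport is an AF_UNIX stream socket."""

    def __init__(self, path):
        super().__init__("localhost")  # Host header only; no TCP connect happens
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


class SecretsClient:
    def __init__(self, path=SECRETS_SOCKET):
        self.path = path

    def _request(self, method, name, body=None):
        conn = UnixHTTPConnection(self.path)
        conn.request(method, "/secrets/" + name, body=body,
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        return resp.status, data

    def put(self, name, value):
        """Store a simple secret; the service answers 200 with an HTML body."""
        body = json.dumps({"type": "simple", "value": value})
        return self._request("PUT", name, body)[0] == 200

    def get(self, name):
        """Return the secret's value, or None when the service says 404
        (missing, or owned by a different uid: secrets are per user)."""
        status, data = self._request("GET", name)
        if status == 404:
            return None
        if status != 200:
            raise RuntimeError("secrets service returned %d" % status)
        doc = json.loads(data)
        if doc.get("type") != "simple":
            raise ValueError("unexpected secret type %r" % doc.get("type"))
        return doc["value"]

    def delete(self, name):
        return self._request("DELETE", name)[0] == 200


class _FakeSecretsHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for sssd-secrets: a per-uid key/value store."""
    store = {}  # {(uid, name): value}

    def _uid(self):
        try:  # Linux struct ucred {pid, uid, gid}; fall back to our own uid elsewhere
            raw = self.connection.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                                             struct.calcsize("3i"))
            return struct.unpack("3i", raw)[1]
        except (AttributeError, OSError):
            return os.getuid()

    def _key(self):
        return (self._uid(), self.path[len("/secrets/"):])

    def _reply(self, status, body=b"", ctype="text/html"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        doc = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        self.store[self._key()] = doc["value"]
        self._reply(200, b"<html><body><h1>OK</h1><p>Success</p></body></html>")

    def do_GET(self):
        value = self.store.get(self._key())
        if value is None:
            self._reply(404, b"<html><body><h1>Not Found</h1></body></html>")
        else:
            self._reply(200, json.dumps({"type": "simple", "value": value}).encode(),
                        "application/json")

    def do_DELETE(self):
        self._reply(200 if self.store.pop(self._key(), None) is not None else 404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_service(path):
    server = socketserver.ThreadingUnixStreamServer(path, _FakeSecretsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Store, read back, delete, and read again; returns (stored, value, deleted, value_after)."""
    path = os.path.join(tempfile.mkdtemp(), "secrets.socket")
    server = start_fake_service(path)
    try:
        client = SecretsClient(path)
        return (client.put("foo", "foosecret"), client.get("foo"),
                client.delete("foo"), client.get("foo"))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against the real daemon, drop the stand-in and construct `SecretsClient()` with the default socket path; note that the client does not need to send any credential, since the service derives the owner from the socket peer, which is exactly why the `sudo curl` in the quick test gets a 404.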
Related branches
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
Diff: 115 lines (+20/-7), 6 files modified
- debian/changelog (+11/-0)
- debian/control (+1/-0)
- debian/rules (+1/-6)
- debian/sssd-common.dirs (+1/-0)
- debian/sssd-common.install (+4/-0)
- debian/sssd-common.postinst (+2/-1)
description: updated
Changed in sssd (Ubuntu):
status: In Progress → New
I see the MIR for http-parser is still not approved. If it gets the MIR team approval I would be fine with accepting the FFe.