[Bug 1754365] Re: [FFe]: Enable sssd-secrets service
Andreas Hasenack
andreas at canonical.com
Thu Mar 8 15:37:01 UTC 2018
** Description changed:
Please enable the sssd-secrets service. This needs the MIR for http-parser (#1638957) to pass.
+ [Rationale]
+ From the MIR bug (#1638957):
+ The Debian sssd package has the secrets service enabled, and disabling it in the Ubuntu package is part of the delta we carry.
+
+ The secrets service can be used as a generic key/value database for
+ secrets, and one of its consumers is a kerberos KDC via KCM (Kerberos
+ Cache Manager), implemented by sssd-kcm. sssd-kcm gives users an option
+ to store the credentials in a cache that persists reboots, as opposed to
+ when it's stored in the kernel keyring or in /tmp, when that is a tmpfs.
+
+ sssd-secrets can also use a remote Custodia
+ [https://github.com/simo5/custodia] (in Universe) server to store its
+ secrets there.
+
+ sssd-secrets is unix socket activated and won't be running until there
+ is a connection to that socket.
+
+
[Testing]
- This is the testing that was done.
- During testing, I found a related bug and filed a bug in debian about it with a related MP in salsa (https://bugs.debian.org/892315).
+ This is the testing that was done. Only the local store was tested, not the Custodia remote server case.
+
+ During testing, I found a related bug and filed a bug in debian about it
+ with a related MP in salsa (https://bugs.debian.org/892315).
Quick simple test
=================
sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
sudo apt install sssd
# Store a secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XPUT http://localhost/secrets/foo -d'{"type":"simple","value":"foosecret"}';echo
<html>
<head>
<title>200 OK</title></head>
<body>
<h1>OK</h1>
<p>Success</p>
</body>
# retrieve the secret
$ curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
{
- "type": "simple",
- "value": "foosecret"
+ "type": "simple",
+ "value": "foosecret"
}
# try to retrieve the same secret but as a different user won't work because secrets are per user
$ sudo curl -H "Content-Type: application/json" --unix-socket /var/run/secrets.socket -XGET http://localhost/secrets/foo;echo
<html>
<head>
<title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested resource was not found.</p>
</body>
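The two curl calls above are the whole contract of the local store: PUT a JSON document of type "simple" to /secrets/<name> over the unix socket, GET it back, and expect 404 when the secret is missing or belongs to a different user. The following is an added example, not sssd code or anything from this bug: a small Python client that speaks that API over an AF_UNIX socket, paired with a mock server so the client can be exercised offline. The mock server, its use of SO_PEERCRED to key the store by the caller's uid, and the DELETE verb (not shown on this page) are assumptions about how the service behaves, not a copy of sssd-secrets; the real service is reached at /var/run/secrets.socket as the page shows.

```python
"""Client for the sssd-secrets unix-socket REST API plus an offline mock.
Added example; not sssd code.  The mock server, its SO_PEERCRED uid lookup
and the DELETE verb are assumptions, not the real implementation."""
import http.client
import http.server
import json
import os
import socket
import socketserver
import struct
import tempfile
import threading
from urllib.parse import quote


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that dials an AF_UNIX path instead of TCP."""

    def __init__(self, path):
        super().__init__("localhost")  # host is only used for the Host: header
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


class SecretsClient:
    """PUT/GET/DELETE /secrets/<name>, mirroring the curl calls on the page."""

    def __init__(self, socket_path="/var/run/secrets.socket"):
        self.socket_path = socket_path

    def _request(self, method, name, body=None):
        conn = UnixHTTPConnection(self.socket_path)
        try:
            conn.request(method, "/secrets/" + quote(name, safe=""),
                         body=body, headers={"Content-Type": "application/json"})
            resp = conn.getresponse()
            return resp.status, resp.read()
        finally:
            conn.close()

    def put(self, name, value):
        status, _ = self._request("PUT", name, json.dumps({"type": "simple", "value": value}))
        return status == 200

    def get(self, name):
        status, data = self._request("GET", name)
        if status == 404:  # missing, or stored by another uid (per-user namespace)
            return None
        return json.loads(data)["value"]

    def delete(self, name):
        status, _ = self._request("DELETE", name)
        return status == 200


def peer_uid(conn):
    """uid of the process on the far end of a unix socket (Linux SO_PEERCRED)."""
    if not hasattr(socket, "SO_PEERCRED"):
        return os.getuid()  # non-Linux fallback so the demo still runs
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)  # struct ucred: pid, uid, gid
    return uid


class MockSecretsHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for sssd-secrets: one dict of secrets per caller uid."""
    store = {}  # uid -> {name: value}

    def log_message(self, *args):  # client_address is '' on AF_UNIX; stay quiet
        pass

    def _reply(self, status, body, ctype="application/json"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _bucket(self):
        return self.store.setdefault(peer_uid(self.connection), {})

    def _name(self):
        prefix = "/secrets/"
        return self.path[len(prefix):] if self.path.startswith(prefix) else None

    def do_PUT(self):
        name = self._name()
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        if not name or body.get("type") != "simple" or "value" not in body:
            return self._reply(400, b"bad request", "text/plain")
        self._bucket()[name] = body["value"]
        self._reply(200, b"Success", "text/plain")

    def do_GET(self):
        name, bucket = self._name(), self._bucket()
        if name not in bucket:
            return self._reply(404, b"Not Found", "text/plain")
        self._reply(200, json.dumps({"type": "simple", "value": bucket[name]}).encode())

    def do_DELETE(self):
        name, bucket = self._name(), self._bucket()
        if name not in bucket:
            return self._reply(404, b"Not Found", "text/plain")
        del bucket[name]
        self._reply(200, b"Success", "text/plain")


class UnixHTTPServer(http.server.HTTPServer):
    """HTTPServer bound to a unix socket path instead of host:port."""
    address_family = socket.AF_UNIX
    allow_reuse_address = False

    def server_bind(self):
        socketserver.TCPServer.server_bind(self)
        self.server_name, self.server_port = "localhost", 0


def demo():
    """Run the client against the mock on a temp socket; returns what each step saw."""
    sock_dir = tempfile.mkdtemp()
    path = os.path.join(sock_dir, "secrets.socket")
    MockSecretsHandler.store = {}
    server = UnixHTTPServer(path, MockSecretsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        c = SecretsClient(path)
        return (c.put("foo", "foosecret"), c.get("foo"), c.get("bar"),
                c.delete("foo"), c.get("foo"))
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(path)
        os.rmdir(sock_dir)


if __name__ == "__main__":
    print(demo())
```

Against the real service, instantiate SecretsClient() with the default path and run it as the user who owns the secret; the 404 for the sudo'd GET on the page is exactly what get() maps to None.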
Extended test
=============
This is a more extended version of this verification and it tests the integration of the secrets service between three services: the secrets service itself, MIT kerberos client libraries, and the sssd-kcm service (kerberos cache manager).
sudo add-apt-repository -y -u ppa:ahasenack/sssd-secrets-1638957
sudo apt install sssd sssd-kcm
# use EXAMPLE.COM for the kerberos realm, and localhost for the admin and kdc servers, when prompted
sudo apt install krb5-user krb5-kdc krb5-admin-server
# the kdc will fail to start because there is no realm yet, that's ok. We will create it now. Use whatever password you want
sudo krb5_newrealm
# create a kerberos principal. This uses "secret" as a password
sudo kadmin.local -q "addprinc -pw secret ubuntu"
# edit /etc/krb5.conf and tell the library to use KCM by default
[libdefaults]
- default_ccache_name = KCM: # <-- add this line
+ default_ccache_name = KCM: # <-- add this line
# create /etc/sssd/sssd.conf with these contents:
[sssd]
config_file_version = 2
services = pam
domains = example.com
[pam]
[domain/example.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = localhost
krb5_realm = EXAMPLE.COM
# adjust permissions
sudo chmod 0600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
# (re)start sssd
sudo systemctl restart sssd
# test getting a ticket for "ubuntu". Notice how the cache is using "KCM":
ubuntu@bionic-sssd-http-parser:~$ kinit
Password for ubuntu@EXAMPLE.COM:
ubuntu@bionic-sssd-http-parser:~$ klist
Ticket cache: KCM:1000
Default principal: ubuntu@EXAMPLE.COM
Valid starting       Expires              Service principal
03/08/18 13:09:12    03/08/18 23:09:12    krbtgt/EXAMPLE.COM@EXAMPLE.COM
- renew until 03/09/18 13:09:10
+ renew until 03/09/18 13:09:10
# install ldb-tools
sudo apt install ldb-tools
# perform a search on the secrets database to see the entry created by kcm
$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
# record 1
dn: cn=3615a3ca-b857-4ee6-ae70-3a82485276b3-1000,cn=ccache,cn=1000,cn=persistent,cn=kcm
# record 2
dn: cn=ccache,cn=1000,cn=persistent,cn=kcm
# returned 2 records
# 2 entries
# 0 referrals
# destroy the kerberos ticket and confirm it's gone from the secrets database
ubuntu@bionic-sssd-http-parser:~$ kdestroy
ubuntu@bionic-sssd-http-parser:~$ sudo ldbsearch -H /var/lib/sss/secrets/secrets.ldb cn
# returned 0 records
# 0 entries
# 0 referrals
https://bugs.launchpad.net/bugs/1754365
Title:
[FFe]: Enable sssd-secrets service