https://bugzilla.novell.com/show_bug.cgi?id=778513
https://bugzilla.novell.com/show_bug.cgi?id=778513#c0

Summary: SSSD vs NSS/PAM + LDAP/KRB configuration mess in YaST
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: joschibrauchle@gmx.de
QAContact: jsrain@suse.com
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.81 Safari/537.1

Hello,

I would like to report/complain about some problems when switching from NSS/LDAP to SSSD together with LDAP/KRB. We are using LDAP as id provider along with Kerberos as auth provider. Previously under openSUSE 11.4, YaST provided "Network Services" + "LDAP Client"/"Kerberos Client" for this configuration. Now we are trying to switch our existing configuration to SSSD under openSUSE 12.2, but noticed the following problems:

====================================
Problem 1)
====================================

In order to use SSSD with Kerberos, one needs to activate "Network Services" > "LDAP Client" > "Advanced Configuration" > "Use Kerberos". But then there exists "Network Services" > "Kerberos Client", where one needs to activate "Do Not Use Kerberos"! This is extremely confusing (configuring Kerberos in the LDAP client module, while having a second, inactive Kerberos module)!

====================================
Problem 2)
====================================

When using SSSD with Kerberos, there is no way in YaST to configure the following options:

- krb5_ccachedir (string)
- krb5_ccname_template (string)
- krb5_auth_timeout (integer)
- krb5_validate (boolean)
- krb5_keytab (string)
- krb5_renewable_lifetime (string)
- krb5_lifetime (string)
- krb5_renew_interval (integer)

See http://linux.die.net/man/5/sssd-krb5 for details.

Most of these options were previously configurable for NSS/PAM under "Network Services" > "Kerberos Client" > "Advanced Configuration", so I think this is a real regression of the new YaST LDAP/SSSD module.

====================================
Problem 3)
====================================

Switching back from SSSD to NSS/LDAP is not possible in YaST. When activating "Use Kerberos" under "Network Services" > "Kerberos Client", a message box pops up, saying:

-------
System Security Services Daemon (SSSD) is configured. It is in use for Kerberos authentication instead of pam_krb5. You can disable SSSD in yast2 ldap-client module.
-------

Unfortunately, in "LDAP Client", there is NO option to turn off SSSD! In the Help of the "LDAP Client" module, it says:

-------
Check Use System Security Services Daemon if you want the system to use SSSD instead of nss_ldap.
-------

but this option is nowhere to be found (it used to exist in OS11.4), hence it cannot be unchecked!

It looks like the whole LDAP/KRB configuration procedure for SSSD needs to be redesigned. Currently, it is lacking configuration options that used to exist for NSS/PAM and it is very confusing to use! Also, there is no way to revert back to NSS/PAM, as the required checkbox is missing.

Also, the LDAP/KRB config files /etc/ldap.conf, /etc/openldap/ldap.conf and /etc/krb5.conf are still used by many other applications! Hence, I suggest keeping the legacy "LDAP+KRB" modules for these old but still required config files, along with a newly designed and completely separate "SSSD client" module!

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
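The sssd-krb5(5) options the report lists can still be set by editing /etc/sssd/sssd.conf by hand while YaST lacks fields for them. The section below is an added example, not text from the bug report or from YaST; the domain name, LDAP URI, search base, realm, KDC and every option value are constructed placeholders.

```ini
# Added example (not from the report): hand-edited /etc/sssd/sssd.conf for an
# LDAP id provider with a Kerberos auth provider. All values are constructed.
[sssd]
services = nss, pam
domains = EXAMPLE_DOMAIN

[domain/EXAMPLE_DOMAIN]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.invalid
ldap_search_base = dc=example,dc=invalid
krb5_server = kdc.example.invalid
krb5_realm = EXAMPLE.INVALID

# The options the report says YaST cannot set (see sssd-krb5(5)).
# Directory for credential caches; %d in the template below expands to it.
krb5_ccachedir = /tmp
# Cache file name: %U is the user's UID, XXXXXX is replaced by random characters.
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
# Seconds to wait for the KDC before an authentication attempt fails.
krb5_auth_timeout = 15
# Verify the obtained TGT against the host key in the keytab, so a
# spoofed KDC cannot hand out tickets that SSSD would accept.
krb5_validate = true
krb5_keytab = /etc/krb5.keytab
# Ticket lifetime and renewable lifetime requested from the KDC.
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
# Seconds between checks for tickets that should be renewed (0 disables renewal).
krb5_renew_interval = 3600
```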