On Mon, Jan 6, 2020 at 10:25 AM Lars Francke <lars.francke(a)gmail.com> wrote:
> Hi,
> I've got a question that seems pretty trivial to me so it feels like
> I'm missing something obvious.
> I know that there are different provider types: id, auth, chpass,
> access (and maybe others)
> But what I don't quite understand is what they actually do.
> The documentation says:
> id -> "The identification provider"
> auth -> "The authentication provider"
> access -> "The access control provider"
> chpass -> "The provider which should handle change password
> operations for the domain."
> (The first three are not very helpful ;-) )
> I understand chpass and I can make a guess about the others but I'm
> not sure:
> id: Just returns information about some object
With the caveat that I am not an sssd developer and the following
information is from my own understanding only:
The id provider is the backend that sssd uses to provide identity
information.
The most common instance where identity information is required is the
(getpwnam, getpwuid, getgrnam, getgrgid) glibc library functions.
When /etc/nsswitch.conf contains:
passwd: sss files systemd
group: sss files systemd
…then these glibc library functions will first call sssd to attempt to
look up users/uids/groups/gids. The mechanism that sssd uses to
perform the resolution is determined by the “id_provider” setting and
the various options that the selected id provider mechanism supports.
As another example, if you are using NFSv4 with RPCSEC_GSS
authentication, and /etc/idmapd.conf contains:
[Translation]
Method = sss
…then rpc.idmapd(8) will call sssd in order to translate between NFSv4
symbolic names (what the NFSv4 protocol uses on the wire when
RPCSEC_GSS is in use) and uids/gids.
> auth: Validates credentials for an object
The auth provider is the backend that sssd uses to provide PAM “auth”
module services for applications that are configured to call
pam_sss.so in the PAM auth stack. E.g.:
auth required pam_sss.so
There may be other instances where sssd is called upon to provide
authentication services, but I’m not coming up with any off the top of
my head. (The PAM auth stack is the most common case.)
> access: Checks authorization?
The access provider is the backend that sssd uses to provide PAM
“account” module services for applications that are configured to call
pam_sss.so in the PAM account stack. E.g.:
account required pam_sss.so
> But I'm very vague on the details. Is there any more information I
> can refer to?
The sssd man pages, most specifically sssd.conf(5), are good places to
start.
> What are the differences/can anyone point me at an API description
> or some other documentation?
Try:
https://docs.pagure.org/SSSD.sssd/developers/internals.html
…and the pages that are in the navigation column on the left of the
above page.
> One very specific question for example: What does the krb5 auth
> mean? Does it retrieve a ticket and try to decrypt that?
Setting “auth_provider = krb5” means that sssd will attempt Kerberos
authentication if sssd is called upon to authenticate a user, such as
when pam_sss.so is called in the PAM auth stack for an application.
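The reply above maps each provider type to the consumer that actually invokes it (id via nsswitch.conf, auth via the PAM auth stack, access via the PAM account stack). As an added example, not code from either participant in this thread, the following script parses constructed sssd.conf, nsswitch.conf and PAM stack fragments and reports where a configured provider has no consumer wired up, or where the access provider is left at its default. The sample configs are invented for illustration, and the fallback rules in effective_providers (auth defaults to id, chpass to auth, access to "permit") follow sssd.conf(5) as the author of this example understands it; verify them against the man page for your version.

```python
import configparser

# Constructed sample inputs (illustrative only, not copied from a real host).
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ldap
auth_provider = krb5
access_provider = simple
chpass_provider = krb5
"""

NSSWITCH_CONF = """\
passwd:  sss files systemd
group:   sss files systemd
shadow:  files
hosts:   files dns
"""

# A flattened PAM stack, as if one /etc/pam.d/ service file were read in full.
PAM_STACK = """\
auth      required   pam_unix.so
auth      sufficient pam_sss.so use_first_pass
account   required   pam_unix.so
account   [default=bad success=ok user_unknown=ignore] pam_sss.so
password  required   pam_unix.so
session   optional   pam_sss.so
"""

PROVIDER_KEYS = ("id_provider", "auth_provider", "access_provider", "chpass_provider")


def parse_sssd_domains(text):
    """Return {domain_name: {provider_key: value_or_None}} from sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    domains = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            name = section[len("domain/"):]
            domains[name] = {k: cp.get(section, k, fallback=None) for k in PROVIDER_KEYS}
    return domains


def effective_providers(configured):
    """Apply the sssd.conf(5) defaults as understood by this example's author:
    auth falls back to id, chpass to auth, and an unset access_provider means
    'permit' (every successfully authenticated user passes the account check)."""
    eff = dict(configured)
    eff["auth_provider"] = eff["auth_provider"] or eff["id_provider"]
    eff["chpass_provider"] = eff["chpass_provider"] or eff["auth_provider"]
    eff["access_provider"] = eff["access_provider"] or "permit"
    return eff


def nss_databases_using_sss(text):
    """Set of nsswitch.conf databases whose source list names 'sss'."""
    dbs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if "sss" in sources.split():
            dbs.add(db.strip())
    return dbs


def pam_stacks_calling_sss(text):
    """Set of PAM module types (auth/account/password/session) that call pam_sss.so."""
    types = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "pam_sss.so" not in line:
            continue
        # The first token is the module type; a leading '-' marks an optional entry.
        types.add(line.split()[0].lstrip("-").lower())
    return types


def audit(sssd_conf=SSSD_CONF, nsswitch=NSSWITCH_CONF, pam=PAM_STACK):
    """Pair each provider with its consumer (NSS or a PAM stack) and list mismatches."""
    findings = []
    nss = nss_databases_using_sss(nsswitch)
    pam_types = pam_stacks_calling_sss(pam)
    for name, configured in parse_sssd_domains(sssd_conf).items():
        if not configured["id_provider"]:
            findings.append(f"{name}: id_provider is not set (required for the domain)")
            continue
        eff = effective_providers(configured)
        if not {"passwd", "group"} <= nss:
            findings.append(f"{name}: id_provider={eff['id_provider']} but passwd/group in nsswitch.conf do not list sss")
        if "auth" not in pam_types:
            findings.append(f"{name}: auth_provider={eff['auth_provider']} but no PAM auth line calls pam_sss.so")
        if eff["access_provider"] == "permit":
            findings.append(f"{name}: access_provider unset, defaults to permit (sssd enforces no access control)")
        elif "account" not in pam_types:
            findings.append(f"{name}: access_provider={eff['access_provider']} but no PAM account line calls pam_sss.so, so it is never consulted")
        if "password" not in pam_types:
            findings.append(f"{name}: chpass_provider={eff['chpass_provider']} but no PAM password line calls pam_sss.so")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

With the sample inputs the only finding is that chpass_provider is set while no PAM password line calls pam_sss.so, which is exactly the kind of gap the provider/consumer pairing makes visible: a provider only matters if nsswitch.conf or the right PAM stack hands sssd the request.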