Sunday, November 1, 2015

All My Yak Shaves #1: One SSSD Config for RHEL 5-7

TL;DR

Even though Kerberos in CentOS/RHEL 5 (1.6.x) supports KEYRING credential cache, SSSD requires a function from Kerberos 1.10.x to use it.

Why SSSD?

I had been meaning to refactor our Puppet authconfig management for a while. (Authconfig is the recommended utility to configure how user information lookups and authentications are performed on RedHat-based Linux distributions.) Until recently we had been using a mix of nss_ldap, nss-pam-ldapd (nslcd) and sssd packages on our (RedHat Enterprise Linux clone) Oracle Enterprise Linux 5-7 hosts. We're lucky in that we generally only have to support RHEL-based Linux, but simultaneously supporting 3 versions can be tricky. My goal was to standardize our authconfig settings as much as possible while still supporting:
  1. nested group membership
  2. Kerberos authentication and password changes
for our POSIX users and groups in Active Directory. RedHat's documentation recommends SSSD for this task, and since it exists in versions 5, 6, and 7 I hoped the goals could be achieved.

Version Issues Discovered

RHEL 5 ships with SSSD 1.5.1. This version technically supports nested groups, but querying recursive group membership for a user forces SSSD to also fetch every member of those groups, which was frustrating sudo users, who would have to wait about 5 seconds for the system to check whether they were in a sudo group. A coworker discovered this issue was addressed in the 1.9.x version of SSSD with the addition of the "ignore_group_members" configuration parameter.

Another issue was support for Kerberos KEYRING credential caches in SSSD. I discovered the hard way that pam_krb5 will block logins if your disk is full or it cannot create the default Kerberos credential cache (/tmp/krb5cc_%{uidNumber}). I wanted to avoid that with SSSD, and using the Linux kernel's keyring functionality seemed like a good way to avoid the full-disk issue. Unfortunately, while the version of Kerberos that ships with RHEL 5 (1.6.1) supports KEYRING credential caches (even if the default credential cache is not configurable in /etc/krb5.conf), SSSD support for KEYRING was not added until SSSD 1.10.x. That last bit was the hard part - so much of SSSD's Kerberos implementation seems to simply rely on the system Kerberos libraries, but it turns out that SSSD's KEYRING implementation requires krb5_cc_get_full_name(), which was first introduced in Kerberos 1.10.x, which is only available in RHEL 6 and newer.

Version Issues Resolved-ish

I discovered a RHEL 5 backport of SSSD 1.9.x that ended up working out well for us. It gives us "ignore_group_members" which makes sudo fast. It doesn't give us KEYRING on RHEL 5, but given the prospect of trying to compile and statically link newer Kerberos libraries into a newer, hand-compiled version of SSSD, I chose to accept that older servers might not allow remote users' authentications if the disk was full.
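To show what the "one config" ends up looking like across the three releases, here is an added example (not code from the original post or from the SSSD project): a small POSIX shell script that emits the [domain] section of sssd.conf, always setting ignore_group_members, and adding the KEYRING credential cache template only when the installed SSSD is 1.10 or newer, as the version notes above describe. The domain, realm and server names are placeholders, and the LDAP schema and template names are my assumptions about a typical AD setup, not settings taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Emits one sssd.conf [domain]
# section whose KEYRING line is conditional on the installed SSSD version.
# example.com / dc1.example.com / EXAMPLE.COM are placeholders.

# Return 0 when "$1" (an SSSD version string such as 1.9.2) is >= 1.10.0,
# the first release whose KEYRING support the post could use; else return 1.
sssd_keyring_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "${major:-0}" -gt 1 ] && return 0
    [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -ge 10 ] && return 0
    return 1
}

# Read the installed SSSD version from rpm; "0.0" if the package is absent.
installed_sssd_version() {
    if v=$(rpm -q --qf '%{VERSION}' sssd 2>/dev/null); then
        printf '%s' "$v"
    else
        printf '0.0'
    fi
}

# Print the [domain] section appropriate for SSSD version "$1".
domain_section() {
    cat <<'EOF'
[domain/example.com]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://dc1.example.com
# rfc2307bis: POSIX attributes on AD objects with memberOf-style nesting
# (assumed layout, adjust to the directory's schema).
ldap_schema = rfc2307bis
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
# Do not fetch every member of each group the user belongs to (SSSD >= 1.9):
# this is what makes the sudo group check fast.
ignore_group_members = True
EOF
    if sssd_keyring_ok "$1"; then
        cat <<'EOF'
# Kernel keyring ccache: nothing is written under /tmp, so a full disk
# cannot block a login the way a file ccache can.
krb5_ccname_template = KEYRING:persistent:%U
EOF
    else
        echo "# SSSD $1 predates KEYRING support (needs 1.10.x); file ccache kept."
    fi
}

# Usage: SSSD_EMIT=1 sh this_script.sh  (prints the section for this host)
if [ -n "${SSSD_EMIT:-}" ]; then
    domain_section "$(installed_sssd_version)"
fi
```

The version check only looks at the SSSD major/minor numbers because that is the hard limit the post identifies; on a RHEL 5 host running the 1.9.x backport the KEYRING line is left out with a comment explaining why, so the same template can be shipped to every release.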