missing includedir snippet in krb5.conf causes GSSAPI to fail

Thanks for taking the time to report this bug and trying to make Ubuntu better.

I'll be forwarding this issue to Sergio who has been taking care of sssd for a further assessment.

Can confirm this issue. So +1 upvote

Can confirm too. It was hard to find the solution, so I hope this will avoid people banging head on the table.

I discussed this with the team; ahasenack suggests that we should add that include line to src:kerberos-configs, which is the package that provides krb5.conf.

There are two components here:
a) sssd to ship /etc/krb5.conf.d/enable_sssd_conf_dir
This was done in 2.7.0-1, and is present in ubuntu mantic and later

b) krb5.conf to includedir /etc/krb5.conf.d
This should be done in src:kerberos-configs, and is not done yet anywhere

> Without this passwordless login using GSSAPI via SSH is not possible to a Ubuntu 22.04 machine.

This is not entirely true. We have tests that attempt this login and they pass just fine. There is some other detail that is missing. I'll read up in more detail on what the sssd_krb5_localauth_plugin.so plugin does. The upstream bug also had in one of the comments confirmation that a ~/.k5login file with the name of the principal would allow login to work, which tells me some sort of mapping between the username of the ssh command (which can have @DOMAIN components) and the local username is missing, and that plugin might be responsible for it.

Confirmed the issue on jammy, and the fix, by joining a machine to a windows AD domain, and attempting to login via ssh GSSAPIAuthentication as a domain user. It only works if I either put the principal name in ~/.k5login, or include the sssd localauth plugin via the include files as discussed in this bug.