missing includedir snippet in krb5.conf causes GSSAPI to fail

Bug #2037321 reported by Fabian
This bug affects 1 person
Affects                    Series    Status        Importance  Assigned to
heimdal (Ubuntu)           Jammy     New           Undecided   Unassigned
heimdal (Ubuntu)           Mantic    New           Undecided   Unassigned
heimdal (Ubuntu)           Noble     New           Undecided   Unassigned
heimdal (Ubuntu)           Oracular  New           Undecided   Unassigned
kerberos-configs (Debian)  -         New           Unknown     -
kerberos-configs (Ubuntu)  Jammy     New           Undecided   Unassigned
kerberos-configs (Ubuntu)  Mantic    New           Undecided   Unassigned
kerberos-configs (Ubuntu)  Noble     New           Undecided   Unassigned
kerberos-configs (Ubuntu)  Oracular  In Progress   Undecided   Andreas Hasenack
sssd (Ubuntu)              Jammy     In Progress   Undecided   Andreas Hasenack
sssd (Ubuntu)              Mantic    Fix Released  Undecided   Unassigned
sssd (Ubuntu)              Noble     Fix Released  Undecided   Unassigned
sssd (Ubuntu)              Oracular  Fix Released  Undecided   Unassigned
(For the Ubuntu packages the overall status is tracked in Oracular; no milestone is set.)

Bug Description

sssd is missing a vital line in /etc/krb5.conf:
includedir /var/lib/sss/pubconf/krb5.include.d

Without this, passwordless login using GSSAPI via SSH to an Ubuntu 22.04 machine is not possible.
The solution was found here: https://github.com/PowerShell/Win32-OpenSSH/issues/1875
It was fixed for rpm distributions here: https://github.com/SSSD/sssd/issues/5893, but apparently never made it into Ubuntu.

This is on Ubuntu 22.04.2 LTS with sssd 2.6.3-1ubuntu3.2.

Tags: server-todo
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for taking the time to report this bug and trying to make Ubuntu better.

I'll be forwarding this issue to Sergio who has been taking care of sssd for a further assessment.

Koen Dierckx (dierckxk) wrote :

Can confirm this issue. So +1 upvote.

Mario Chisari (mumon66) wrote :

Can confirm too. It was hard to find the solution, so I hope this will save people from banging their heads on the table.

Paride Legovini (paride) wrote :

I discussed this with the team; ahasenack suggests that we should add that include line to src:kerberos-configs, which is the package that provides krb5.conf.

affects: sssd (Ubuntu) → kerberos-configs (Ubuntu)
Changed in kerberos-configs (Ubuntu):
status: New → Triaged
tags: added: server-todo
Changed in kerberos-configs (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Andreas Hasenack (ahasenack) wrote (last edit):

There are two components here:
a) sssd to ship /etc/krb5.conf.d/enable_sssd_conf_dir
This was done in 2.7.0-1, and is present in Ubuntu mantic and later.

b) krb5.conf to includedir /etc/krb5.conf.d
This should be done in src:kerberos-configs, and is not done yet anywhere.

Changed in sssd (Ubuntu Oracular):
status: New → Fix Released
Changed in sssd (Ubuntu Noble):
status: New → Fix Released
Changed in sssd (Ubuntu Mantic):
status: New → Fix Released
Changed in sssd (Ubuntu Jammy):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
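As an added example (not code from the bug report, sssd or kerberos-configs), a POSIX sh audit helper that checks whether a krb5.conf reaches the sssd localauth plugin config by either route described above: a direct includedir of /var/lib/sss/pubconf/krb5.include.d, or includedir /etc/krb5.conf.d plus the enable_sssd_conf_dir drop-in. The sample files, the EXAMPLE.COM realm and the drop-in's content are constructed here.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or any Ubuntu package): does a
# krb5.conf reach sssd's localauth plugin config? That needs either a direct
# "includedir /var/lib/sss/pubconf/krb5.include.d" or, as on mantic+,
# "includedir /etc/krb5.conf.d" plus sssd's enable_sssd_conf_dir drop-in.

SSSD_PUBCONF=/var/lib/sss/pubconf/krb5.include.d

# krb5_includes_dir CONF DIR: 0 if CONF has an uncommented "includedir DIR"
# line (leading whitespace allowed), 1 otherwise.
krb5_includes_dir() {
    awk -v dir="$2" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        $1 == "includedir" && $2 == dir { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# sssd_reachable CONF CONFDIR: 0 if CONF includes SSSD_PUBCONF directly, or
# includes CONFDIR and CONFDIR/enable_sssd_conf_dir includes SSSD_PUBCONF.
sssd_reachable() {
    if krb5_includes_dir "$1" "$SSSD_PUBCONF"; then
        return 0
    fi
    krb5_includes_dir "$1" "$2" \
        && [ -f "$2/enable_sssd_conf_dir" ] \
        && krb5_includes_dir "$2/enable_sssd_conf_dir" "$SSSD_PUBCONF"
}

# make_sample ROOT yes|no: constructed sample layout. "no" mimics the jammy
# kerberos-configs file from the bug (no includedir); "yes" adds the line.
make_sample() {
    mkdir -p "$1/krb5.conf.d"
    : > "$1/krb5.conf"
    [ "$2" = yes ] && echo "includedir $1/krb5.conf.d" >> "$1/krb5.conf"
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' >> "$1/krb5.conf"
    # the drop-in sssd >= 2.7.0 ships (content constructed here)
    echo "includedir $SSSD_PUBCONF" > "$1/krb5.conf.d/enable_sssd_conf_dir"
}

tmp=$(mktemp -d)
for state in no yes; do
    make_sample "$tmp/$state" "$state"
    if sssd_reachable "$tmp/$state/krb5.conf" "$tmp/$state/krb5.conf.d"; then
        echo "includedir=$state: sssd localauth config reachable"
    else
        echo "includedir=$state: sssd localauth config NOT reachable"
    fi
done
rm -rf "$tmp"
```

On a real host, run sssd_reachable /etc/krb5.conf /etc/krb5.conf.d to see which of the two components is still missing.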
Andreas Hasenack (ahasenack) wrote :

> Without this passwordless login using GSSAPI via SSH is not possible to a Ubuntu 22.04 machine.

This is not entirely true. We have tests that attempt this login and they pass just fine. There is some other detail that is missing. I'll read up in more detail on what the sssd_krb5_localauth_plugin.so plugin does. The upstream bug also had in one of the comments confirmation that a ~/.k5login file with the name of the principal would allow login to work, which tells me some sort of mapping between the username of the ssh command (which can have @DOMAIN components) and the local username is missing, and that plugin might be responsible for it.

Andreas Hasenack (ahasenack) wrote :

Confirmed the issue on jammy, and the fix, by joining a machine to a Windows AD domain and attempting to log in via ssh GSSAPIAuthentication as a domain user. It only works if I either put the principal name in ~/.k5login, or include the sssd localauth plugin via the include files as discussed in this bug.

Andreas Hasenack (ahasenack) wrote :

The krb5.conf configuration file is produced by src:kerberos-configs and shared between heimdal kerberos and MIT kerberos. Of those, only MIT kerberos has includedir support in a released version. heimdal has it in their git tree[1], but not yet in a release.

Therefore, in order to fully fix this bug, we first need a heimdal package with support for includedir, either by backporting that patch, or waiting for a new upstream heimdal release with that change in it.

That commit is from 2017, so 7 years ago, and hasn't landed in a release yet. The last heimdal upstream release is 7.8, from November 2022. While the git repository is quite active, I can't tell when a new release with this fix will be made.

I added a comment to the Debian bug[2] about the availability of the patch[1]. It applies, and since then I have built it in a PPA[3] and quickly tested the feature. It seems to work. It would be best if Debian agreed on applying it, then we could all be on the same page.

1. https://github.com/heimdal/heimdal/commit/fe43be85587f834266623adb0ecf2793d212a7ca
2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858970
3. https://launchpad.net/~ahasenack/+archive/ubuntu/heimdal-include-support

Changed in kerberos-configs (Debian):
status: Unknown → New