Hello Sumit,

thank you! I was aware of that nginx module but was striving to get PAM + SSSD for a more robust, maintained solution - so i did not yet test it.

TL;dr i tested it with the spengo module and it works without issues - so that one at least.

Now my question, as far as i understad SSS supports GSSAPI in general, e.g. for SSH. That said, when setting up nginx + pam + sssd, which one is "not supporting GSSAPI"?
Or is it more the special implementation of "GSSAPI over HTTP" => spengo which nginx_pam does not support? I mean it would basically be part of the webserver to deal with SPENGO - pam / sssd will not able to implement that layer. PAM should return not-authorized, then nginx_pam should send WWW...negotiate .. if the client answeres with any proper header pass this down to pam again (unpack first from base64 .. ).

So i suppose that is the very reason sssd cannot implement this at all - it was the wrong way to go about it.

If i got it wrong, please correct me :)

Pitty i am not able to use sss for kerb now ;/

Best

Eugen  

On 16. January 2019 at 13:43:45, Sumit Bose (sbose@redhat.com) wrote:

On Wed, Jan 16, 2019 at 01:26:51PM +0100, Eugen Mayer wrote:
> Hello,
>
> i am really struggling to understand if what i am trying to do is actually something that is supported by SSD in that terms.
>
> I have a lab setup with a Windows Server 2012 with a konfigured KDC, DNS, NTP .. keytab, spn.
>
> This setup already works for apache+mod_kerb_auth for both cases, auto-negotiation of existing tickets. So i can do kinit + curl --negotiate on a client and get pass the authentication.
>
> Now i am trying to replace apache with nginx with this case. I want to use nginx_pam, and then forward this to sssd using pam_sss.
>
> My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL
>
> I see that the AD access works using GSSAPI authentication using the provided keytab file, but when a client request though nginx is handled, i see something that sssd is trying to lookup www-data@KWTEST.LOCAL out of any reason.
>
> I would have expected that it uses the HOST requested by the client, like HTTP/mywebservice.lan@KWTEST.LOCAL - in mod_auth_kerb one can set the SPN to use, i am not sure how this is intended in sssd and that is my actual question.
>
> - Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active client krb tokens)

No, what you are looking for is GSSAPI support and it looks like
https://github.com/stnoonan/spnego-http-auth-nginx-module might be a
suitable module.

HTH

bye,
Sumit

> - What SPN is used when pam calls SSSD?
>
> I hope i could explain this at least a little ;/
>
> Thank you
>
> Eugen

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org