On Wed, Jan 16, 2019 at 01:26:51PM +0100, Eugen Mayer wrote:
> Hello,
> I am really struggling to understand if what I am trying to do is actually something that
> is supported by SSSD in those terms.
> I have a lab setup with a Windows Server 2012 with a configured KDC, DNS, NTP .. keytab,
> SPN.
> This setup already works for apache+mod_auth_kerb for both cases, auto-negotiation of
> existing tickets. So I can do kinit + curl --negotiate on a client and get past the
> authentication.
> Now I am trying to replace apache with nginx in this case. I want to use nginx_pam, and
> then forward this to sssd using pam_sss.
> My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL
> I see that the AD access works using GSSAPI authentication using the provided keytab
> file, but when a client request through nginx is handled, I see that sssd is
> trying to look up www-data@KWTEST.local for some reason.
> I would have expected that it uses the HOST requested by the client, like
> HTTP/mywebservice.lan@KWTEST.local. In mod_auth_kerb one can set the SPN to use; I am not
> sure how this is intended in sssd and that is my actual question.
> - Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active
> client krb tokens)
No, what you are looking for is GSSAPI support and it looks like
https://github.com/stnoonan/spnego-http-auth-nginx-module might be a
suitable module.
HTH
bye,
Sumit
> - What SPN is used when pam calls SSSD?
> I hope I could explain this at least a little ;/
> Thank you
> Eugen
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...