[SSSD-users] SSSD with Kerberos for SPENGO ( Nginx + pam + sss + sss_krb )

Hello, i am really struggling to understand if what i am trying to do is actually something that is supported by SSD in that terms. I have a lab setup with a Windows Server 2012 with a konfigured KDC, DNS, NTP .. keytab, spn. This setup already works for apache+mod_kerb_auth for both cases, auto-negotiation of existing tickets. So i can do kinit + curl --negotiate on a client and get pass the authentication. Now i am trying to replace apache with nginx with this case. I want to use nginx_pam, and then forward this to sssd using pam_sss. My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL I see that the AD access works using GSSAPI authentication using the provided keytab file, but when a client request though nginx is handled, i see something that sssd is trying to lookup www-data(a)KWTEST.local out of any reason. I would have expected that it uses the HOST requested by the client, like HTTP/mywebservice.lan(a)KWTEST.local - in mod_auth_kerb one can set the SPN to use, i am not sure how this is intended in sssd and that is my actual question. - Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active client krb tokens) - What SPN is used when pam calls SSSD? I hope i could explain this at least a little ;/ Thank you Eugen