6:26 a.m.
Hello,
i am really struggling to understand if what i am trying to do is actually something that
is supported by SSD in that terms.
I have a lab setup with a Windows Server 2012 with a konfigured KDC, DNS, NTP .. keytab,
spn.
This setup already works for apache+mod_kerb_auth for both cases, auto-negotiation of
existing tickets. So i can do kinit + curl --negotiate on a client and get pass the
authentication.
Now i am trying to replace apache with nginx with this case. I want to use nginx_pam, and
then forward this to sssd using pam_sss.
My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL
I see that the AD access works using GSSAPI authentication using the provided keytab file,
but when a client request though nginx is handled, i see something that sssd is trying to
lookup www-data(a)KWTEST.local out of any reason.
I would have expected that it uses the HOST requested by the client, like
HTTP/mywebservice.lan(a)KWTEST.local - in mod_auth_kerb one can set the SPN to use, i am not
sure how this is intended in sssd and that is my actual question.
- Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active
client krb tokens)
- What SPN is used when pam calls SSSD?
I hope i could explain this at least a little ;/
Thank you
Eugen
6:43 a.m.
New subject: SSSD with Kerberos for SPENGO ( Nginx + pam + sss + sss_krb )
On Wed, Jan 16, 2019 at 01:26:51PM +0100, Eugen Mayer wrote:
Hello,
i am really struggling to understand if what i am trying to do is actually something that
is supported by SSD in that terms.
I have a lab setup with a Windows Server 2012 with a konfigured KDC, DNS, NTP .. keytab,
spn.
This setup already works for apache+mod_kerb_auth for both cases, auto-negotiation of
existing tickets. So i can do kinit + curl --negotiate on a client and get pass the
authentication.
Now i am trying to replace apache with nginx with this case. I want to use nginx_pam, and
then forward this to sssd using pam_sss.
My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL
I see that the AD access works using GSSAPI authentication using the provided keytab
file, but when a client request though nginx is handled, i see something that sssd is
trying to lookup www-data(a)KWTEST.local out of any reason.
I would have expected that it uses the HOST requested by the client, like
HTTP/mywebservice.lan(a)KWTEST.local - in mod_auth_kerb one can set the SPN to use, i am not
sure how this is intended in sssd and that is my actual question.
- Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active
client krb tokens)
No, what you are looking for is GSSAPI support and it looks like
https://github.com/stnoonan/spnego-http-auth-nginx-module might be a
suitable module.
HTH
bye,
Sumit
- What SPN is used when pam calls SSSD?
I hope i could explain this at least a little ;/
Thank you
Eugen
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
2:01 a.m.
New subject: SSSD with Kerberos for SPENGO ( Nginx + pam + sss + sss_krb )
Hello Sumit,
thank you! I was aware of that nginx module but was striving to get PAM + SSSD for a more
robust, maintained solution - so i did not yet test it.
TL;dr i tested it with the spengo module and it works without issues - so that one at
least.
Now my question, as far as i understad SSS supports GSSAPI in general, e.g. for SSH. That
said, when setting up nginx + pam + sssd, which one is "not supporting GSSAPI"?
Or is it more the special implementation of "GSSAPI over HTTP" => spengo
which nginx_pam does not support? I mean it would basically be part of the webserver to
deal with SPENGO - pam / sssd will not able to implement that layer. PAM should return
not-authorized, then nginx_pam should send WWW...negotiate .. if the client answeres with
any proper header pass this down to pam again (unpack first from base64 .. ).
So i suppose that is the very reason sssd cannot implement this at all - it was the wrong
way to go about it.
If i got it wrong, please correct me :)
Pitty i am not able to use sss for kerb now ;/
Best
Eugen
On 16. January 2019 at 13:43:45, Sumit Bose (sbose(a)redhat.com) wrote:
On Wed, Jan 16, 2019 at 01:26:51PM +0100, Eugen Mayer wrote:
Hello,
i am really struggling to understand if what i am trying to do is actually something that
is supported by SSD in that terms.
I have a lab setup with a Windows Server 2012 with a konfigured KDC, DNS, NTP .. keytab,
spn.
This setup already works for apache+mod_kerb_auth for both cases, auto-negotiation of
existing tickets. So i can do kinit + curl --negotiate on a client and get pass the
authentication.
Now i am trying to replace apache with nginx with this case. I want to use nginx_pam, and
then forward this to sssd using pam_sss.
My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL
I see that the AD access works using GSSAPI authentication using the provided keytab
file, but when a client request though nginx is handled, i see something that sssd is
trying to lookup www-data(a)KWTEST.local out of any reason.
I would have expected that it uses the HOST requested by the client, like
HTTP/mywebservice.lan(a)KWTEST.local - in mod_auth_kerb one can set the SPN to use, i am not
sure how this is intended in sssd and that is my actual question.
- Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active
client krb tokens)
No, what you are looking for is GSSAPI support and it looks like
https://github.com/stnoonan/spnego-http-auth-nginx-module might be a
suitable module.
HTH
bye,
Sumit
- What SPN is used when pam calls SSSD?
I hope i could explain this at least a little ;/
Thank you
Eugen
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
2:23 a.m.
New subject: SSSD with Kerberos for SPENGO ( Nginx + pam + sss + sss_krb )
On Thu, Jan 17, 2019 at 09:01:53AM +0100, Eugen Mayer wrote:
Hello Sumit,
thank you! I was aware of that nginx module but was striving to get PAM + SSSD for a more
robust, maintained solution - so i did not yet test it.
TL;dr i tested it with the spengo module and it works without issues - so that one at
least.
Now my question, as far as i understad SSS supports GSSAPI in general, e.g. for SSH. That
said, when setting up nginx + pam + sssd, which one is "not supporting GSSAPI"?
SSSD does not support GSSAPI at this point at all. With ssh it is sshd
which supports GSSAPI. Please note that GSSAPI offers more than "just"
authentication, it offers encrypted communication as well which is one
of the main reasons that it has to be supported by the service (sshd,
httpd) itself and cannot be delegated to e.g. PAM.
What might be confusing with ssh is that sshd might still use PAM for
authorization, i.e. checking if the authenticated user is allowed to
access the system. GSSAPI has no means to do authorization checks hence
a different mechanism, e.g. PAM, .htaccess files etc, is needed for
this.
HTH
bye,
Sumit
Or is it more the special implementation of "GSSAPI over
HTTP" => spengo which nginx_pam does not support? I mean it would basically be
part of the webserver to deal with SPENGO - pam / sssd will not able to implement that
layer. PAM should return not-authorized, then nginx_pam should send WWW...negotiate .. if
the client answeres with any proper header pass this down to pam again (unpack first from
base64 .. ).
So i suppose that is the very reason sssd cannot implement this at all - it was the wrong
way to go about it.
If i got it wrong, please correct me :)
Pitty i am not able to use sss for kerb now ;/
Best
Eugen
On 16. January 2019 at 13:43:45, Sumit Bose (sbose(a)redhat.com) wrote:
On Wed, Jan 16, 2019 at 01:26:51PM +0100, Eugen Mayer wrote:
> Hello,
>
> i am really struggling to understand if what i am trying to do is actually something
that is supported by SSD in that terms.
>
> I have a lab setup with a Windows Server 2012 with a konfigured KDC, DNS, NTP ..
keytab, spn.
>
> This setup already works for apache+mod_kerb_auth for both cases, auto-negotiation
of existing tickets. So i can do kinit + curl --negotiate on a client and get pass the
authentication.
>
> Now i am trying to replace apache with nginx with this case. I want to use
nginx_pam, and then forward this to sssd using pam_sss.
>
> My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL
>
> I see that the AD access works using GSSAPI authentication using the provided keytab
file, but when a client request though nginx is handled, i see something that sssd is
trying to lookup www-data(a)KWTEST.local out of any reason.
>
> I would have expected that it uses the HOST requested by the client, like
HTTP/mywebservice.lan(a)KWTEST.local - in mod_auth_kerb one can set the SPN to use, i am not
sure how this is intended in sssd and that is my actual question.
>
> - Can SSSD offer "negotiation" through pam ... nginx at all? (reusing
active client krb tokens)
No, what you are looking for is GSSAPI support and it looks like
https://github.com/stnoonan/spnego-http-auth-nginx-module might be a
suitable module.
HTH
bye,
Sumit
> - What SPN is used when pam calls SSSD?
>
> I hope i could explain this at least a little ;/
>
> Thank you
>
> Eugen
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1924
days inactive
1925
days old
sssd-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Eugen Mayer -
Sumit Bose