On Tue, 13 Feb 2024, David L wrote:
I realized I have a couple more questions.

For 'Cloud' Kerberos reference I assume you mean what Steve Syfuhs
describes here: https://syfuhs.net/how-azure-ad-kerberos-works

Yes.  I think I'm using a newer name.  For a little bit they called it Cloud 
Business Kerberos too.

The way Kerberos support is built into Azure AD/Entra ID is by
introducing a virtual realm (per-tenant) where access to its KDCs is
given over the MS-KKDCP (KDC proxy) protocol. This part is already supported
by MIT Kerberos and can be configured easily. We use it in production in

However, there is one part that is missing currently. In order to talk
to that KDC, a machine needs to be joined to Entra ID and be capable of
requesting and processing a primary resource token (PRT) associated with such
join. When PRT is requested, one can ask for a TGT too (two, actually)

OK, I'm confused.  Can you please clarify what can be done right now and what 
cannot be done right now?

In particular:
1.  Right now, can SSSD auth to Entra if SSSD has been domain joined to
an on-prem that is sync'ing with Entra (or whatever other requirements
you need)?

Depends on whether this machine is part of RHEL IdM environment or not.
RHEL IdM can authenticate to Entra ID. This authentication process will
obtain a Kerberos ticket from RHEL IdM realm. This has nothing to do
with 'Cloud' Kerberos that Entra ID provides but authorization would be
done by Entra ID OAuth2 end-point.

Other situations: currently no.


1b.  If no to 1, is this part of what David M is working on?

Not exactly, but the work on Entra ID join is required to have individual
machines joined to Entra ID.

2.  Right now, can SSSD domain join to Entra?
2b.  If no to 1, is this part of what David M is working on?

No and no.

There are independent bits and pieces of a bigger puzzle that need to be
worked on; they are done by different groups, but altogether they
contribute to the same goal. Most of the specifications aren't
written yet or aren't documented publicly, so regardless of the projects
being done, discovering all that information is crucial.

What is your interest in all this? Are you willing to help with
the development effort around OAuth2 authentication and identity
management?



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
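As an added illustration of the MS-KKDCP piece that Alexander says MIT Kerberos already supports (this is example code written for this note, not code from the thread, from SSSD or from MIT Kerberos): on the MIT client side the proxy is enabled purely by configuration, by listing an `https://` URL in the realm's `kdc` setting in krb5.conf (for example `kdc = https://proxy.example.test/KdcProxy`). Underneath, each Kerberos request is wrapped in a small DER structure, KDC-PROXY-MESSAGE, and POSTed to that URL with `Content-Type: application/kerberos`. The script below encodes and decodes that structure and rejects a frame whose embedded length prefix disagrees with the payload; the payload bytes and the realm name EXAMPLE.TEST are constructed placeholders, not values from the thread.

```python
"""Added example (not code from the sssd-devel thread, SSSD or MIT Kerberos):
a minimal encoder/decoder for the MS-KKDCP KDC-PROXY-MESSAGE, the DER
structure a KDC proxy client POSTs over HTTPS so that a KDC reachable only
through the proxy can answer AS/TGS exchanges.

    KDC-PROXY-MESSAGE ::= SEQUENCE {
        kerb-message   [0] OCTET STRING,            -- 4-byte length + KRB message
        target-domain  [1] KerberosString OPTIONAL, -- realm the proxy should route to
        dclocator-hint [2] INTEGER OPTIONAL }
"""
import struct
from typing import Optional

# Constructed placeholder standing in for a real AS-REQ; the proxy never
# inspects the Kerberos payload, only the framing around it.
SAMPLE_KERB_MSG = b"constructed-AS-REQ-placeholder"


# --- tiny DER helpers (only what this structure needs) ---------------------

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    """Minimal two's-complement content octets for a non-negative INTEGER."""
    if value < 0:
        raise ValueError("dclocator-hint must be non-negative")
    return value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:end], end


def encode_kdc_proxy_message(kerb_message: bytes, target_domain: Optional[str] = None,
                             dclocator_hint: Optional[int] = None) -> bytes:
    """Wrap a raw KRB-KDC-REQ in KDC-PROXY-MESSAGE (explicit context tags)."""
    framed = struct.pack(">I", len(kerb_message)) + kerb_message  # TCP-style framing
    parts = _tlv(0xA0, _tlv(0x04, framed))
    if target_domain is not None:
        parts += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))  # GeneralString
    if dclocator_hint is not None:
        parts += _tlv(0xA2, _tlv(0x02, _der_int(dclocator_hint)))
    return _tlv(0x30, parts)


def decode_kdc_proxy_message(data: bytes) -> dict:
    """Parse KDC-PROXY-MESSAGE strictly: ordered tags, no trailing bytes,
    and the 4-byte length prefix inside kerb-message must match the payload."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single SEQUENCE")
    result = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos, last_idx = 0, -1
    while pos < len(body):
        ctag, cbody, pos = _read_tlv(body, pos)
        idx = ctag - 0xA0
        if (ctag & 0xE0) != 0xA0 or idx > 2 or idx <= last_idx:
            raise ValueError("unexpected, repeated or out-of-order field tag")
        last_idx = idx
        itag, ibody, iend = _read_tlv(cbody, 0)
        if iend != len(cbody):
            raise ValueError("trailing bytes inside explicit tag")
        if idx == 0:
            if itag != 0x04 or len(ibody) < 4:
                raise ValueError("kerb-message must be an OCTET STRING with a length prefix")
            (n,) = struct.unpack(">I", ibody[:4])
            if n != len(ibody) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            result["kerb_message"] = ibody[4:]
        elif idx == 1:
            if itag != 0x1B:
                raise ValueError("target-domain must be a KerberosString")
            result["target_domain"] = ibody.decode("ascii")
        else:
            if itag != 0x02:
                raise ValueError("dclocator-hint must be an INTEGER")
            result["dclocator_hint"] = int.from_bytes(ibody, "big", signed=True)
    if result["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return result


if __name__ == "__main__":
    wire = encode_kdc_proxy_message(SAMPLE_KERB_MSG, "EXAMPLE.TEST", 0)
    print("POST body (%d bytes): %s" % (len(wire), wire.hex()))
    print(decode_kdc_proxy_message(wire))
```

The decoder is deliberately strict (single SEQUENCE, tags in order, no trailing data, length prefix cross-checked) because a proxy or KDC sits on the unauthenticated side of the exchange and should drop malformed wrappers before any Kerberos parsing happens.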