On Mon, 12 Feb 2024, David L wrote:
> Does SSSD work with Microsoft's newish Cloud Kerberos? If not, are there any plans to?
It is not really SSSD's task in itself, so yes and no and yes. :)

For the 'Cloud' Kerberos reference I assume you mean what Steve Syfuhs describes here: https://syfuhs.net/how-azure-ad-kerberos-works

The way Kerberos support is built into Azure AD/Entra ID is by introducing a virtual realm (per-tenant) where access to its KDCs is given over the MS-KKDCP (KDC proxy) protocol. This part is already supported by MIT Kerberos and can be configured easily. We have used it in production in FreeIPA for years; all Fedora contributors use it to obtain their Kerberos tickets when managing their RPM package builds.

However, there is one part that is missing currently. In order to talk to that KDC, a machine needs to be joined to Entra ID and be capable of requesting and processing a primary resource token (PRT) associated with such a join. When a PRT is requested, one can ask for a TGT too (two, actually) and they will be returned on behalf of the user. This part is not implemented.

David Mulder (SUSE and Samba Team) is working on an implementation of that for Samba join to Entra ID; a draft merge request is available at https://gitlab.com/samba-team/samba/-/merge_requests/3394. This is far from being usable code yet, and retrieving a special key for Kerberos operations is missing there.

We are working as a community on a more generic integration with OAuth2-based environments. The "Cloud" Kerberos thing you see in Entra ID is part of it, so 'yes' for plans, but no specific timeline is there at the moment.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
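The MS-KKDCP part that the reply says MIT Kerberos already supports looks like this on the client side. The krb5.conf fragment below is an added example, not configuration from the thread, from FreeIPA or from Microsoft; the realm name, the proxy hostname and the CA bundle path are placeholders. FreeIPA does serve its proxy at the /KdcProxy path, but the Entra ID endpoint and the PRT-derived TGT exchange described in the reply are not covered here, because that is exactly the piece the reply says is still missing.

```ini
# Added example (not from the mailing list thread): MIT Kerberos client
# configuration that reaches a realm's KDC through an MS-KKDCP proxy.
# EXAMPLE.TEST, ipa.example.test and the CA bundle path are placeholders.
[libdefaults]
    default_realm = EXAMPLE.TEST
    # The KDC is reached over HTTPS, so do not look for SRV records
    # pointing at plain UDP/TCP KDCs
    dns_lookup_kdc = false

[realms]
    EXAMPLE.TEST = {
        # MS-KKDCP endpoint: Kerberos messages are wrapped in HTTPS POSTs
        # (MIT krb5 accepts https:// URLs here since 1.13; FreeIPA exposes
        # its proxy under /KdcProxy)
        kdc = https://ipa.example.test/KdcProxy
        kpasswd_server = https://ipa.example.test/KdcProxy
        # CA chain used to validate the proxy's TLS certificate. Leaving
        # this out falls back to the system trust store; pinning it keeps
        # a compromised or unexpected CA from standing in for the proxy.
        http_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    }
```

With this in place `kinit user@EXAMPLE.TEST` followed by `klist` should show a TGT obtained without any direct port 88 traffic; on the wire the only connection is TLS to the proxy host, which is what lets the proxy sit on a hardened edge while the real KDC stays unreachable from outside. For the Entra ID virtual realm the reply is clear that a plain krb5.conf is not enough: the TGT comes back alongside the PRT from a device joined to the tenant, so the client also needs that join and token handling, which is the work in progress it points to.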