I realized I have a couple more questions.

> For 'Cloud' Kerberos reference I assume you mean what Steve Syfuhs
> describes here: https://syfuhs.net/how-azure-ad-kerberos-works

Yes. I think I'm using a newer name. For a little bit they called it Cloud Business Kerberos too.

> The way how Kerberos support is built into Azure AD/Entra ID, is by
> introducing a virtual realm (per-tenant) where an access to its KDCs is
> given over MS-KKDCP (KDC proxy) protocol. This part is already supported
> by MIT Kerberos and can be configured easily. We use it in production in
>
> However, there is one part that is missing currently. In order to talk
> to that KDC, a machine needs to be joined to Entra ID and be capable to
> request and process primary resource token (PRT) associated with such
> join. When PRT is requested, one can ask for a TGT too (two, actually)

OK, I'm confused. Can you please clarify what can be done right now and what cannot be done right now? In particular:

1. Right now, can SSSD auth to Entra if SSSD has been domain joined to an on-prem that is sync'ing with Entra (or whatever other requirements you need)?

1b. If no to 1, is this part of what David M is working on?

2. Right now, can SSSD domain join to Entra?

2b. If no to 1, is this part of what David M is working on?

--
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
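For readers who want to see the "already supported by MIT Kerberos" part of the quoted message concretely, here is an added krb5.conf fragment that is not from the thread or from the SSSD project. It shows how MIT Kerberos (1.13 and later) is pointed at a KDC reached only through an MS-KKDCP proxy: an `https://` value for `kdc` makes libkrb5 tunnel its KDC exchanges over TLS to that proxy instead of using UDP/TCP port 88. The cloud realm name, the proxy URL and the `<tenant-id>` placeholder are assumptions taken from public Azure AD Kerberos documentation rather than from this thread, and `EXAMPLE.COM` stands in for an on-prem realm.

```ini
# Added example, not from the sssd-devel thread.
# Minimal MIT Kerberos krb5.conf reaching a cloud KDC only via MS-KKDCP.
# Realm name, proxy URL and <tenant-id> are assumed placeholders.

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    # Cloud realm: an https:// kdc value selects the KKDCP transport.
    # Replace <tenant-id> with the Entra ID tenant's GUID.
    KERBEROS.MICROSOFTONLINE.COM = {
        kdc = https://login.microsoftonline.com/<tenant-id>/kerberos
    }

    # On-prem realm, reached directly over port 88 as usual.
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

To confirm the proxy path is actually taken, run a request with tracing enabled, for example `KRB5_TRACE=/dev/stderr kinit user@KERBEROS.MICROSOFTONLINE.COM`; the trace lines show the HTTPS proxy being contacted rather than a port-88 connection. As the quoted message points out, this transport piece is only half the story: without an Entra ID join and the PRT (and the TGTs issued alongside it) the cloud KDC will not hand the machine anything useful, which is exactly the gap the follow-up questions are about.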