On Thu, Jan 17, 2019 at 09:01:53AM +0100, Eugen Mayer wrote:
> Hello Sumit,
> 
> thank you! I was aware of that nginx module but was striving to get PAM +
> SSSD for a more robust, maintained solution - so I did not yet test it.
> 
> TL;DR I tested it with the SPNEGO module and it works without issues - so
> that one at least.
> 
> Now my question, as far as I understand SSS supports GSSAPI in general, e.g.
> for SSH. That said, when setting up nginx + pam + sssd, which one is "not
> supporting GSSAPI"?

SSSD does not support GSSAPI at this point at all. With ssh it is sshd
which supports GSSAPI. Please note that GSSAPI offers more than "just"
authentication, it offers encrypted communication as well which is one
of the main reasons that it has to be supported by the service (sshd,
httpd) itself and cannot be delegated to e.g. PAM.

What might be confusing with ssh is that sshd might still use PAM for
authorization, i.e. checking if the authenticated user is allowed to
access the system. GSSAPI has no means to do authorization checks, hence
a different mechanism, e.g. PAM, .htaccess files, etc., is needed for
this.

HTH

bye,
Sumit

> Or is it more the special implementation of "GSSAPI over HTTP" => SPNEGO
> which nginx_pam does not support? I mean it would basically be part of the
> webserver to deal with SPNEGO - pam / sssd will not be able to implement that
> layer. PAM should return not-authorized, then nginx_pam should send
> WWW...negotiate .. if the client answers with any proper header pass this
> down to pam again (unpack first from base64 .. ).
> 
> So I suppose that is the very reason sssd cannot implement this at all - it
> was the wrong way to go about it.
> 
> If I got it wrong, please correct me :)
> 
> Pity I am not able to use sss for kerb now ;/
> 
> Best
> 
> Eugen
> On 16. January 2019 at 13:43:45, Sumit Bose ([email protected]) wrote:
> 
> On Wed, Jan 16, 2019 at 01:26:51PM +0100, Eugen Mayer wrote:  
> > Hello,  
> >  
> > I am really struggling to understand if what I am trying to do is actually
> > something that is supported by SSSD in those terms.
> >
> > I have a lab setup with a Windows Server 2012 with a configured KDC, DNS,
> > NTP .. keytab, SPN.
> >
> > This setup already works for apache+mod_auth_kerb for both cases,
> > auto-negotiation of existing tickets. So I can do kinit + curl --negotiate
> > on a client and get past the authentication.
> >
> > Now I am trying to replace apache with nginx in this case. I want to use
> > nginx_pam, and then forward this to sssd using pam_sss.
> >
> > My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL
> >
> > I see that the AD access works using GSSAPI authentication using the
> > provided keytab file, but when a client request through nginx is handled, I
> > see that sssd is trying to look up [email protected] for whatever
> > reason.
> >
> > I would have expected that it uses the HOST requested by the client, like
> > HTTP/[email protected] - in mod_auth_kerb one can set the SPN
> > to use; I am not sure how this is intended in sssd and that is my actual
> > question.
> >
> > - Can SSSD offer "negotiation" through pam ... nginx at all? (reusing
> > active client krb tokens)
> 
> No, what you are looking for is GSSAPI support and it looks like  
> https://github.com/stnoonan/spnego-http-auth-nginx-module might be a  
> suitable module.  
> 
> HTH  
> 
> bye,  
> Sumit  
> 
> > - What SPN is used when pam calls SSSD?
> >
> > I hope I could explain this at least a little ;/
> >
> > Thank you
> >
> > Eugen
> 
> > _______________________________________________  
> > sssd-users mailing list -- [email protected]  
> > To unsubscribe send an email to [email protected]  
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html  
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines  
> > List Archives: 
> > https://lists.fedorahosted.org/archives/list/[email protected]
> >   

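The server-side half of the HTTP Negotiate exchange this thread describes (the `WWW-Authenticate: Negotiate` challenge, the base64 token the client sends back, the hand-off to a GSSAPI acceptor, and then a separate authorization step), as an added example that is not part of the original thread and not code from nginx, SSSD, pam_sss or the spnego-http-auth-nginx-module. `demo_acceptor`, the principal names and `ALLOWED_PRINCIPALS` are constructed stand-ins: a real acceptor (the web server's GSSAPI library with the `HTTP/<host>` key from the service keytab) validates the Kerberos ticket inside the token; here the bytes after the mechanism OID are simply taken as the principal so the flow can run offline. The token framing check follows RFC 2743 section 3.1.

```python
import base64

# DER-encoded mechanism OIDs that may follow the 0x60 tag of a GSS-API initial
# context token (RFC 2743 3.1). NTLM blobs ("NTLMSSP\0...") lack this framing.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f71201020202")  # 1.2.840.113554.1.2.2

# Constructed allow-list standing in for the authorization mechanism (PAM,
# .htaccess, ...) that must run after GSSAPI authentication has succeeded.
ALLOWED_PRINCIPALS = {"alice@KWTEST.LOCAL"}


def _der_length(buf, i):
    """Parse a DER length at buf[i]; return (length, index_after) or None."""
    if i >= len(buf):
        return None
    first, i = buf[i], i + 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4 or i + n > len(buf):
        return None
    return int.from_bytes(buf[i:i + n], "big"), i + n


def gss_token_mech(token):
    """Return 'spnego', 'krb5' or None for a raw GSS-API initial context token."""
    if not token or token[0] != 0x60:
        return None
    parsed = _der_length(token, 1)
    if parsed is None:
        return None
    length, body_start = parsed
    if length != len(token) - body_start:   # declared length must match the body
        return None
    body = token[body_start:]
    if body.startswith(SPNEGO_OID):
        return "spnego"
    if body.startswith(KRB5_OID):
        return "krb5"
    return None


def build_initial_token(oid, payload):
    """Frame oid+payload as a GSS-API initial context token (for sample input)."""
    body = oid + payload
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return b"\x60" + length + body


def decode_negotiate_blob(blob):
    """Base64-decode the part after 'Negotiate '; None if it is not valid base64."""
    try:
        return base64.b64decode(blob.strip(), validate=True)
    except ValueError:                      # binascii.Error subclasses ValueError
        return None


def demo_acceptor(token):
    """Constructed stand-in for a GSSAPI acceptor: returns (principal, out_token).
    A real acceptor verifies the Kerberos AP-REQ against the service keytab;
    this one takes the bytes after the mechanism OID as the principal."""
    mech = gss_token_mech(token)
    if mech is None:
        return None, None
    oid = SPNEGO_OID if mech == "spnego" else KRB5_OID
    body_start = _der_length(token, 1)[1]
    principal = token[body_start + len(oid):].decode("utf-8", "replace")
    return (principal or None), b""


def handle_request(headers, accept_sec_context=demo_acceptor,
                   is_authorized=ALLOWED_PRINCIPALS.__contains__):
    """One server-side step of the HTTP Negotiate flow; returns (status, headers)."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "negotiate":
        return 401, {"WWW-Authenticate": "Negotiate"}   # challenge the client
    token = decode_negotiate_blob(blob)
    if token is None or gss_token_mech(token) is None:
        return 400, {}                      # not a GSS token: never pass it on
    principal, out_token = accept_sec_context(token)
    resp = {}
    if out_token:                           # mutual-auth / continue-needed reply
        resp["WWW-Authenticate"] = "Negotiate " + base64.b64encode(out_token).decode()
    if principal is None:
        return 401, resp                    # authentication not (yet) complete
    if not is_authorized(principal):
        return 403, resp                    # authenticated, but not authorized
    return 200, resp


def negotiate_header(principal):
    """Client-side Authorization header value for a constructed sample principal."""
    token = build_initial_token(SPNEGO_OID, principal.encode())
    return "Negotiate " + base64.b64encode(token).decode()


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": negotiate_header("alice@KWTEST.LOCAL")},
                 {"Authorization": negotiate_header("bob@KWTEST.LOCAL")}):
        print(hdrs, "->", handle_request(hdrs))
```

The 401/403 split is the point Sumit makes about sshd: the GSSAPI acceptor only answers "who is this", and whether that principal may use the service is a second decision taken by something else (here the allow-list, in practice PAM or a file-based rule). The framing check also shows why the token has to be handled by the web server: it is a binary GSS-API message inside an HTTP header, not a password that a PAM stack could be asked to verify.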