Ex-Windows admin here; wrapping my head around PAM/SSSD has been quite tough!

I have successfully managed to get pam_sss working with

   - login for a specific application, RStudio Server (/etc/pam.d/rstudio)
   - containerized Ubuntu
   - LDAP/krb5 auth
   - against Microsoft Active Directory
   - without domain join via realmd (so all hand-configured, ouch)

The problem is with reuse of the ticket. I can't work out how it works...

I would like to configure pam_mount and ODBC to use the same Kerberos
ticket that was generated by the pam_sss module.

So:

pam_sss creates a ticket with the following naming, which *cannot be used by
the "mount" command*:

/tmp/krb5cc_uid_xxxx

However, if I manually use kinit, it creates a ticket with the naming below,
which *can easily be reused from the "mount" command*:

/tmp/krb5cc_uid

The naming that pam_sss uses seems to be standard, but again I just can't
work out how that should be "discoverable" by any other services looking
for a ticket, when it has the wrong naming...

Some links:

This seems to be where the pam_sss naming is defined, by a build flag
--with-default-ccname-template:

https://github.com/SSSD/sssd/blob/master/src/conf_macros.m4#L337

I want to integrate it into pam_mount to mount a CIFS drive, which (I
think) is SMB, so it will be able to use the cifs.upcall library.

And the way cifs.upcall resolves tickets is somewhere here, in
get_cachename_from_process_env:

https://github.com/aaptel/cifs-utils/blob/master/cifs.upcall.c#L260

I also want to get the MSSQL ODBC driver to use the ticket as well...
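The "discoverability" question in the post comes down to one lookup rule: a Kerberos consumer (libkrb5 on behalf of an ODBC driver, or cifs.upcall scanning the mounting process's environment) first honours KRB5CCNAME and only falls back to the default template, which for MIT Kerberos is FILE:/tmp/krb5cc_<uid> unless krb5.conf sets default_ccache_name. A cache named /tmp/krb5cc_<uid>_XXXX is therefore only found by a process whose environment carries KRB5CCNAME pointing at it. The following script is an added illustration written for this thread; it is not code from the post, from SSSD, or from cifs-utils. The function names, the constructed sample environment block, and the cache path /tmp/krb5cc_1000_XyZ are assumptions made for the example; the template string and the /proc/<pid>/environ format are standard Linux and MIT Kerberos behaviour.

```python
"""Added example: how a Kerberos consumer locates a credential cache, and why a
pam_sss-style cache (/tmp/krb5cc_<uid>_XXXX) is invisible unless KRB5CCNAME
names it.  Not part of the sssd-users post, SSSD, or cifs-utils."""
import os

# MIT Kerberos default ccache name when krb5.conf sets no default_ccache_name.
DEFAULT_CCNAME_TEMPLATE = "FILE:/tmp/krb5cc_%{uid}"


def expand_template(template: str, uid: int) -> str:
    """Expand the %{uid} token used by krb5.conf / SSSD ccname templates."""
    return template.replace("%{uid}", str(uid))


def strip_file_prefix(ccname: str) -> str:
    """'FILE:/tmp/x' -> '/tmp/x'; a bare path is returned unchanged."""
    return ccname[len("FILE:"):] if ccname.startswith("FILE:") else ccname


def resolve_ccache(env: dict, uid: int,
                   template: str = DEFAULT_CCNAME_TEMPLATE) -> str:
    """Lookup order libkrb5 follows: KRB5CCNAME first, then the default template."""
    ccname = env.get("KRB5CCNAME") or expand_template(template, uid)
    return strip_file_prefix(ccname)


def parse_proc_environ(blob: bytes) -> dict:
    """Parse a /proc/<pid>/environ block (NUL-separated KEY=VALUE entries).

    This is the same data cifs.upcall's get_cachename_from_process_env reads to
    find the KRB5CCNAME of the process that issued the mount.
    """
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def ccache_for_pid(pid: int, uid: int) -> str:
    """Resolve the ccache a given live process would use (Linux /proc only)."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        return resolve_ccache(parse_proc_environ(f.read()), uid)


def is_discoverable(cache_path: str, env: dict, uid: int) -> bool:
    """True when a consumer running with `env` would land on `cache_path`."""
    return resolve_ccache(env, uid) == cache_path


if __name__ == "__main__":
    uid = 1000  # constructed uid for the demonstration
    sss_style = f"/tmp/krb5cc_{uid}_XyZ"   # assumed pam_sss-style cache name
    kinit_style = f"/tmp/krb5cc_{uid}"     # what a plain `kinit` produces

    # Constructed /proc/<pid>/environ contents for a hypothetical session
    # where the PAM environment (with KRB5CCNAME) was exported to the process.
    exported = parse_proc_environ(
        b"HOME=/home/user\0KRB5CCNAME=FILE:/tmp/krb5cc_1000_XyZ\0PATH=/usr/bin\0")
    # ...and for a process that never received KRB5CCNAME.
    bare = parse_proc_environ(b"HOME=/home/user\0PATH=/usr/bin\0")

    print("with KRB5CCNAME exported  ->", resolve_ccache(exported, uid))
    print("without KRB5CCNAME        ->", resolve_ccache(bare, uid))
    print("pam_sss cache discoverable without KRB5CCNAME?",
          is_discoverable(sss_style, bare, uid))
    print("kinit cache discoverable without KRB5CCNAME?",
          is_discoverable(kinit_style, bare, uid))
    try:
        print("this process would use   ->", ccache_for_pid(os.getpid(), os.getuid()))
    except OSError:
        pass  # /proc is not available on this platform
```

Running it shows the two outcomes the post observed: the kinit-style cache is found with no environment at all, while the pam_sss-style cache is found only by a process whose /proc/<pid>/environ carries KRB5CCNAME. The practical check on a real box is therefore `cat /proc/<pid>/environ | tr '\0' '\n' | grep KRB5CCNAME` for the process that will call mount or open the ODBC connection; if the variable is absent there, the PAM environment was not propagated to that process and the consumer falls back to /tmp/krb5cc_<uid>.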
_______________________________________________
sssd-users mailing list -- [email protected]