Thank you. After creating the keytab with `ipa-getkeytab -p 3CXPBX/3cx04.domain.com -k 3cxpbx.keytab` and moving it to the right location on the machine (the Debian host didn't have ipa-getkeytab), the ipa ping now works:
phonesystem@3cx04:/home/user$ GSS_USE_PROXY=yes ipa ping
--------------------------------------------
IPA server version 4.11.1. API version 2.253
--------------------------------------------
Thank you for your advice!
--
Djerk Geurts
On 21 May 2024, at 15:17, Djerk Geurts <djerk(a)maizymoo.com> wrote:
Great in depth detail, I'm learning loads from you.
So, am I right in deducing that this would mean the keytab is manually populated, not
generated by gssproxy? Sorry, feeling like a real noob here ...
Thanks,
Djerk Geurts
On 21 May 2024, at 13:25, Christian Heimes <cheimes(a)redhat.com> wrote:
>
> On 21/05/2024 13.11, Djerk Geurts wrote:
>> Thank you, that’s really helpful, especially how to test.
>>
>> For the 3CX service I do indeed need to add the GSS_USE_PROXY=yes, but
>> as a side note, I’ll need to work out which service needs it as there
>> are many daemons that make up 3CX. Anyway, this is on my todo list.
>>
>> What I need to do first is create a Service Principal for this service
>> to use. The GSS proxy config references the local uid, but how does it
>> match the SPN? I guess I’m not clear on the service name as the host
>> and REALM parts are straight forward. Is the username used for this?
>> If so the SPN should be phonesystem/FQDN@REALM, as the uid is a
>> number, so can I assume that the local machine uses the local account
>> name belonging to the uid for this?
>
> GSS-Proxy uses the power of Unix sockets. "GSS_USE_PROXY=yes" enables
> the interposer library in the client. The interposer intercepts
> some GSS-API calls and forwards them to GSS-Proxy's Unix domain socket.
> The proxy daemon uses getsockopt() with SO_PEERCRED to get the euid and
> egid of the client from the Linux kernel. In your case, it maps euid 998
> to "service/3CXPBX" and "3cxpbx.keytab". In client keytab mode,
> GSS-Proxy then uses the SPN of the first keytab slot. The keytab
> contains the SPN:
>
> # ktutil
> ktutil: rkt /var/lib/ipa/gssproxy/http.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- -------------------------------------
>    1    1 HTTP/server.ipa-hcc.test@IPA-HCC.TEST
>    2    1 HTTP/server.ipa-hcc.test@IPA-HCC.TEST
>    3    1 HTTP/server.ipa-hcc.test@IPA-HCC.TEST
>    4    1 HTTP/server.ipa-hcc.test@IPA-HCC.TEST
>
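The euid-to-keytab mapping Christian describes above, as an added example that is neither gssproxy's own code nor code from either poster: a small Python model that parses a gssproxy-style config, reads the peer's credentials from an AF_UNIX socket with the same SO_PEERCRED call the daemon uses, and picks the [service/...] section whose euid matches. The config text, the section name, the euid and the keytab paths are constructed for the example; the parser and the lookup are simplified re-implementations, and only numeric euid values are handled (an assumption of this model, not a statement about gssproxy's config grammar).

```python
import os
import socket
import struct

# Constructed gssproxy-style configuration for this example; the section
# name, euid and paths are assumptions modelled on the thread, not a file
# taken from the original post.
SAMPLE_CONFIG = """
[gssproxy]
  debug = false

[service/3CXPBX]
  mechs = krb5
  euid = 998
  cred_store = client_keytab:/var/lib/gssproxy/clients/3cxpbx.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_usage = initiate
"""


def parse_gssproxy_conf(text):
    """Minimal parser for gssproxy's INI-like syntax (simplified re-implementation).

    Keys may repeat within a section (cred_store usually does), so every
    value is kept in a list.  Returns {section: {key: [values...]}}.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def peer_credentials(conn):
    """Ask the kernel who is on the other end of an AF_UNIX socket.

    SO_PEERCRED fills a struct ucred {pid_t pid; uid_t uid; gid_t gid;},
    three C ints on Linux.  The uid/gid are the peer's *effective* ids as
    recorded by the kernel, so the client cannot claim to be someone else.
    Linux only: SO_PEERCRED is not available on other platforms.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return {"pid": pid, "euid": uid, "egid": gid}


def select_service(sections, euid):
    """Pick the [service/...] section whose euid matches the peer.

    Returns (section_name, client_keytab_path); the path is None when the
    section has no client_keytab cred_store.  Returns None when no section
    matches.  Only numeric euid values are understood in this model.
    """
    for name, opts in sections.items():
        if not name.startswith("service/"):
            continue
        if str(euid) not in opts.get("euid", []):
            continue
        keytab = None
        for store in opts.get("cred_store", []):
            kind, _, path = store.partition(":")
            if kind == "client_keytab":
                keytab = path
                break
        return name, keytab
    return None


def resolve_peer_to_keytab(conn, config_text=SAMPLE_CONFIG):
    """Per-connection work of the daemon: peer euid -> service -> keytab."""
    creds = peer_credentials(conn)
    match = select_service(parse_gssproxy_conf(config_text), creds["euid"])
    return creds, match


def peer_is_this_process(creds):
    """True when the credentials name the calling process (used by demo())."""
    return creds["euid"] == os.geteuid() and creds["pid"] == os.getpid()


def demo():
    """Run the lookup over a socketpair, so the 'client' is this very process."""
    client_end, proxy_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        creds, match = resolve_peer_to_keytab(proxy_end)
    finally:
        client_end.close()
        proxy_end.close()
    print("kernel says peer euid=%d egid=%d pid=%d" % (creds["euid"], creds["egid"], creds["pid"]))
    print("matching service:", match)
    return creds, match


if __name__ == "__main__":
    demo()
```

Run as uid 998 the demo reports the 3CXPBX section and its client keytab; run as anyone else it reports no match, which is the behaviour to expect from the real daemon when the wrong 3CX process (or a process under the wrong uid) picks up GSS_USE_PROXY=yes. The security point is that the uid comes from the kernel, not from the client, so the mapping is only as trustworthy as the uid itself: the ownership of the keytab file and which local account each 3CX daemon actually runs under are what decide who can obtain that service's tickets.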