Ex-Windows admin here; wrapping my head around PAM/SSSD has been quite tough!
I have successfully managed to get pam_sss working with:
- login for a specific application, RStudio Server (/etc/pam.d/rstudio)
- containerized Ubuntu
- LDAP/krb5 auth
- against Microsoft Active Directory
- without domain join (realmd), so all hand-configured. Ouch.
The problem is with reuse of the ticket; I can't work out how it works.
I would like to configure pam_mount and ODBC to use the same Kerberos ticket that was generated by the pam_sss module.
So: pam_sss creates a ticket with the following naming, which *cannot be used by the "mount" command*:
/tmp/krb5cc_uid_xxxx
However, if I manually use kinit, it creates a ticket with the naming below, which *can easily be reused by the "mount" command*:
/tmp/krb5cc_uid
The naming that pam_sss uses seems to be standard, but again I just can't work out how that should be "discoverable" by any other service looking for a ticket when it has the wrong naming.
Some links:
This seems to be where the pam_sss naming is defined, by the build flag --with-default-ccname-template:
https://github.com/SSSD/sssd/blob/master/src/conf_macros.m4#L337
I want to integrate it into pam_mount to mount a CIFS drive, which (I think) is SMB, so it will be able to use the cifs.upcall library.
And the way cifs.upcall resolves tickets is somewhere here, in get_cachename_from_process_env:
https://github.com/aaptel/cifs-utils/blob/master/cifs.upcall.c#L260
I also want to get the MSSQL ODBC driver to use the ticket as well...
On Wed, Mar 31, 2021 at 9:38 AM Calvin Chiang calvin.chiang@gmail.com wrote:
> Ex-Windows admin here; wrapping my head around PAM/SSSD has been quite tough!
> I have successfully managed to get pam_sss working with:
> login for a specific application, RStudio Server (/etc/pam.d/rstudio); containerized Ubuntu; LDAP/krb5 auth; against Microsoft Active Directory; without domain join (realmd), so all hand-configured. Ouch.
> The problem is with reuse of the ticket; I can't work out how it works.
> I would like to configure pam_mount and ODBC to use the same Kerberos ticket that was generated by the pam_sss module.
> So: pam_sss creates a ticket with the following naming, which cannot be used by the "mount" command:
> /tmp/krb5cc_uid_xxxx
> However, if I manually use kinit, it creates a ticket with the naming below, which can easily be reused by the "mount" command:
> /tmp/krb5cc_uid
> The naming that pam_sss uses seems to be standard, but again I just can't work out how that should be "discoverable" by any other service looking for a ticket when it has the wrong naming.
Hi,
If the only thing you need is to change a template, then please see the `krb5_ccname_template` option in `man sssd-krb5`.
(I'm sorry, I'm not fluent enough in Kerberos to comment on other parts of your email.)
> Some links:
> This seems to be where the pam_sss naming is defined, by the build flag --with-default-ccname-template:
> https://github.com/SSSD/sssd/blob/master/src/conf_macros.m4#L337
> I want to integrate it into pam_mount to mount a CIFS drive, which (I think) is SMB, so it will be able to use the cifs.upcall library.
> And the way cifs.upcall resolves tickets is somewhere here, in get_cachename_from_process_env:
> https://github.com/aaptel/cifs-utils/blob/master/cifs.upcall.c#L260
> I also want to get the MSSQL ODBC driver to use the ticket as well...
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Wed, Mar 31, 2021 at 9:58 AM Alexey Tikhonov atikhono@redhat.com wrote:
> Hi,
> If the only thing you need is to change a template, then please see the `krb5_ccname_template` option in `man sssd-krb5`.
> (I'm sorry, I'm not fluent enough in Kerberos to comment on other parts of your email.)
And about discoverability: it exports the standard `KRB5CCNAME` env variable.
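To make the two answers above concrete (the `krb5_ccname_template` option from the first reply and the `KRB5CCNAME` hand-off from the second), here is an added Python illustration. It is not code from this thread, from SSSD or from cifs-utils. It expands the template tokens documented in `man sssd-krb5` (%u, %U, %p, %r, %h, %d, %P, %%, and the trailing XXXXXX that SSSD passes to mkstemp(3)), so you can see why the default `FILE:%d/krb5cc_%U_XXXXXX` yields `/tmp/krb5cc_<uid>_<random>` while `FILE:%d/krb5cc_%U` yields the kinit-style `/tmp/krb5cc_<uid>`; and it models how a consumer such as cifs.upcall locates the cache: `KRB5CCNAME` from the target process's environment first, the libkrb5 default name only as a fallback. The user `alice`, uid 1000, realm `EXAMPLE.COM`, the environ blob and the file-permission checks are all constructed for the example.

```python
"""Added example (not SSSD or cifs-utils code): krb5_ccname_template expansion
and KRB5CCNAME-based credential-cache discovery, with a consumer-side check.
Token meanings follow man sssd-krb5; everything else here is illustrative."""
import os
import stat
import tempfile

KRB5CC_DEFAULT_DIR = "/tmp"  # SSSD's krb5ccache_dir default, also libkrb5's default location

# Constructed values for one login; %P (pid of the PAM client) is arbitrary here.
SSSD_VALUES = {"u": "alice", "U": 1000, "p": "alice@EXAMPLE.COM", "r": "EXAMPLE.COM",
               "h": "/home/alice", "d": KRB5CC_DEFAULT_DIR, "P": 4242}

# Constructed /proc/<pid>/environ content of a process that logged in via pam_sss.
SAMPLE_ENVIRON = (b"USER=alice\0HOME=/home/alice\0"
                  b"KRB5CCNAME=FILE:/tmp/krb5cc_1000_a1B2c3\0PATH=/usr/bin\0")


def expand_ccname_template(template, values):
    """Expand %u %U %p %r %h %d %P and %% as man sssd-krb5 describes them.
    A trailing XXXXXX is left untouched: SSSD gives it to mkstemp(3), so the
    final name only exists once the file has been created."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in "uUprhdP%":
            tok = template[i + 1]
            out.append("%" if tok == "%" else str(values[tok]))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def split_ccache_name(name):
    """Split 'TYPE:residual' the way libkrb5 does; a bare path means FILE:."""
    ctype, sep, rest = name.partition(":")
    if not sep or "/" in ctype:
        return "FILE", name
    return ctype, rest


def parse_environ(blob):
    """Parse a NUL-separated KEY=VALUE blob as found in /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def discover_ccache(environ_blob, uid):
    """Consumer lookup order: KRB5CCNAME from the process environment, otherwise
    the libkrb5 default FILE:/tmp/krb5cc_<uid> (absent a krb5.conf override)."""
    name = parse_environ(environ_blob).get("KRB5CCNAME")
    if name:
        return name, "KRB5CCNAME"
    return f"FILE:{KRB5CC_DEFAULT_DIR}/krb5cc_{uid}", "default"


def create_ccache_file(expanded):
    """Create an empty FILE: cache. Trailing XXXXXX -> mkstemp(3) (random, 0600);
    a fixed name is opened with O_EXCL so a pre-planted file or symlink at that
    path fails creation instead of being reused (this example's own policy)."""
    ctype, path = split_ccache_name(expanded)
    if ctype != "FILE":
        raise ValueError("only FILE: caches are modelled here")
    if path.endswith("XXXXXX"):
        fd, path = tempfile.mkstemp(prefix=os.path.basename(path)[:-6], dir=os.path.dirname(path))
    else:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path


def ccache_is_usable(path, uid):
    """Before trusting a discovered FILE: cache: regular file (not a symlink),
    owned by the calling uid, no group/other permission bits."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode) and st.st_uid == uid and (st.st_mode & 0o077) == 0


def demo_file_rules():
    """Run the checks in a scratch directory; returns the verdicts for a
    mkstemp-created cache, a group/world-readable one and a symlink."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as scratch:
        values = dict(SSSD_VALUES, d=scratch)
        good = create_ccache_file(expand_ccname_template("FILE:%d/krb5cc_%U_XXXXXX", values))
        loose = create_ccache_file(expand_ccname_template("FILE:%d/krb5cc_%U", values))
        os.chmod(loose, 0o644)
        link = os.path.join(scratch, "krb5cc_link")
        os.symlink(good, link)
        return (ccache_is_usable(good, uid), ccache_is_usable(loose, uid), ccache_is_usable(link, uid))


if __name__ == "__main__":
    print(expand_ccname_template("FILE:%d/krb5cc_%U_XXXXXX", SSSD_VALUES))
    print(expand_ccname_template("FILE:%d/krb5cc_%U", SSSD_VALUES))
    print(discover_ccache(SAMPLE_ENVIRON, 1000), discover_ccache(b"PATH=/usr/bin\0", 1000))
    print(demo_file_rules())
```

The reason SSSD's default carries the random XXXXXX suffix is the same reason the consumer-side check exists: a fixed, predictable `FILE:` name in a shared, world-writable `/tmp` is the classic pre-creation/symlink target, which mkstemp(3) sidesteps. If you do switch the template to the suffix-less `FILE:%d/krb5cc_%U` so that `mount` finds it by its default name, the less fragile path is still to let the consumer honour the `KRB5CCNAME` that pam_sss exports, which is what cifs.upcall's `get_cachename_from_process_env` reads.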
Thanks Alexey! I didn't realize it could be configured in the config file; I thought it was just a build option. I'll give it a try and post back.
KRB5CCNAME doesn't seem to be configured anyway, so I'll assume it'll default to /tmp/krb5cc_UID.
On Wed, 31 Mar 2021 at 10:06, Alexey Tikhonov atikhono@redhat.com wrote:
> And about discoverability: it exports the standard `KRB5CCNAME` env variable.