Hello,
I am really struggling to understand if what I am trying to do is actually something that is supported by SSSD in those terms.
I have a lab setup with a Windows Server 2012 with a configured KDC, DNS, NTP .. keytab, SPN.
This setup already works for apache+mod_auth_kerb for both cases, auto-negotiation of existing tickets. So I can do kinit + curl --negotiate on a client and get past the authentication.
Now I am trying to replace apache with nginx for this case. I want to use nginx_pam, and then forward this to sssd using pam_sss.
My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL
I see that the AD access works using GSSAPI authentication with the provided keytab file, but when a client request through nginx is handled, I see that sssd is trying to look up www-data@KWTEST.LOCAL for whatever reason.
I would have expected that it uses the host requested by the client, like HTTP/mywebservice.lan@KWTEST.LOCAL - in mod_auth_kerb one can set the SPN to use. I am not sure how this is intended in sssd, and that is my actual question.
- Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active client krb tokens)
- What SPN is used when pam calls SSSD?
I hope I could explain this at least a little ;/
Thank you
Eugen
On Wed, Jan 16, 2019 at 01:26:51PM +0100, Eugen Mayer wrote:
> - Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active client krb tokens)
No, what you are looking for is GSSAPI support and it looks like https://github.com/stnoonan/spnego-http-auth-nginx-module might be a suitable module.
HTH
bye, Sumit
> - What SPN is used when pam calls SSSD?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Hello Sumit,
thank you! I was aware of that nginx module but was striving to get PAM + SSSD for a more robust, maintained solution - so I did not yet test it.
TL;DR: I tested it with the SPNEGO module and it works without issues - so that one at least.
Now my question: as far as I understand, SSSD supports GSSAPI in general, e.g. for SSH. That said, when setting up nginx + pam + sssd, which one is "not supporting GSSAPI"? Or is it more the special implementation of "GSSAPI over HTTP" => SPNEGO which nginx_pam does not support? I mean it would basically be part of the webserver to deal with SPNEGO - pam / sssd will not be able to implement that layer. PAM should return not-authorized, then nginx_pam should send WWW...negotiate .. if the client answers with any proper header, pass this down to pam again (unpack from base64 first ..).
So I suppose that is the very reason sssd cannot implement this at all - it was the wrong way to go about it.
If I got it wrong, please correct me :)
Pity I am not able to use SSSD for kerb now ;/
Best
Eugen

On 16. January 2019 at 13:43:45, Sumit Bose (sbose@redhat.com) wrote:
> > - Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active client krb tokens)
>
> No, what you are looking for is GSSAPI support and it looks like https://github.com/stnoonan/spnego-http-auth-nginx-module might be a suitable module.
On Thu, Jan 17, 2019 at 09:01:53AM +0100, Eugen Mayer wrote:
> Now my question: as far as I understand, SSSD supports GSSAPI in general, e.g. for SSH. That said, when setting up nginx + pam + sssd, which one is "not supporting GSSAPI"?
SSSD does not support GSSAPI at this point at all. With ssh it is sshd which supports GSSAPI. Please note that GSSAPI offers more than "just" authentication; it offers encrypted communication as well, which is one of the main reasons that it has to be supported by the service (sshd, httpd) itself and cannot be delegated to e.g. PAM.
What might be confusing with ssh is that sshd might still use PAM for authorization, i.e. checking if the authenticated user is allowed to access the system. GSSAPI has no means to do authorization checks, hence a different mechanism, e.g. PAM, .htaccess files etc., is needed for this.
HTH
bye, Sumit
> Or is it more the special implementation of "GSSAPI over HTTP" => SPNEGO which nginx_pam does not support? I mean it would basically be part of the webserver to deal with SPNEGO - pam / sssd will not be able to implement that layer. PAM should return not-authorized, then nginx_pam should send WWW...negotiate .. if the client answers with any proper header, pass this down to pam again (unpack from base64 first ..).
> So I suppose that is the very reason sssd cannot implement this at all - it was the wrong way to go about it.
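The Negotiate round trip Eugen sketches in his second message, and Sumit's point that the service itself has to perform it, as an added Python example. This is not code from the thread, from SSSD, from mod_auth_kerb or from the nginx SPNEGO module. `gssapi_acceptor` assumes python-gssapi, a keytab and a reachable KDC and is not exercised offline; `demo_acceptor`, its `AP-REQ ...` token format and the principals eugen@KWTEST.LOCAL and HTTP/mywebservice.lan@KWTEST.LOCAL are constructed stand-ins for the lab. One thing the thread does not spell out but which holds for any GSSAPI acceptor: the SPN is chosen by the server from the key it holds in its keytab (HTTP/<hostname>), which is the knob mod_auth_kerb exposes, and PAM never sees a token at all.

```python
"""SPNEGO ("Negotiate") over HTTP, server side, reduced to its moving parts.

The round trip mod_auth_kerb and spnego-http-auth-nginx-module implement:
  1. client sends the request without credentials
  2. server answers 401 with "WWW-Authenticate: Negotiate"
  3. client sends "Authorization: Negotiate <base64 GSSAPI token>"
  4. server feeds the token to gss_accept_sec_context() using the
     HTTP/<hostname>@REALM key from its keytab and learns the client principal
No username or password is exchanged, which is why a PAM auth conversation
(pam_sss prompting for a password) cannot carry this.
"""
import base64
import binascii
from typing import Callable, Dict, Optional, Tuple

# An acceptor takes the decoded client token and returns
# (client_principal, token_for_client, complete). Everything else is HTTP framing.
Acceptor = Callable[[bytes], Tuple[Optional[str], Optional[bytes], bool]]
CHALLENGE = {"WWW-Authenticate": "Negotiate"}


def gssapi_acceptor(keytab: str, hostname: str, service: str = "HTTP") -> Acceptor:
    """Real acceptor on python-gssapi (assumed installed; needs a keytab and a KDC).

    The server picks its own SPN, service@hostname, and must hold that key in
    the keytab. Not exercised by the offline demo below.
    """
    import gssapi

    name = gssapi.Name(f"{service}@{hostname}", gssapi.NameType.hostbased_service)
    creds = gssapi.Credentials(name=name, usage="accept", store={"keytab": keytab})

    def accept(token: bytes):
        ctx = gssapi.SecurityContext(creds=creds, usage="accept")
        out = ctx.step(token)          # gss_accept_sec_context()
        if not ctx.complete:
            return None, out, False
        return str(ctx.initiator_name), out, True

    return accept


def demo_acceptor(server_spn: str) -> Acceptor:
    """Constructed stand-in so the flow runs offline. Token format (made up):
    b"AP-REQ <service principal> <client principal>". A real AP-REQ is encrypted
    to the service key; the only property modelled here is that a ticket for one
    SPN is useless to a server that only has the key for another."""
    def accept(token: bytes):
        parts = token.split(b" ")
        if len(parts) != 3 or parts[0] != b"AP-REQ":
            return None, None, False
        spn, client = (p.decode("ascii", "replace") for p in parts[1:])
        if spn != server_spn:
            return None, None, False
        return client, b"AP-REP " + parts[1], True   # mutual-auth reply token
    return accept


def handle_request(headers: Dict[str, str], acceptor: Acceptor) -> Tuple[int, Dict[str, str], Optional[str]]:
    """One request through the Negotiate scheme.
    Returns (status, response headers, authenticated client principal or None)."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401, dict(CHALLENGE), None                      # step 2
    scheme, _, b64 = auth.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return 401, dict(CHALLENGE), None                      # not our scheme
    try:
        token = base64.b64decode(b64.strip(), validate=True)   # step 3
    except binascii.Error:
        return 400, {}, None
    principal, out_token, complete = acceptor(token)           # step 4
    resp: Dict[str, str] = {}
    if out_token is not None:
        resp["WWW-Authenticate"] = "Negotiate " + base64.b64encode(out_token).decode("ascii")
    if not complete or principal is None:
        # rejected (no key for that SPN, clock skew, expired ticket, replay) or
        # another round needed: either way not authenticated yet
        return 401, resp or dict(CHALLENGE), None
    # Authenticated. Whether this principal may see this URL is authorization,
    # which GSSAPI does not do; that is where PAM account checks or ACLs belong.
    return 200, resp, principal


def demo() -> Tuple[Optional[str], int, int, str]:
    """Three exchanges, offline. Returns (principal, status with the right SPN,
    status with a wrong SPN, mutual-auth header of the successful reply)."""
    spn = "HTTP/mywebservice.lan@KWTEST.LOCAL"      # assumed lab SPN
    acceptor = demo_acceptor(spn)
    status, hdrs, _ = handle_request({}, acceptor)
    assert (status, hdrs) == (401, CHALLENGE)
    good = base64.b64encode(b"AP-REQ " + spn.encode() + b" eugen@KWTEST.LOCAL").decode("ascii")
    ok_status, ok_hdrs, who = handle_request({"Authorization": "Negotiate " + good}, acceptor)
    # a ticket issued for some other service principal is refused
    bad = base64.b64encode(b"AP-REQ www-data@KWTEST.LOCAL eugen@KWTEST.LOCAL").decode("ascii")
    bad_status, _, _ = handle_request({"Authorization": "Negotiate " + bad}, acceptor)
    return who, ok_status, bad_status, ok_hdrs.get("WWW-Authenticate", "")


if __name__ == "__main__":
    print(demo())
```

To wire the real acceptor in, replace `demo_acceptor(spn)` with `gssapi_acceptor("/etc/krb5.keytab", "mywebservice.lan")` on a host whose keytab contains the HTTP/mywebservice.lan key; a `kinit` followed by `curl --negotiate -u :` against it is the same test Eugen used against Apache.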