On 21/05/2024 13.11, Djerk Geurts wrote:
Thank you, that’s really helpful, especially how to test.
For the 3CX service I do indeed need to add the GSS_USE_PROXY=yes, but
as a side note, I’ll need to work out which service needs it as there
are many daemons that make up 3CX. Anyway, this is on my todo list.
What I need to do first is create a Service Principal for this service
to use. The GSS proxy config references the local uid, but how does it
match the SPN? I guess I’m not clear on the service name as the host
and REALM parts are straightforward. Is the username used for this?
If so, the SPN should be phonesystem/FQDN@REALM, as the uid is a
number, so can I assume that the local machine uses the local account
name belonging to the uid for this?
GSS-Proxy uses the power of Unix sockets. "GSS_USE_PROXY=yes" enables
the interposer library in the client. The interposer intercepts
some GSS-API calls and forwards them to GSS-Proxy's Unix domain socket.
The proxy daemon uses getsockopt() with SO_PEERCRED to get the euid and
egid of the client from the Linux Kernel. In your case, it maps euid 998
to "service/3CXPBX" and "3cxpbx.keytab". In client keytab mode,
GSS-Proxy then uses the SPN of the first keytab slot. The keytab
contains the SPN:
# ktutil
ktutil: rkt /var/lib/ipa/gssproxy/http.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 HTTP/server.ipa-hcc.t...@ipa-hcc.test
2 1 HTTP/server.ipa-hcc.t...@ipa-hcc.test
3 1 HTTP/server.ipa-hcc.t...@ipa-hcc.test
4 1 HTTP/server.ipa-hcc.t...@ipa-hcc.test
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
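To make the euid-to-service lookup described in the reply concrete, here is an added Python sketch (not GSS-Proxy's own code) that reads the peer's credentials from a Unix socket with SO_PEERCRED, maps the euid to a constructed service section and keytab, and picks the principal from keytab slot 1; the section names, keytab paths and the phonesystem SPN are assumptions.

```python
import os
import socket
import struct
# Constructed stand-in for gssproxy.conf service sections (names and keytab
# paths are assumptions): a section is selected by the connecting client's euid.
SERVICES = {
    "service/3CXPBX": {"euid": 998, "client_keytab": "/var/lib/gssproxy/3cxpbx.keytab"},
    "service/HTTP": {"euid": 48, "client_keytab": "/var/lib/ipa/gssproxy/http.keytab"},
}
# Constructed `ktutil: l` output for the hypothetical 3CX keytab.
KEYTAB_LISTING = """\
slot KVNO Principal
---- ---- -----------------------------------------
   1    2 phonesystem/pbx.example.test@EXAMPLE.TEST
   2    2 phonesystem/pbx.example.test@EXAMPLE.TEST
"""

def peer_credentials(conn):
    # (pid, uid, gid) of the peer of a connected AF_UNIX socket, read from the
    # kernel's struct ucred via SO_PEERCRED: the proxy trusts this, not the client.
    fmt = "3i"
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)

def select_service(euid, services=SERVICES):
    # (section name, client keytab) for this euid; None means no section
    # matches and the proxy should refuse rather than fall back to a default.
    for name, cfg in services.items():
        if cfg["euid"] == euid:
            return name, cfg["client_keytab"]
    return None

def first_slot_principal(listing):
    # The principal in slot 1: the SPN GSS-Proxy uses in client keytab mode.
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "1":
            return parts[2]
    return None

def peer_uid_matches_self():
    # Self-check over a socketpair: the peer of our own socket is ourselves.
    # Returns None where SO_PEERCRED is unavailable (it is Linux-specific).
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    left, right = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_credentials(left)[1] == os.geteuid()
    finally:
        left.close()
        right.close()
```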
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org