Great in-depth detail, I'm learning loads from you. So, am I right in deducing that this would mean the keytab is manually populated, not generated by gssproxy? Sorry, feeling like a real noob here ...
Thanks,
Djerk Geurts

On 21 May 2024, 13:25, at 13:25, Christian Heimes <chei...@redhat.com> wrote:
>On 21/05/2024 13.11, Djerk Geurts wrote:
>> Thank you, that’s really helpful, especially how to test.
>>
>> For the 3CX service I do indeed need to add the GSS_USE_PROXY=yes, but
>> as a side note, I’ll need to work out which service needs it as there
>> are many daemons that make up 3CX. Anyway, this is on my todo list.
>>
>> What I need to do first is create a Service Principal for this service
>> to use. The GSS proxy config references the local uid, but how does it
>> match the SPN? I guess I’m not clear on the service name as the host
>> and REALM parts are straightforward. Is the username used for this?
>> If so the SPN should be phonesystem/FQDN@REALM, as the uid is a
>> number, so can I assume that the local machine uses the local account
>> name belonging to the uid for this?
>>
>GSS-Proxy uses the power of Unix sockets. "GSS_USE_PROXY=yes" enables
>the interposer library in the client. When the interposer intercepts
>some GSS-API calls and forwards them to GSS-Proxy's Unix domain socket.
>
>The proxy daemon uses getsockopt() with SO_PEERCRED to get the euid and
>egid of the client from the Linux Kernel. In your case, it maps euid 998
>to "service/3CXPBX" and "3cxpbx.keytab". In client keytab mode,
>GSS-Proxy then uses the SPN of the first keytab slot. The keytab
>contains the SPN:
>
># ktutil
>ktutil: rkt /var/lib/ipa/gssproxy/http.keytab
>ktutil: l
>slot KVNO Principal
>---- ---- ---------------------------------------------------------------------
>   1    1 HTTP/server.ipa-hcc.t...@ipa-hcc.test
>   2    1 HTTP/server.ipa-hcc.t...@ipa-hcc.test
>   3    1 HTTP/server.ipa-hcc.t...@ipa-hcc.test
>   4    1 HTTP/server.ipa-hcc.t...@ipa-hcc.test
>
>
>--
>Christian Heimes
>Principal Software Engineer, Identity Management and Platform Security
>
>Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
>Commercial register: Amtsgericht Muenchen, HRB 153243,
>Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
>O'Neill
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
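As an added illustration of the mechanism Christian describes (this is example code written for this page, not gssproxy's own implementation and not part of the thread): a Unix-domain-socket server asks the kernel for the peer's credentials via SO_PEERCRED, looks the effective uid up in a service table, and then reads the slot-1 principal out of a `ktutil` listing, which is the SPN gssproxy would use in client keytab mode. SERVICE_MAP, the keytab paths and the sample listing are constructed for the example (the euid 998 entry mirrors the numbers quoted above; the HTTP entry is hypothetical). SO_PEERCRED is Linux-only, so the demo functions only run there.

```python
import os
import socket
import struct

# Constructed service table in the spirit of gssproxy's per-service stanzas:
# effective uid of the connecting client -> (service name, keytab path).
# The 998 entry mirrors the thread; the 48/HTTP entry is hypothetical.
SERVICE_MAP = {
    998: ("service/3CXPBX", "/var/lib/gssproxy/3cxpbx.keytab"),
    48: ("service/HTTP", "/var/lib/ipa/gssproxy/http.keytab"),
}

# Constructed `ktutil` listing (rkt + l) for a keytab with four slots.
SAMPLE_KTUTIL_LISTING = """\
ktutil: rkt /etc/example.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 HTTP/server.example.test@EXAMPLE.TEST
   2    1 HTTP/server.example.test@EXAMPLE.TEST
   3    1 HTTP/server.example.test@EXAMPLE.TEST
   4    1 HTTP/server.example.test@EXAMPLE.TEST
"""


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of an AF_UNIX socket.

    Linux only: SO_PEERCRED returns a struct ucred {pid_t, uid_t, gid_t}
    that the kernel fills in from the peer's credentials at connect()/socketpair()
    time, so the client cannot claim a different identity over the socket.
    """
    fmt = "iII"  # pid_t, uid_t, gid_t
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    pid, uid, gid = struct.unpack(fmt, raw)
    return pid, uid, gid


def resolve_service(conn, service_map=SERVICE_MAP):
    """Map the peer's effective uid to a configured service, or None if no
    stanza matches (an unconfigured client gets no credentials at all)."""
    _pid, uid, _gid = peer_credentials(conn)
    return service_map.get(uid)


def first_keytab_principal(ktutil_listing):
    """Return the principal in slot 1 of a `ktutil` listing, i.e. the SPN that
    client keytab mode picks; None if the listing has no slot 1."""
    for line in ktutil_listing.splitlines():
        parts = line.split()
        # Entry rows look like: <slot> <kvno> <principal>
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            if int(parts[0]) == 1:
                return parts[2]
    return None


def _with_socketpair(service_map):
    """Run resolve_service over a socketpair whose peer is this very process."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return resolve_service(server, service_map)
    finally:
        client.close()
        server.close()


def demo_mapped():
    """The current euid is configured: the lookup yields its service stanza."""
    return _with_socketpair({os.geteuid(): ("service/demo", "demo.keytab")})


def demo_unmapped():
    """The current euid is not configured: the lookup yields None."""
    return _with_socketpair({uid: svc for uid, svc in SERVICE_MAP.items() if uid != os.geteuid()})


if __name__ == "__main__":
    print("mapped:", demo_mapped())
    print("unmapped:", demo_unmapped())
    print("slot-1 SPN:", first_keytab_principal(SAMPLE_KTUTIL_LISTING))
```

The point of the socketpair demo is that the uid comes from the kernel, not from anything the client sends; that is why a gssproxy stanza can be keyed on a numeric euid alone. The keytab is what ties that uid to a principal, so the SPN has to already be present in slot 1 of the file the stanza points at.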