[SSSD-users] Re: Help with pam_sss_gss.so

2021-04-03 Thread Calvin Chiang
Sorry, wrong thread!

On Sat, 3 Apr 2021 at 10:52, Calvin Chiang  wrote:

> Hi Sam
>
> Thanks for the input here! I'll be testing this again on Tuesday.
> I "think" GSSAPI means the machine has to be domain joined, which I wanted
> to avoid as it was a container that would be disappearing pretty often.
> But these logs are looking very handy in any case, thanks!
>
> Cheers
>
> Calvin
>
> On Thu, 1 Apr 2021 at 14:57, Sam Morris  wrote:
>
>> Whoops, I forgot to include the sudo output!
>>
>> pam_sss_gss: Initializing GSSAPI authentication with SSSD
>> pam_sss_gss: Switching euid from 0 to 123456789
>> pam_sss_gss: Trying to establish security context
>> pam_sss_gss: SSSD User name: sam.mor...@example.net
>> pam_sss_gss: User domain: example.net
>> pam_sss_gss: User principal: sam.mor...@example.net
>> pam_sss_gss: Target name: h...@myself.ipa.example.net
>> pam_sss_gss: Using ccache: FILE:/run/user/123456789/krb5cc
>> pam_sss_gss: Acquiring credentials for principal [sam.mor...@example.net]
>> pam_sss_gss: Communication error [3, 32]: Error in service module; Broken
>> pipe
>> pam_sss_gss: Switching euid from 123456789 to 0
>> pam_sss_gss: System error [32]: Broken pipe
>> [sudo] password for sam.mor...@example.net: ^C
>>
>> If I run 'klist' at this point, I can see that I've picked up tickets for
>> krb5tgt/ipa.example@example.net and host/
>> myself.ipa.example@ipa.example.net; so I think the PAM module is
>> working, but sssd_pam doesn't like what it sends and closes the connection
>> down.
>>
>> --
>> Sam Morris <https://robots.org.uk/>
>> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
>> ___
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
>> Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure
>>
>


[SSSD-users] Re: Help with pam_sss_gss.so

2021-04-03 Thread Calvin Chiang
Hi Sam

Thanks for the input here! I'll be testing this again on Tuesday.
I "think" GSSAPI means the machine has to be domain joined, which I wanted
to avoid as it was a container that would be disappearing pretty often.
But these logs are looking very handy in any case, thanks!

Cheers

Calvin

On Thu, 1 Apr 2021 at 14:57, Sam Morris  wrote:

> Whoops, I forgot to include the sudo output!
>
> pam_sss_gss: Initializing GSSAPI authentication with SSSD
> pam_sss_gss: Switching euid from 0 to 123456789
> pam_sss_gss: Trying to establish security context
> pam_sss_gss: SSSD User name: sam.mor...@example.net
> pam_sss_gss: User domain: example.net
> pam_sss_gss: User principal: sam.mor...@example.net
> pam_sss_gss: Target name: h...@myself.ipa.example.net
> pam_sss_gss: Using ccache: FILE:/run/user/123456789/krb5cc
> pam_sss_gss: Acquiring credentials for principal [sam.mor...@example.net]
> pam_sss_gss: Communication error [3, 32]: Error in service module; Broken
> pipe
> pam_sss_gss: Switching euid from 123456789 to 0
> pam_sss_gss: System error [32]: Broken pipe
> [sudo] password for sam.mor...@example.net: ^C
>
> If I run 'klist' at this point, I can see that I've picked up tickets for
> krb5tgt/ipa.example@example.net and host/
> myself.ipa.example@ipa.example.net; so I think the PAM module is
> working, but sssd_pam doesn't like what it sends and closes the connection
> down.
>
> --
> Sam Morris 
> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
>


[SSSD-users] Re: struggling with reuse of pam_sss kerberos ticket

2021-04-01 Thread Calvin Chiang
Thanks Alexey! I didn't realize it could be configured in the config file;
I thought it was just a build option.
I'll give it a try and post back.

KRB5CCNAME doesn't seem to be configured anyway, so I'll assume it'll default
to /tmp/krb5cc_UID

On Wed, 31 Mar 2021 at 10:06, Alexey Tikhonov  wrote:

> On Wed, Mar 31, 2021 at 9:58 AM Alexey Tikhonov 
> wrote:
> >
> > On Wed, Mar 31, 2021 at 9:38 AM Calvin Chiang 
> wrote:
> > >
> > > Ex-Windows admin here; wrapping my head around PAM/SSSD has been quite tough!
> > >
> > > I have successfully managed to get pam_sss working with
> > >
> > > login for specific application rstudio server (/etc/pam.d/rstudio)
> > > containerized ubuntu
> > > ldap/krb5 auth
> > > against Microsoft Active Directory
> > > without domain join/realmd (so all hand-configured, ouch)
> > >
> > > The problem is with reuse of the ticket. I can't work out how it works.
> > >
> > > I would like to configure pam_mount and ODBC to use the same kerberos
> ticket that was generated by the pam_sss module
> > >
> > > So:
> > >
> > > pam_sss creates a ticket with the following naming, which cannot be
> used by the "mount" command:
> > >
> > > /tmp/krb5cc_uid_
> > >
> > > however, if I manually use kinit, it creates a ticket with the naming
> below, which can be easily reused from the "mount" command:
> > >
> > > /tmp/krb5cc_uid
> > >
> > > The naming that pam_sss uses seems to be standard, but again I just
> can't work out how that should be "discoverable" by any other services
> looking for a ticket, when it has the wrong naming.
> >
> > Hi,
> >
> > if the only thing you need is to change a template, then please see
> > `man sssd-krb5 : krb5_ccname_template` option.
> >
> > (I'm sorry I'm not fluent in kerberos enough to comment on other parts
> > of your email)
>
> and about discoverability - it exports standard `KRB5CCNAME` env variable
>
>
> >
> >
> >
> > >
> > > Some links:
> > >
> > > This seems to be where the pam_sss naming is defined: by a build flag
> --with-default-ccname-template
> > >
> > > https://github.com/SSSD/sssd/blob/master/src/conf_macros.m4#L337
> > >
> > > I want to integrate it into pam_mount to mount a CIFS drive, which (I
> think) is SMB, so it will be able to use the cifs.upcall library.
> > >
> > > And the way cifs.upcall resolves tickets is somewhere here, in
> get_cachename_from_process_env
> > >
> > > https://github.com/aaptel/cifs-utils/blob/master/cifs.upcall.c#L260
> > >
> > > I also want to get the MSSQL ODBC driver to use the ticket as well...
> > >
>
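As an added illustration of the two halves of the discoverability question in this exchange (not code from the thread, from SSSD or from cifs-utils), the Python below models how the `krb5_ccname_template` option from `man sssd-krb5` turns into a cache name (the build default `FILE:%d/krb5cc_%U_XXXXXX` versus the kinit-style `FILE:%d/krb5cc_%U`), and how a consumer such as cifs.upcall's get_cachename_from_process_env finds the cache again: `KRB5CCNAME` from the requesting process's environment first, otherwise the MIT compiled-in default. Assumptions: the sample user fields and the /proc/<pid>/environ blobs are constructed; the fallback `FILE:/tmp/krb5cc_<uid>` assumes `default_ccache_name` is unset in krb5.conf; the random suffix stands in for what mkstemp(3) produces.

```python
"""Model of how an SSSD-created Kerberos ccache gets its name and how a
consumer such as cifs.upcall finds it again.  Added illustration only:
this is not SSSD's or cifs-utils' code, and the sample data is constructed."""
import re
import secrets

# %-sequences documented in `man sssd-krb5` for krb5_ccname_template.
# Constructed sample user; a real system fills these from the PAM request.
SAMPLE_USER = {
    "u": "calvin",               # %u  login name
    "U": "10001",                # %U  login UID
    "p": "calvin@EXAMPLE.NET",   # %p  principal name
    "r": "EXAMPLE.NET",          # %r  realm
    "h": "/home/calvin",         # %h  home directory
    "d": "/tmp",                 # %d  value of krb5_ccachedir
    "P": "4242",                 # %P  PID of the SSSD client
}

DEFAULT_TEMPLATE = "FILE:%d/krb5cc_%U_XXXXXX"  # SSSD build default (--with-default-ccname-template)
FIXED_TEMPLATE = "FILE:%d/krb5cc_%U"           # the name kinit produces by default


def expand_ccname_template(template: str, fields: dict) -> str:
    """Expand the %-sequences; a trailing XXXXXX becomes a random suffix.

    Approximation: SSSD hands the XXXXXX pattern to mkstemp(3), which also
    creates the file; here we only generate six random hex characters."""
    def sub(match) -> str:
        key = match.group(1)
        if key == "%":
            return "%"
        if key not in fields:
            raise ValueError(f"unknown template sequence %{key}")
        return fields[key]

    path = re.sub(r"%(.)", sub, template)
    if path.endswith("XXXXXX"):
        path = path[:-6] + secrets.token_hex(3)
    return path


def parse_proc_environ(blob: bytes) -> dict:
    """Parse a /proc/<pid>/environ-style NUL-separated KEY=VALUE blob."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def resolve_ccache(environ_blob: bytes, uid: int) -> str:
    """Locate the ccache the way cifs.upcall's get_cachename_from_process_env
    does: honour KRB5CCNAME from the requesting process's environment and fall
    back to the MIT default.  The fallback assumes default_ccache_name is not
    set in krb5.conf, so the compiled-in FILE:/tmp/krb5cc_<uid> applies."""
    name = parse_proc_environ(environ_blob).get("KRB5CCNAME")
    if name:
        # A name without a type prefix is a FILE: cache in MIT Kerberos.
        return name if ":" in name else f"FILE:{name}"
    return f"FILE:/tmp/krb5cc_{uid}"


def demo() -> dict:
    """Three scenarios from the thread, with constructed environ blobs."""
    uid = int(SAMPLE_USER["U"])
    pam_cache = expand_ccname_template(DEFAULT_TEMPLATE, SAMPLE_USER)
    # What a process sees when it did NOT inherit the PAM session environment.
    env_without = b"HOME=/home/calvin\0USER=calvin\0"
    # What it sees when the KRB5CCNAME exported by pam_sss was inherited.
    env_with = env_without + b"KRB5CCNAME=" + pam_cache.encode() + b"\0"
    return {
        "pam_cache": pam_cache,
        # Default template, no KRB5CCNAME: mount looks in the wrong place.
        "found_without_env": resolve_ccache(env_without, uid) == pam_cache,
        # Default template, KRB5CCNAME inherited: found.
        "found_with_env": resolve_ccache(env_with, uid) == pam_cache,
        # Fixed template: the name coincides with the fallback, env not needed.
        "fixed_matches_fallback": expand_ccname_template(FIXED_TEMPLATE, SAMPLE_USER)
        == resolve_ccache(env_without, uid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The corresponding sssd.conf change goes in the `[domain/...]` section as `krb5_ccname_template = FILE:%d/krb5cc_%U`. Two caveats worth keeping in mind: a fixed name means all concurrent sessions of one user share (and overwrite) a single cache rather than getting the per-session cache the random suffix provides, and `KRB5CCNAME` is only visible to processes that inherited the PAM session environment, which is exactly why a helper launched by the kernel keyring upcall, like cifs.upcall, has to read the requesting process's /proc/<pid>/environ instead of its own.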


[SSSD-users] struggling with reuse of pam_sss kerberos ticket

2021-03-31 Thread Calvin Chiang
Ex-Windows admin here; wrapping my head around PAM/SSSD has been quite tough!

I have successfully managed to get pam_sss working with

   - login for specific application rstudio server (/etc/pam.d/rstudio)
   - containerized ubuntu
   - ldap/krb5 auth
   - against Microsoft Active Directory
   - without domain join/realmd (so all hand-configured, ouch)

The problem is with reuse of the ticket. I can't work out how it works.

I would like to configure pam_mount and ODBC to use the same kerberos
ticket that was generated by the pam_sss module

So:

pam_sss creates a ticket with the following naming, which *cannot be used by
the "mount" command*:

/tmp/krb5cc_uid_

however, if I manually use kinit, it creates a ticket with the naming below,
which *can be easily reused from the "mount" command*:

/tmp/krb5cc_uid

The naming that pam_sss uses seems to be standard, but again I just can't
work out how that should be "discoverable" by any other services looking
for a ticket, when it has the wrong naming.

Some links:

This seems to be where the pam_sss naming is defined: by a build flag
--with-default-ccname-template

https://github.com/SSSD/sssd/blob/master/src/conf_macros.m4#L337

I want to integrate it into pam_mount to mount a CIFS drive, which (I
think) is SMB, so it will be able to use the cifs.upcall library.

And the way cifs.upcall resolves tickets is somewhere here, in
get_cachename_from_process_env

https://github.com/aaptel/cifs-utils/blob/master/cifs.upcall.c#L260

I also want to get the MSSQL ODBC driver to use the ticket as well...