On Wed, Jan 16, 2019 at 01:26:51PM +0100, Eugen Mayer wrote:
> Hello,
>
> I am really struggling to understand if what I am trying to do is actually
> something that is supported by SSSD in those terms.
>
> I have a lab setup with a Windows Server 2012 with a configured KDC, DNS, NTP
> .. keytab, spn.
>
> This setup already works for apache+mod_kerb_auth for both cases,
> auto-negotiation of existing tickets. So I can do kinit + curl --negotiate on
> a client and get past the authentication.
>
> Now I am trying to replace apache with nginx with this case. I want to use
> nginx_pam, and then forward this to sssd using pam_sss.
>
> My id_provider is ad, auth_provider is krb5, realm is KWTEST.LOCAL
>
> I see that the AD access works using GSSAPI authentication using the provided
> keytab file, but when a client request through nginx is handled, I see
> something that sssd is trying to look up www-data@KWTEST.LOCAL for some
> reason.
>
> I would have expected that it uses the HOST requested by the client, like
> HTTP/mywebservice.lan@KWTEST.LOCAL - in mod_auth_kerb one can set the SPN to
> use, I am not sure how this is intended in sssd and that is my actual
> question.
>
> - Can SSSD offer "negotiation" through pam ... nginx at all? (reusing active
> client krb tokens)

No, what you are looking for is GSSAPI support and it looks like
https://github.com/stnoonan/spnego-http-auth-nginx-module might be a suitable
module.

HTH

bye,
Sumit

> - What SPN is used when pam calls SSSD?
>
> I hope I could explain this at least a little ;/
>
> Thank you
>
> Eugen
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
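
An added example, not part of the original thread and not taken from the module's authors: a minimal nginx server block using the spnego-http-auth-nginx-module suggested in the reply, with the SPN pinned explicitly in the way the question describes for mod_auth_kerb. The realm and SPN come from the thread; the keytab path, certificate paths and backend address are assumptions.

```nginx
# Added example. Realm and SPN are from the thread; all file paths and the
# upstream address are assumptions for illustration.
server {
    listen 443 ssl;
    server_name mywebservice.lan;

    ssl_certificate     /etc/nginx/tls/mywebservice.lan.crt;  # assumed path
    ssl_certificate_key /etc/nginx/tls/mywebservice.lan.key;  # assumed path

    location / {
        # SPNEGO/GSSAPI is handled by nginx itself; PAM and SSSD are not
        # involved in validating the client's service ticket.
        auth_gss on;
        auth_gss_realm KWTEST.LOCAL;

        # Keytab holding the key for the HTTP/ service principal. It should be
        # readable only by the user the nginx workers run as.
        auth_gss_keytab /etc/nginx/http.keytab;               # assumed path

        # The SPN the server accepts tickets for, set explicitly.
        auth_gss_service_name HTTP/mywebservice.lan;

        # Without a ticket the request is rejected instead of falling back to
        # Basic auth, so no password is ever sent to nginx.
        auth_gss_allow_basic_fallback off;

        # Overwrite any client-supplied value before passing the
        # authenticated principal to the backend.
        proxy_set_header X-Remote-User $remote_user;
        proxy_pass http://127.0.0.1:8080;                     # assumed backend
    }
}
```

The keytab must contain an entry for `HTTP/mywebservice.lan@KWTEST.LOCAL`, and clients must reach the server under that hostname so the ticket they request matches the configured SPN.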