
List:       sssd-users
Subject:    [SSSD-users] Re: struggling with reuse of pam_sss kerberos ticket
From:       Calvin Chiang <calvin.chiang@gmail.com>
Date:       2021-04-01 7:31:00
Message-ID: CAEVyU88pUnPHT1RtNG0F5Fr6i9hB2nW8q06NTGwjADu7Bks+mg@mail.gmail.com


Thanks Alexey! I didn't realize it could be configured in the config file;
I thought it was just a build option.
I'll give it a try and post back.

KRB5CCNAME doesn't seem to be configured anyway, so I'll assume it'll default
to /tmp/krb5cc_UID.

On Wed, 31 Mar 2021 at 10:06, Alexey Tikhonov <atikhono@redhat.com> wrote:

> On Wed, Mar 31, 2021 at 9:58 AM Alexey Tikhonov <atikhono@redhat.com>
> wrote:
> >
> > On Wed, Mar 31, 2021 at 9:38 AM Calvin Chiang <calvin.chiang@gmail.com>
> wrote:
> > >
> > > Ex-Windows admin wrapping my head around PAM/SSSD has been quite tough!
> > >
> > > I have successfully managed to get pam_sss working with
> > >
> > > login for a specific application, rstudio server (/etc/pam.d/rstudio)
> > > containerized ubuntu
> > > ldap/krb5 auth
> > > against Microsoft Active Directory
> > > without domain join realmd. (so all hand-configured. ouch)
> > >
> > > The problem is with reuse of the ticket. I can't work out how it works.
> > >
> > > I would like to configure pam_mount and ODBC to use the same Kerberos
> ticket that was generated by the pam_sss modules
> > >
> > > so
> > >
> > > pam_sss creates a ticket with the following naming, which cannot be
> used by the "mount" command:
> > >
> > > /tmp/krb5cc_uid_xxxx
> > >
> > > however if I manually use kinit, it creates a ticket with the naming
> below, which can be easily reused from the "mount" command:
> > >
> > > /tmp/krb5cc_uid
> > >
> > > the naming that pam_sss uses seems to be standard but again I just
> can't work out how that should be "discoverable" by any other services
> looking for a ticket, when it has the wrong naming.
> >
> > Hi,
> >
> > if the only thing you need is to change a template, then please see
> > `man sssd-krb5 : krb5_ccname_template` option.
> >
> > (I'm sorry I'm not fluent in kerberos enough to comment on other parts
> > of your email)
>
> and about discoverability - it exports standard `KRB5CCNAME` env variable
>
>
> >
> >
> >
> > >
> > > some links:
> > >
> > > this seems to be where the pam_sss naming is defined - by a build flag
> --with-default-ccname-template
> > >
> > > https://github.com/SSSD/sssd/blob/master/src/conf_macros.m4#L337
> > >
> > > I want to integrate it into pam_mount to mount a cifs drive, which (I
> think) is SMB so will be able to use the cifs.upcall library.
> > >
> > > And the way cifs.upcall resolves tickets is somewhere here in
> get_cachename_from_process_env
> > >
> > > https://github.com/aaptel/cifs-utils/blob/master/cifs.upcall.c#L260
> > >
> > > I also want to get the MSSQL ODBC driver to use the ticket as well...
> > >
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > To unsubscribe send an email to
> sssd-users-leave@lists.fedorahosted.org
> > > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> > > Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
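The exchange above comes down to two things: the name pam_sss gives the credential cache (from krb5_ccname_template, whose default ends in XXXXXX and so produces /tmp/krb5cc_UID_random) and how a consumer such as cifs.upcall finds that cache (KRB5CCNAME from the process environment first, libkrb5's built-in /tmp/krb5cc_UID only as a fallback). The script below is an added illustration, not code from SSSD, cifs-utils or anyone in this thread. It assumes the template specifiers listed in sssd-krb5(5) (%u, %U, %p, %r, %h, %d, %P, %%), assumes no default_ccache_name is set in krb5.conf, and uses constructed user values; it also includes the ownership and mode check an administrator would want before trusting a file cache found by either route.

```python
"""Added example (not SSSD or cifs-utils code): model how pam_sss names a
credential cache from krb5_ccname_template and how a consumer locates it."""
import os
import re
import secrets
import stat
import string
import tempfile


# Specifiers as documented in sssd-krb5(5) for krb5_ccname_template.
# Assumption: list taken from the man page, not from this thread.
def expand_ccname_template(template, *, username, uid, principal, realm, home,
                           ccachedir="/tmp", pid=0, rand=None):
    subs = {"u": username, "U": str(uid), "p": principal, "r": realm,
            "h": home, "d": ccachedir, "P": str(pid), "%": "%"}

    def repl(match):
        key = match.group(1)
        if key not in subs:
            raise ValueError(f"unknown template specifier %{key}")
        return subs[key]

    expanded = re.sub(r"%(.)", repl, template)
    # A trailing XXXXXX is filled mkstemp-style with a random suffix, which is
    # why the default template yields /tmp/krb5cc_<uid>_<random> as seen above.
    if expanded.endswith("XXXXXX"):
        alphabet = string.ascii_letters + string.digits
        suffix = rand or "".join(secrets.choice(alphabet) for _ in range(6))
        expanded = expanded[:-6] + suffix
    return expanded


def split_ccache_name(name):
    """Split 'TYPE:residual' into its parts; a bare path is a FILE cache."""
    if ":" in name and not name.startswith("/"):
        ctype, _, residual = name.partition(":")
        return ctype, residual
    return "FILE", name


def resolve_ccache(env, uid):
    """Consumer side: honour KRB5CCNAME if present in the process environment,
    otherwise fall back to libkrb5's compiled-in default FILE:/tmp/krb5cc_<uid>
    (assumption: no default_ccache_name set in krb5.conf)."""
    name = env.get("KRB5CCNAME")
    if name:
        return split_ccache_name(name)
    return "FILE", f"/tmp/krb5cc_{uid}"


def ccache_file_is_safe(path, uid):
    """Defender's check before trusting a FILE cache: a regular file, owned by
    the user, with no group/other permission bits set."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode) and st.st_uid == uid and (st.st_mode & 0o077) == 0


def compare_paths(template, consumer_reads_env):
    """Return (path pam_sss would create, path the consumer would open, match)
    for constructed user values."""
    uid = 1000  # constructed sample uid
    full = expand_ccname_template(template, username="calvin", uid=uid,
                                  principal="calvin@EXAMPLE.COM", realm="EXAMPLE.COM",
                                  home="/home/calvin", rand="Ab12Cd")
    _, sssd_path = split_ccache_name(full)
    env = {"KRB5CCNAME": full} if consumer_reads_env else {}
    _, consumer_path = resolve_ccache(env, uid)
    return sssd_path, consumer_path, sssd_path == consumer_path


def permission_check_demo():
    """Create a placeholder cache file (constructed, not a real ccache) and
    show the ownership/mode check accepting 0600 and rejecting 0644."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "krb5cc_sample")
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real ccache")
        os.chmod(path, 0o600)
        results["0600"] = ccache_file_is_safe(path, uid)
        os.chmod(path, 0o644)
        results["0644"] = ccache_file_is_safe(path, uid)
    return results


if __name__ == "__main__":
    for tmpl, reads_env in [("FILE:%d/krb5cc_%U_XXXXXX", False),
                            ("FILE:%d/krb5cc_%U_XXXXXX", True),
                            ("FILE:%d/krb5cc_%U", False)]:
        print(tmpl, "env" if reads_env else "no-env", compare_paths(tmpl, reads_env))
    print(permission_check_demo())
```

Running it shows the mismatch from the original question: with the default template, a consumer that ignores the environment opens /tmp/krb5cc_1000 while pam_sss wrote /tmp/krb5cc_1000_Ab12Cd; a consumer that reads KRB5CCNAME (as cifs.upcall does via the requesting process environment) finds the right file, and a template without the XXXXXX suffix makes both routes agree. Dropping the random suffix means every login session of the user shares one cache file, so the ownership and 0600 mode check matters more, not less, in that configuration.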




