Question: Can I use oauth2/idp plugin on macOS? #7534

jaimehrubiks opened this issue Aug 14, 2024 · 3 comments
Comments

@jaimehrubiks

I apologize if this is not the right place to ask. I'm pretty new to sssd and kerberos.

Using Linux, I've managed to use kinit -n -c file && kinit -T file user to get a kerberos ticket from an IPA server (that uses external IDP), from a server that does not have IPA installed at all. Once I have the ticket, I can list it with klist, and I'm able to SSH to any server using GSSAPI without specifying any pwd or key.

I believe (of course, again, I could be wrong) that it works great thanks to this file and plugin (src/krb5_plugin/idp/sssd_enable_idp).

The problem is that on MacOS M1, I cannot use this plugin, and thus, the flow breaks when kinit receives a message from kerberos/idp that says preauthentication_required, where it should now show the IDP login url.

I wonder if any of the above is a correct guess, and if there is any way to compile sssd_krb5_idp_plugin.so for Mac and add it to kerberos, and then be able to get a ticket and ssh to servers in an ipa domain.

Thanks and again, sorry for putting this message here, but all traces I find point me to this repo :)

@sumit-bose
Contributor

Hi,

you are right about the plugin. The problem is that the plugin is written for the MIT implementation of the Kerberos protocol (https://web.mit.edu/Kerberos/) and MacOS is using the Heimdal implementation (https://github.com/heimdal/) which cannot use the plugin in its current state. I'm not even sure if Heimdal allows plugins for this stage (pre-authentication).

It would of course be possible to implement what is done by the SSSD plugin in Heimdal. I'm not sure how easy it would be to take the code with modifications directly because of the different licenses. However, this would not be an easy task and we do not have the resources to do this. But, of course, we would be happy to help with questions and explaining details if the Heimdal community would be interested in bringing this pre-authentication method to Heimdal.

HTH

bye,
Sumit

@jaimehrubiks
Author

Appreciate the response, thanks for clarifying!

What about the kerberos available through homebrew?
https://formulae.brew.sh/formula/krb5

It seems it is the MIT implementation. In fact, when I use it, it's clearly different: CLI params are the same as on Linux (as opposed to the built-in OSX version).

Any notes you can share with that in mind? At least for the sake of understanding it a bit or for future readers, as I myself don't have the knowledge to implement the plugin if it needs a rewrite.

@sumit-bose
Contributor

Hi,

with those packages it might work, but you still have to compile the plugin on MacOS. If this is done, a second obstacle might be that all the kerberized MacOS tools and services will still use the system Kerberos (Heimdal), so you have to make sure that you place the Kerberos tickets which you got by calling MIT's kinit into a credential cache which can be read by Heimdal as well. Best here would be the FILE: type credential ccaches, but the system's KCM: ccache might work as well.

bye,
Sumit
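The flow from the thread (anonymous kinit into an armor cache, then FAST kinit for the user) run with the Homebrew MIT kinit into a cache type that Heimdal can also read, as an added example that is not part of this issue or of SSSD. The Homebrew path, the Heimdal klist path and the ccache names are assumptions; the script also assumes the IdP plugin has already been built and enabled for the Homebrew krb5.

```shell
#!/bin/sh
# Added example, not SSSD or issue code. Runs the MIT kinit flow from the
# thread with an explicit shared credential cache so macOS's Heimdal tools
# can see the ticket afterwards. Paths below are assumptions.
set -eu

MIT_BIN="${MIT_BIN:-/opt/homebrew/opt/krb5/bin}"   # Homebrew krb5 (assumed path)
HEIMDAL_KLIST="${HEIMDAL_KLIST:-/usr/bin/klist}"    # system (Heimdal) klist

# Only accept cache types both implementations can open, per the comment
# above: FILE: is the safe choice, KCM: may work. A bare path becomes FILE:.
# MIT-private types such as DIR: or MEMORY: are rejected.
shared_ccache() {
  case "$1" in
    FILE:*|KCM:*) printf '%s\n' "$1" ;;
    *:*) return 1 ;;
    *) printf 'FILE:%s\n' "$1" ;;
  esac
}

# Step 1: anonymous PKINIT into a throw-away armor cache.
# Step 2: FAST-armored kinit for the real user, which is where the KDC's
#         IdP pre-authentication challenge is answered by the plugin.
# Step 3: read the resulting cache with both klists to confirm sharing works.
idp_kinit() {  # usage: idp_kinit user@REALM /path/or/TYPE:name
  user=$1
  cc=$(shared_ccache "$2") || { echo "cache type not readable by Heimdal: $2" >&2; return 1; }
  armor="FILE:${TMPDIR:-/tmp}/armor_$$"
  "$MIT_BIN/kinit" -n -c "$armor"
  "$MIT_BIN/kinit" -T "$armor" -c "$cc" "$user"
  "$MIT_BIN/klist" -c "$cc"
  "$HEIMDAL_KLIST" -c "$cc"
  rm -f "${armor#FILE:}"
  printf 'export KRB5CCNAME=%s\n' "$cc"
}

if [ $# -gt 0 ]; then
  idp_kinit "$1" "${2:-$HOME/.krb5cc_idp}"
fi
```

The final `export KRB5CCNAME=...` line is printed so the same cache can be handed to ssh and the other system tools that go through Heimdal.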
