sumit-bose
commented
3 weeks ago Hi,
you are right about the plugin. The problem is that the plugin is written for the MIT implementation of the Kerberos protocol (https://web.mit.edu/Kerberos/) and MacOS is using the Heimdal implementation (https://github.com/heimdal/) which cannot use the plugin in its current state. I'm not even sure if Heimdal allows plugins for this stage (pre-authentication).
It would of course be possible to implement what is done by the SSSD plugin in Heimdal. I'm not sure how easy it would be to take the code with modifications directly because of the different licenses. However, this would not be an easy task and we do you have the resources to do this. But, of course, we would be happy to help with questions and explaining details if the Heimdal community would be interested in bringing this pre-authentication method to Heimdal.
HTH
bye, Sumit
jaimehrubiks
I apologize if this is not the right place to ask. I'm pretty new to sssd and kerberos.
Using Linux, I've managed to use kinit -n -c file && kinit -T file user to get a kerberos ticket from an IPA server (that uses external IDP), from a server that does not have IPA installed at all. Once I have the ticket, I can list it with klist, and I'm able to SSH to any server using GSSAPI without specifying any pwd or key.
I believe (of course, again, I could be wrong) that it works great thanks to this file and plugin (src/krb5_plugin/idp/sssd_enable_idp).
The problem is that on MacOS M1, I cannot use this plugin, and thus, the flow breaks when kinit receives a message from kerberos/idp that says preauthentication_required, where it should now show the IDP login url.
I wonder if any of the above is a correct guess, and if there is any way to compile sssd_krb5_idp_plugin.so for Mac and add it to kerberos, and then be able to get a ticket and ssh to servers in an ipa domain.
Thanks and again, sorry for putting this message here, but all traces I find point me to this repo :)