pythongssapi / requests-gssapi

An authentication handler for using GSSAPI with Python Requests. Drop-in replacement for old requests-kerberos.

GSS-Proxy Support #21

Closed superteece closed 4 years ago

superteece commented 4 years ago

Is the ability to point to gss-proxy available? I see that I can set a ccache in the env but my understanding is that the ccache created during delegation is only readable by gss-proxy. Setting that env var to the gss-proxy ccache failed to authenticate anyway. Apologies if there's a better place to ask this question, super novice here :)

frozencemetery commented 4 years ago

gssproxy will be enabled or not for any GSSAPI application (including those that use python-gssapi, like requests-gssapi) based on the GSS_USE_PROXY variable.

To put it a different way: use of gssproxy is intended to be transparent to any application which uses GSSAPI. So yes, it's available.

Does that make sense?

superteece commented 4 years ago

I think I get it. I have GSS_USE_PROXY=1 in /etc/systemd/system/httpd.service but I also need it in the venv for my app?

superteece commented 4 years ago

I added that variable to my others in the application and I do not see a behavior change. My key indicator that the proxy isn't being used is the log on the KDC reports "CONSTRAINED-DELEGATION s4u-client=HTTP/<service principal>" instead of "CONSTRAINED-DELEGATION s4u-client= like I see when accessing the FreeIPA framework.

But I get that my issue is out of scope for an issue in your repo. If anyone is up for talking through it I am hanging out in Freenode #gssproxy.

frozencemetery commented 4 years ago

It's out of scope, but it's still my problem :) Let's move to email/IRC.
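
One way to check the question raised in this thread, whether the process running the application actually sees `GSS_USE_PROXY`, as an added example that is not part of the original thread or of requests-gssapi: it compares the `Environment=` lines of a systemd unit with the NUL-separated environment in `/proc/<pid>/environ`. The sample unit text and environment block are constructed, and the function names are this example's own.

```python
import shlex
import sys
from pathlib import Path

VAR = "GSS_USE_PROXY"  # variable named in the thread
# Constructed sample inputs (not taken from the systems discussed in the thread).
SAMPLE_UNIT = '[Service]\nEnvironment="GSS_USE_PROXY=1" LANG=C\n'
SAMPLE_ENVIRON = b"LANG=C\0PATH=/usr/bin\0"  # a process that did not inherit VAR

def parse_environ(block):
    """Parse /proc/<pid>/environ content: NUL-separated KEY=VALUE entries."""
    env = {}
    for entry in block.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if key and sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def unit_environment(unit_text):
    """Collect Environment= assignments from systemd unit text."""
    env = {}
    for line in unit_text.splitlines():
        name, sep, rest = line.strip().partition("=")
        if name != "Environment" or not sep:
            continue
        if not rest:
            env.clear()  # an empty assignment resets the list
        for item in shlex.split(rest):
            key, sep, value = item.partition("=")
            if key and sep:
                env[key] = value
    return env

def diagnose(unit_text, environ_block):
    """Say where VAR is visible: in the process, only in the unit, or nowhere."""
    in_unit = unit_environment(unit_text).get(VAR)
    in_proc = parse_environ(environ_block).get(VAR)
    if in_proc is not None:
        return f"process has {VAR}={in_proc}"
    if in_unit is not None:
        return f"unit sets {VAR}={in_unit} but this process did not receive it"
    return f"{VAR} is not set in the unit or the process"

if __name__ == "__main__":
    unit, block = SAMPLE_UNIT, SAMPLE_ENVIRON
    if len(sys.argv) == 3:  # arguments: <unit-file> <pid>
        unit = Path(sys.argv[1]).read_text()
        block = Path("/proc", sys.argv[2], "environ").read_bytes()
    print(diagnose(unit, block))
```

`/proc/<pid>/environ` shows the environment the process was started with, so a variable assigned later from inside the application (for example through `os.environ`) does not appear there.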