superteece closed this issue 4 years ago
gssproxy will be enabled or not for any GSSAPI application (including those that use python-gssapi, like requests-gssapi) based on the GSS_USE_PROXY variable.
To put it a different way: use of gssproxy is intended to be transparent to any application which uses GSSAPI. So yes, it's available.
Does that make sense?
I think I get it. I have GSS_USE_PROXY=1 in /etc/systemd/system/httpd.service but I also need it in the venv for my app?
I added that variable to my others in the application and I do not see a behavior change. My key indicator that the proxy isn't being used is the log on the KDC reports "CONSTRAINED-DELEGATION s4u-client=HTTP/<service principal" instead of "CONSTRAINED-DELEGATION s4u-client=
But I get that my issue is out of scope for an issue in your repo. If anyone is up for talking through it I am hanging out in Freenode #gssproxy.
It's out of scope, but it's still my problem :) Let's move to email/IRC.
Is the ability to point to gss-proxy available? I see that I can set a ccache in the env but my understanding is that the ccache created during delegation is only readable by gss-proxy. Setting that env var to the gss-proxy ccache failed to authenticate anyway. Apologies if there's a better place to ask this question, super novice here :)
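For the question above about where `GSS_USE_PROXY` has to be set, one way to compare what the unit file declares with what a running process actually received. This is an added example, not code from the thread or from the gssproxy project; the sample unit text and environ bytes are constructed, and the parser handles only plain `Environment=` lines (no line continuations, no `EnvironmentFile=`).

```python
import shlex

VAR = "GSS_USE_PROXY"

def unit_environment(unit_text):
    """Variables set by Environment= lines in a unit's [Service] section."""
    env, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "Environment":
            continue
        value = value.strip()
        if not value:                      # empty assignment resets the list
            env.clear()
            continue
        for item in shlex.split(value):    # handles "NAME=value" quoting
            name, eq, val = item.partition("=")
            if eq:
                env[name] = val
    return env

def process_environment(blob):
    """Parse the NUL-separated bytes read from /proc/<pid>/environ.
    That file shows the environment the process was started with."""
    env = {}
    for entry in blob.split(b"\0"):
        name, eq, val = entry.partition(b"=")
        if eq:
            env[name.decode(errors="replace")] = val.decode(errors="replace")
    return env

def report(unit_text, environ_blob):
    """Value of GSS_USE_PROXY as declared in the unit and as seen by the process."""
    return {"unit": unit_environment(unit_text).get(VAR),
            "process": process_environment(environ_blob).get(VAR)}

# Constructed samples: the unit declares the variable, the process lacks it.
SAMPLE_UNIT = ('[Unit]\nDescription=constructed sample\n[Service]\n'
               'Environment="GSS_USE_PROXY=1" LANG=C\n'
               'ExecStart=/usr/sbin/httpd -DFOREGROUND\n')
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LANG=C\0"

if __name__ == "__main__":
    print(report(SAMPLE_UNIT, SAMPLE_ENVIRON))
```

On a live host, pass the contents of the unit file and of `/proc/<pid>/environ` for the worker process that loads GSSAPI; a `None` on the process side means that process was started without the variable.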