Is it possible to use Kerberos over TLS through sssd?

tls pam sssd kerberos amazon-elb

Solution 1:

What you want to achieve with RFC 6251 is not possible with MIT Kerberos as there are no plans to implement this scheme. However, since MIT Kerberos 1.13 there is support for proxying Kerberos over HTTPS by supporting the same protocol that Microsoft's Active Directory does support, MS-KKDCP. The client side for MS-KKDCP was backported to RHEL 7 as well (https://rhn.redhat.com/errata/RHSA-2015-0439.html).

The functionality depends on ability to proxy Kerberos traffic by the clients. SSSD running on RHEL 7/CentOS 7 should be able to do so. Amazon Linux does not have this version of Kerberos library, I think, so your approach would not work.

In addition, Amazon's Simple AD is Samba AD built with Heimdal kerberos. It is also not supporting MS-KKDCP, so cannot be used as a MS-KKDCP proxy.

Related

Is there a way to find out what cluster or vcenter an ESX server is on?
Domain Registrar Reseller Won't Provide EPP for Transfer
Nginx log to syslog on TCP port
In Nginx, map specific subdomains to ports, redirect all others
Exporting on-prem SQL Server to Azure SQL using BAPAC fails because of users with Windows Auth
Best Practice: notify email sender that their reverse lookup is broken
proc's limit and ulimit -f don't match
Docker: correct way to restrict access to certain IP addresses
ESXi can't add new VM to port group once VMKernel NIC attached to group
Dynamic grouping of machines based on "Managed by" Active Directory Attribute
Enable SSLv3 on ESXi 6.5
SSL certificate working in chrome but not openssl s_client or curl