This is a setup specifically considering the RStudio Pro Docker image, and getting Kerberos-based authentication set up without having to join the domain (i.e. the idea should be that you can spin up a container anywhere/anytime without having to save the domain-join state).
If you domain-join the container then you can use realmd etc. for a quick setup, but for non-domain-joined, PAM/SSSD is so difficult that it seems a bit silly to keep reinventing the wheel individually.
Also, advice on the internet rarely/never provides an entire working configuration to test with, which makes it even more difficult.
The R documentation is great but it's still a huge effort to get a working implementation.
Looking for a show of hands to see who would be interested in getting a working RStudio Pro Docker container with:
- SSSD against Active Directory
- not domain joined
- logins Kerberos
- SQL Kerberos
- drive mappings Kerberos
I would have thought this would exist already, and that authenticating an RStudio Pro Docker container against Active Directory would be highly desirable for a lot of RStudio Pro customers, but maybe not.
I have already completed an implementation here that does:
- PAM Kerberos authentication against Microsoft AD
- reuse of Kerberos ticket for Microsoft SQL auth
- automated home directory creation
- s6 overlay for service management (original tini service manager only manages 1 process)
- doesn't need to do a domain join! (all other domain integrations I've seen on the net require a domain join, which makes containerisation almost pointless if you need to save the state)
- included an Active Directory environment (Ansible) that you can spin up to verify the configuration works
Still missing is this stuff:
- Kerberos-based drive mapping
- not sure s6 is really capturing all the logs emitted
- documentation