As you may have seen on the krb5 mailing list [1], there was a problem with my patch [2] to limit the enctypes requested to those in the keytab.
This patch to krb5 was to help sssd work with keytabs generated by samba (which has no AES support) when used with AD running on Windows 2008 or later (which have AES support). We also patched sssd for this problem, so it can work with versions of krb5 that didn't have the aforementioned fix.
The problem [1] was solved [3] by Greg by getting the default_tkt_enctypes and sorting the ones in the keytab first.
However, it seems that we cannot trivially solve this problem in our sssd enctypes code in the same way. This is due to the fact that we don't have access to the default_tkt_enctypes beforehand. We have the following options:
1) Rewrite the way we kinit with a keytab. Use krb5_init_creds_init() + krb5_init_creds_set_keytab() + krb5_init_creds_get() instead of just krb5_get_init_creds_keytab().
2) Revert my patch to sssd, and tell people to upgrade to a recent krb5 1.11.x. This breaks sssd with samba generated keytabs and Windows 2008.
3) Leave my patch in sssd, and tell people not to set default_tkt_enctypes when using sssd, which would otherwise break their setup.
I realize this is a bit confusing, and hope I explained it well enough. Ping me if something doesn't make sense.
Stef
[1] http://mailman.mit.edu/pipermail/krbdev/2012-July/010998.html
[2] https://github.com/krb5/krb5/commit/8230c4b7b7323cdef2a6c877deb710a15380f40f
[3] https://github.com/krb5/krb5/commit/61659df1036d1ad6d6891293f5949e720a2028f7
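The three request strategies discussed in this thread can be compared with a small model. The following is an added example, not code from SSSD or MIT krb5: it builds the AS-REQ enctype list three ways (default_tkt_enctypes as configured, the reverted approach of keeping only keytab enctypes, and the krb5 1.11 approach of moving keytab enctypes to the front) and runs each against a toy KDC. The enctype numbers are the real RFC 3961/3962/4757 values; the default list, the strength ranking, the Samba keytab contents and the AD account keys are constructed for the example, and the toy KDC's policies (reply key = first requested enctype the account has a key for; session key chosen either in the client's order or by strength) are an assumption, since real KDCs differ.

```python
"""Model of the AS-REQ enctype list a keytab-based client sends, and its effect
on the KDC's reply key and session key choice.

Added example, not code from SSSD or MIT krb5.  The KDC model is a toy: the
reply key is the first requested enctype for which the client account has a
long-term key; the session key is chosen either in the client's order or by
strength (parameter, because real KDC behaviour varies).
"""

# Enctype numbers from RFC 3961, RFC 3962 and RFC 4757.
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
DES3_CBC_SHA1 = 16
AES128_CTS = 17
AES256_CTS = 18
ARCFOUR_HMAC = 23

# Constructed default_tkt_enctypes for the example (AES first, DES last).
DEFAULT_TKT_ENCTYPES = [AES256_CTS, AES128_CTS, DES3_CBC_SHA1, ARCFOUR_HMAC,
                        DES_CBC_CRC, DES_CBC_MD5]

# Constructed strength ranking for the toy KDC's "strongest" policy.
STRENGTH = [AES256_CTS, AES128_CTS, DES3_CBC_SHA1, ARCFOUR_HMAC,
            DES_CBC_MD5, DES_CBC_CRC]


def plain_request(default_tkt_enctypes, keytab_enctypes):
    """Ignore the keytab; send default_tkt_enctypes as configured."""
    return list(default_tkt_enctypes)


def restricted_request(default_tkt_enctypes, keytab_enctypes):
    """Reverted approach: drop every enctype the keytab has no key for."""
    return [e for e in default_tkt_enctypes if e in keytab_enctypes]


def keytab_first_request(default_tkt_enctypes, keytab_enctypes):
    """krb5 1.11 fix: configured list kept, keytab enctypes moved to the front."""
    in_keytab = [e for e in default_tkt_enctypes if e in keytab_enctypes]
    others = [e for e in default_tkt_enctypes if e not in keytab_enctypes]
    return in_keytab + others


def toy_kdc(requested, account_keys, kdc_supported, session_policy="client_order"):
    """Return (reply_key_enctype, session_key_enctype) or raise ValueError."""
    if not requested:
        raise ValueError("KDC_ERR_ETYPE_NOSUPP: empty enctype list")
    # Reply key: the KDC needs a long-term key of the account for this enctype.
    reply = next((e for e in requested if e in account_keys), None)
    # Session key: random, so any enctype both sides implement will do.
    if session_policy == "client_order":
        session = next((e for e in requested if e in kdc_supported), None)
    else:
        session = next((e for e in STRENGTH
                        if e in requested and e in kdc_supported), None)
    if reply is None or session is None:
        raise ValueError("KDC_ERR_ETYPE_NOSUPP")
    return reply, session


def as_exchange(strategy, default_tkt_enctypes, keytab_enctypes,
                account_keys, kdc_supported, session_policy="client_order"):
    """Run one AS exchange; return (outcome, reply_enctype, session_enctype).

    "ok": the client can decrypt the reply with a key from its keytab.
    "undecryptable": the KDC chose a reply key the keytab does not hold.
    "error": the KDC rejected the request.
    """
    requested = strategy(default_tkt_enctypes, keytab_enctypes)
    try:
        reply, session = toy_kdc(requested, account_keys, kdc_supported,
                                 session_policy)
    except ValueError:
        return ("error", None, None)
    if reply not in keytab_enctypes:
        return ("undecryptable", reply, session)
    return ("ok", reply, session)


# Constructed scenario modelled on the thread: the AD account got AES keys at
# join time, but the Samba-generated keytab only holds RC4 and DES keys.
SAMBA_KEYTAB = {ARCFOUR_HMAC, DES_CBC_CRC, DES_CBC_MD5}
AD_ACCOUNT_KEYS = {AES256_CTS, AES128_CTS, ARCFOUR_HMAC}
AD_SUPPORTED = {AES256_CTS, AES128_CTS, ARCFOUR_HMAC}

STRATEGIES = [("plain", plain_request),
              ("restricted", restricted_request),
              ("keytab_first", keytab_first_request)]


def compare_strategies(session_policy="client_order"):
    """Outcome of each strategy against the constructed AD/Samba scenario."""
    return {name: as_exchange(fn, DEFAULT_TKT_ENCTYPES, SAMBA_KEYTAB,
                              AD_ACCOUNT_KEYS, AD_SUPPORTED, session_policy)
            for name, fn in STRATEGIES}


if __name__ == "__main__":
    for policy in ("client_order", "strongest"):
        print(policy)
        for name, result in compare_strategies(policy).items():
            print(f"  {name:13s} {result}")
```

In the constructed scenario the plain list fails because the KDC encrypts the reply with AES, which the keytab cannot decrypt; both the restricted and the keytab-first lists get an RC4 reply key the client can use. The difference is that the keytab-first list still advertises the configured AES enctypes, so a KDC that prefers strong session keys can hand out an AES session key, and an administrator's default_tkt_enctypes with no overlap with the keytab yields an empty request (an error) under the restricted approach but is sent unchanged under the keytab-first approach.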
On 07/04/2012 06:01 PM, Stef Walter wrote:
- Rewrite the way we kinit with a keytab. Use krb5_init_creds_init() + krb5_init_creds_set_keytab() + krb5_init_creds_get() instead of just krb5_get_init_creds_keytab().
Hmmm, this doesn't seem to be an option. We don't have access to the krb5_kdc_req member of krb5_init_creds_context from outside of the krb5 library.
Cheers,
Stef
On Thu, 2012-07-05 at 10:47 +0200, Stef Walter wrote:
Hmmm, this doesn't seem to be an option. We don't have access to the krb5_kdc_req member of krb5_init_creds_context from outside of the krb5 library.
We discussed this on a phone call today. The decision we've made is that we're going to address this in libkrb5 rather than SSSD. We will backport the fix for krb5 1.11.x into the versions carried in RHEL and Fedora and recommend that other distributions do the same.
For this to work properly, we will revert the patch that Stef originally committed to SSSD.
On 07/05/2012 05:21 PM, Stephen Gallagher wrote:
We discussed this on a phone call today. The decision we've made is that we're going to address this in libkrb5 rather than SSSD. We will backport the fix for krb5 1.11.x into the versions carried in RHEL and Fedora and recommend that other distributions do the same.
For this to work properly, we will revert the patch that Stef originally committed to SSSD.
Here is a patch which does the revert. I've tested this with the latest krb5 from git master. Verified that without the revert the (DES related) corner case is broken, and with the revert the corner case works again.
Cheers,
Stef
On Fri, 2012-07-06 at 19:11 +0200, Stef Walter wrote:
Here is a patch which does the revert. I've tested this with the latest krb5 from git master. Verified that without the revert the (DES related) corner case is broken, and with the revert the corner case works again.
I tested a couple of basic use cases. No regressions noted.
Ack and pushed to master.
Please provide a version of this patch that will apply to the sssd-1-8 branch as well.
sssd-devel@lists.fedorahosted.org