On (08/06/16 11:41), Jakub Hrozek wrote:
On Fri, Apr 22, 2016 at 04:29:36PM +0200, Sumit Bose wrote:
> On Fri, Apr 22, 2016 at 03:20:56PM +0200, Jakub Hrozek wrote:
> > On Wed, Apr 13, 2016 at 03:45:22PM +0200, Sumit Bose wrote:
> > > Hi,
> > >
> > > this is a bit of a follow-up patch to "subdomains: inherit
> > > ldap_krb5_keytab". It turned out that if the default keytab contains
> > > some completely unrelated keys the SASL initialization might e.g. pick a
> > > wrong realm name because the alternative keytab was only added later
> > > during the initialization.
> > >
> > > bye,
> > > Sumit
> > >
> >
> > How do I test this patch? I tried to set:
> > krb5_keytab = /tmp/another.keytab
> > which was just a copy of the ordinary host keytab, but then lookups of
> > users from trusted domains stopped working..
>
> did you set 'subdomain_inherit = ldap_krb5_keytab' as well?

No I didn't and that helped. With keytab moved to /tmp and
subdomain_inherit = ldap_krb5_keytab I was able to verify that lookups
for both main and child domain work. Before, the child domain lookups
errored out with "no ID ctx for domain..."

ACK

master:
* cc4caf88344210ea9777d618f0f71935ca5e7f8b

Do we want this patch also in 1.13?

LS