-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/06/2010 09:07 AM, Sumit Bose wrote:
> On Mon, Dec 06, 2010 at 08:38:54AM -0500, Stephen Gallagher wrote:
>> On 12/03/2010 03:56 PM, Sumit Bose wrote:
>>>> Although it might be recommended, it is not necessary that the keytab
>>>> entry for FAST or the TGT validation comes from the same REALM; only the
>>>> KDC needs to know how to create tickets for the principal. One use case
>>>> e.g. would be a setup with AD and IPA where the user principal comes
>>>> from the AD realm and the host entry in the keytab from the IPA realm,
>>>> and both realms trust each other.
>>>
>> I don't understand still why just taking the last entry in the keytab
>> makes sense. If we have a contrived situation like the one you describe,
>> wouldn't it be more sensible for us to add an option to specify the
>> principal in the keytab that we're looking for, rather than hoping that
>> the last one in the list happens to be correct?
> I think this is a good idea. Would you mind opening a ticket to add
> krb5_validate_principal and krb5_fast_principal options?
Ok, I will do that. However, please modify the current patch so that we
just fail if we don't find the principal we expect.
- --
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkz88NAACgkQeiVVYja6o6Nz5wCfUAbBogbJppZqcXNH1PrY+YJ/
6EYAoKqI6fWuhWsWHBZpNpe3dx2XKBk2
=T5kT
-----END PGP SIGNATURE-----
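The point argued in this thread, looking up an explicitly named principal in the keytab and failing when it is absent rather than silently taking the last entry, as an added illustration (not SSSD's code, which uses libkrb5's keytab API). The parser below reads the MIT keytab file format (version 0x0502) from bytes, so it runs offline; the keytab contents, the principal names and the `find_principal`/`last_entry` helpers are all constructed here for the example and are not from the original message.

```python
import struct

# MIT keytab format (version 0x0502), all integers big-endian:
#   file    := 0x05 0x02 entry*
#   entry   := int32 size, then `size` bytes of:
#              uint16 ncomponents, counted realm, counted component*,
#              uint32 name_type, uint32 timestamp, uint8 vno8,
#              uint16 enctype, uint16 keylen, key bytes, [uint32 vno32]
#   counted := uint16 length, bytes
# A negative size marks a deleted slot whose |size| bytes are skipped.


def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def parse_keytab(data):
    """Return keytab entries as (principal, kvno, enctype, key) tuples, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # deleted or empty slot
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def _encode_entry(principal, kvno, enctype, key):
    """Encode one entry; name_type 1 is KRB5_NT_PRINCIPAL, timestamp left at 0."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        b = s.encode("utf-8")
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(_encode_entry(*e) for e in entries)


def last_entry(entries):
    """The heuristic questioned in the thread: whatever happens to be last."""
    return entries[-1]


def find_principal(entries, principal):
    """Explicit lookup: the configured principal, highest kvno, or a hard failure."""
    matches = [e for e in entries if e[0] == principal]
    if not matches:
        raise LookupError("principal %s not found in keytab" % principal)
    return max(matches, key=lambda e: e[1])


# Constructed sample keytab: two kvnos of the host key plus an unrelated
# service key stored last. Key bytes are dummies, enctypes 18/17 are
# aes256-cts and aes128-cts. Hostnames and realm are placeholders.
SAMPLE_KEYTAB = build_keytab([
    ("host/client.ipa.example.test@IPA.EXAMPLE.TEST", 2, 18, bytes(32)),
    ("host/client.ipa.example.test@IPA.EXAMPLE.TEST", 3, 18, bytes(range(32))),
    ("nfs/client.ipa.example.test@IPA.EXAMPLE.TEST", 1, 17, bytes(16)),
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    print("last entry:", last_entry(ents)[0])
    print("explicit:  ", find_principal(ents, "host/client.ipa.example.test@IPA.EXAMPLE.TEST")[:2])
```

With this keytab the "last entry" heuristic hands back the nfs service key, which is useless for validating a TGT issued for the host principal, while `find_principal` returns the host key at kvno 3 and raises `LookupError` for a principal that is not present, which is the fail-closed behaviour requested in the reply.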