On Mon, Dec 06, 2010 at 09:18:56AM -0500, Stephen Gallagher wrote:
On 12/06/2010 09:07 AM, Sumit Bose wrote:
> On Mon, Dec 06, 2010 at 08:38:54AM -0500, Stephen Gallagher wrote:
> On 12/03/2010 03:56 PM, Sumit Bose wrote:
>>>>> Although it might be recommended it is not necessary that the keytab
>>>>> entry for FAST or the TGT validation comes from the same REALM, only the
>>>>> KDC needs to know how to create tickets for the principal. One use case
>>>>> e.g. would be a setup with AD and IPA where the user principal comes
>>>>> from the AD realm and the host entry in the keytab from the IPA realm
>>>>> and both realms trust each other.
>>>>
>
> I don't understand still why just taking the last entry in the keytab
> makes sense. If we have a contrived situation like the one you describe,
> wouldn't it be more sensible for us to add an option to specify the
> principal in the keytab that we're looking for, rather than hoping that
> the last one in the list happens to be correct?
>
>> I think this is a good idea. Would you mind opening a ticket to add
>> krb5_validate_principal and krb5_fast_principal options?
Ok, I will do that. However, please modify the current patch so that we
just fail if we don't find the principal we expect.
ok, done. I also fixed an issue with offline authentication. New patches
attached.
bye,
Sumit
-- 
Stephen Gallagher
RHCE 804006346421761
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel