On (09/06/16 11:44), Sumit Bose wrote:
On Thu, Jun 09, 2016 at 11:27:54AM +0200, Lukas Slebodnik wrote:
> On (08/06/16 11:41), Jakub Hrozek wrote:
> >On Fri, Apr 22, 2016 at 04:29:36PM +0200, Sumit Bose wrote:
> >> On Fri, Apr 22, 2016 at 03:20:56PM +0200, Jakub Hrozek wrote:
> >> > On Wed, Apr 13, 2016 at 03:45:22PM +0200, Sumit Bose wrote:
> >> > > Hi,
> >> > >
> >> > > this is a bit of a follow-up patch to "subdomains: inherit
> >> > > ldap_krb5_keytab". It turned out that if the default keytab contains
> >> > > some completely unrelated keys the SASL initialization might e.g. pick a
> >> > > wrong realm name because the alternative keytab was only added later
> >> > > during the initialization.
> >> > >
> >> > > bye,
> >> > > Sumit
> >> > >
> >> >
> >> > How do I test this patch? I tried to set:
> >> > krb5_keytab = /tmp/another.keytab
> >> > which was just a copy of the ordinary host keytab, but then lookups of
> >> > users from trusted domains stopped working..
> >>
> >> did you set 'subdomain_inherit = ldap_krb5_keytab' as well?
> >
> >No I didn't and that helped. With keytab moved to /tmp and
> >subdomain_inherit = ldap_krb5_keytab I was able to verify that lookups
> >for both main and child domain work. Before, the child domain lookups
> >errored out with "no ID ctx for domain..."
> >
> >ACK
> master:
> * cc4caf88344210ea9777d618f0f71935ca5e7f8b
>
> Do we want this patch also in 1.13 ?
I think this would be useful because without it our typical
recommendation when SSSD should connect to 2 different AD forests to use
two different keytabs might fail.
OK
sssd-1-13:
* c5eabcd8f2500cb563ec0381782ef695e4a1ab7c
LS