On Mon, Jun 01, 2015 at 08:02:43PM -0400, Simo Sorce wrote:
> On Thu, 2015-05-28 at 11:29 +0200, Jakub Hrozek wrote:
>> On Thu, May 28, 2015 at 11:09:50AM +0200, Pavel Reichl wrote:
>>>
>>> On 05/28/2015 11:04 AM, Jakub Hrozek wrote:
>>>> On Wed, May 27, 2015 at 09:40:13AM +0200, Jakub Hrozek wrote:
>>>>> On Tue, May 26, 2015 at 04:36:18PM +0200, Pavel Reichl wrote:
>>>>>> From 923e68ba56f276db473a38fffe339a0dc9770a4f Mon Sep 17 00:00:00 2001
>>>>>> From: Pavel Reichl <preichl(a)redhat.com>
>>>>>> Date: Thu, 30 Apr 2015 06:43:05 -0400
>>>>>> Subject: [PATCH] krb5: new option krb5_map_user
>>>>>>
>>>>>> New option `krb5_map_user` providing mapping of ID provider names to
>>>>>> Kerberos principals.
>>>>>>
>>>>>> Resolves:
>>>>>> https://fedorahosted.org/sssd/ticket/2509
>>>>> [...]
>>>>>
>>>>>> + <quote>joe</quote> and
<quote>dick</quote> are
>>>>>> + UNIX user names and
<quote>juser</quote> and
>>>>>> + <quote>richard</quote>
are primaries of kerberos
>>>>>> + principals. For user
<quote>joe</quote> resp.
>>>>>> + <quote>dick</quote>
SSSD will try to kinit as
>>>>>> +
<quote>dick@REALM</quote> resp.
>>>>> kinit as juser@REALM right?
>>>>>
>>>>>> +
<quote>richard@REALM</quote>.
>>>>>> + </para>
>>>>>> +
>>>>>> + <para>
>>>>>> + Default: not set
>>>>>> + </para>
>>>>>> + </listitem>
>>>>>> + </varlistentry>
>>>>>> +
>>>>>> </variablelist>
>>>>>> </para>
>>>>>> </refsect1>
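Review bot: the example in this para is internally inconsistent: the preceding sentence pairs joe with juser and dick with richard, but the kinit sentence then says SSSD will try to kinit as dick@REALM resp. richard@REALM for joe resp. dick; the first principal should read juser@REALM. The text also never says what REALM stands for; state that it is the realm configured for the provider (the option cannot express a per-user realm as written), so an admin with several realms knows what they are getting.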
>>>>> But since this is the last nitpick I found (for real this time :-)) I
>>>>> can fix this up locally and push..
>>>> Attached is a patch I'm about to push.
>>>>
>>> Man page looks good to me. Sorry for so many mistakes in such a short text.
>> CI link: http://sssd-ci.duckdns.org/logs/job/16/06/summary.html
>> * master: aa8a8318aaa3270e9d9957d0c22dec6342360a37
>> * sssd-1-12: c494e100f9b2422e2890507f63019afcaff9b7c6
>>
>> I still think it makes sense to push the patch to sssd-1-12 as well --
>> it's not too risky and there's quite a few users who'd like to see this
>> feature.
> I know this has been pushed already, but I am not very happy about this
> feature.
> Why is krb5_primary missing the realm part ?
> We already support trust relationships with kerberos why can't I have:
> joe:jbar@SUB1.REALM.COM, jane:jbar@SUB2.REALM.COM ?
>
> I think allowing shortcuts may be fine but we should also allow admin to
> explicitly map to a specific realm.
We can extend the feature, I don't think it would be too
problematic. But the main use-case so far is very narrow -- laptop users
who don't want to convert away from their UNIX user but would like to
use the SSSD goodies like delayed kinit. So we started simple.
Feel free to file a ticket, Pavel can extend the mapping..
Sure, it should not take long to add this feature.
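To make the mapping discussed above concrete, here is an added illustration (not SSSD source code) of how a krb5_map_user value is turned into the principal SSSD would kinit as. It assumes the value is a comma-separated list of `unixname:primary` pairs, which is the form the shipped option is documented to take but is not shown on this page, and it also accepts `unixname:primary@REALM`, which is the per-user realm Simo asks for in the thread and is only an assumed extension here, not something the pushed patch supports. The sample values are constructed from the names used in the thread.

```python
"""Resolve UNIX user names to Kerberos principals via a krb5_map_user-style map.

Added illustration, not SSSD source. Assumptions: the option value is a
comma-separated list of "unixname:primary" pairs (the form the shipped option
is documented to use), and, as the extension Simo asks for in the thread, a
"unixname:primary@REALM" pair pins that one user to an explicit realm.
"""
from typing import Dict, Optional, Tuple

# (primary, explicit_realm_or_None) keyed by UNIX user name.
UserMap = Dict[str, Tuple[str, Optional[str]]]


def parse_krb5_map_user(value: str) -> UserMap:
    """Parse a krb5_map_user value into {unix_user: (primary, realm)}.

    Malformed entries raise ValueError so that a typo in sssd.conf fails
    loudly at config load instead of silently mapping nobody.
    """
    mapping: UserMap = {}
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or blank entry
        if entry.count(":") != 1:
            raise ValueError(f"expected 'unixname:primary', got {entry!r}")
        unix_name, principal = (p.strip() for p in entry.split(":"))
        if not unix_name or not principal:
            raise ValueError(f"empty user or principal in {entry!r}")
        # Assumed extension: an explicit realm after '@' pins this user's realm.
        primary, at, realm = principal.partition("@")
        if not primary or (at and not realm):
            raise ValueError(f"empty primary or realm in {entry!r}")
        if unix_name in mapping:
            raise ValueError(f"duplicate mapping for UNIX user {unix_name!r}")
        mapping[unix_name] = (primary, realm or None)
    return mapping


def principal_for(unix_name: str, mapping: UserMap, default_realm: str) -> str:
    """Return the principal SSSD would kinit as for a UNIX user.

    Unmapped users keep their UNIX name as the primary; a mapping without an
    explicit realm falls back to the provider-wide realm (krb5_realm).
    """
    primary, realm = mapping.get(unix_name, (unix_name, None))
    return f"{primary}@{realm or default_realm}"


if __name__ == "__main__":
    # Constructed sample values, matching the names quoted in the thread.
    simple = parse_krb5_map_user("joe:juser, dick:richard")
    for user in ("joe", "dick", "jane"):
        print(user, "->", principal_for(user, simple, "REALM"))

    pinned = parse_krb5_map_user("joe:jbar@SUB1.REALM.COM, jane:jbar@SUB2.REALM.COM")
    for user in ("joe", "jane"):
        print(user, "->", principal_for(user, pinned, "REALM.COM"))
```

With only a primary in the map, every mapped user ends up in the provider-wide realm, which is exactly the limitation Simo points at; the `@REALM` form shows what the extended option would have to carry for trust setups where the same primary exists in two sub-realms. Because the map decides which identity a user authenticates as, the parser rejects duplicates and half-written entries rather than skipping them.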
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel