On 08/21/2009 06:17 AM, Sumit Bose wrote: > Hi, > this is the last patch in the series to add the basic support for AD as > a server. With this patch the kerberos backend will use the user > principal name provided by the server to get the TGT. To make the client > side kerberos libraries happy the realm part is always made upper case. > bye, > Sumit > ------------------------------------------------------------------------ > _______________________________________________ > sssd-devel mailing list > sssd-devel(a)lists.fedorahosted.org > https://fedorahosted.org/mailman/listinfo/sssd-devel Ack.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkqO0bQACgkQeiVVYja6o6MG3QCfTSXYQE1EHUr6oLRFn6glkpsM +6UAn1wn2f+muUrmBTcs3aPKeR+frh01 =xvuE -----END PGP SIGNATURE-----

On Fri, 2009-08-21 at 12:17 +0200, Sumit Bose wrote: > Hi, > > this is the last patch in the series to add the basic support for AD as > a server. With this patch the kerberos backend will use the user > principal name provided by the server to get the TGT. To make the client > side kerberos libraries happy the realm part is always made upper case. Unfortunately this patch has already been acked an committed, but I do not agree with the way it has been implemented. The upper case hack is an AD specific hack, and should *not* be implemented in the kerberos backend. Rather it should be implemented as an hack in the ldap driver.

Note that Windows servers are fine with the lower case because they do some quite aggressive canonicalization at the server side. Moreover the UPN can easily be != username+@+upper(REALM), so the hack should be activate only through an option, so that it can be disabled if kerberos libraries become able to cope with the UPN as provided via LDAP by AD.

On Mon, Aug 24, 2009 at 11:19:01AM +0200, Sumit Bose wrote: > On Sun, Aug 23, 2009 at 05:40:16PM -0400, Simo Sorce wrote: > > On Fri, 2009-08-21 at 12:17 +0200, Sumit Bose wrote: > > > Hi, > > > > > > this is the last patch in the series to add the basic support for AD as > > > a server. With this patch the kerberos backend will use the user > > > principal name provided by the server to get the TGT. To make the client > > > side kerberos libraries happy the realm part is always made upper case. > > > > Unfortunately this patch has already been acked an committed, but I do > > not agree with the way it has been implemented. > > > > The upper case hack is an AD specific hack, and should *not* be > > implemented in the kerberos backend. > > Rather it should be implemented as an hack in the ldap driver. > > ok, you are right, the current version would force the restriction of > upper case only realm names, which might not always be what we want. > > > > > Note that Windows servers are fine with the lower case because they do > > some quite aggressive canonicalization at the server side. > > Moreover the UPN can easily be != username+@+upper(REALM), so the hack > > should be activate only through an option, so that it can be disabled if > > kerberos libraries become able to cope with the UPN as provided via LDAP > > by AD. > > > > ok, I'll provide a patch for both after 0.5.0 is released. > ok, here is the patch

On Mon, 2009-08-24 at 16:05 +0200, Sumit Bose wrote: > > this is a updated version of the patch which reflects a discussion on > IRC: > > - the upn is copied before getting modified > - force_upper_case_realm is handled as a boolean Looks good to me.