Hi,
this is the last patch in the series to add the basic support for AD as a server. With this patch the kerberos backend will use the user principal name provided by the server to get the TGT. To make the client side kerberos libraries happy the realm part is always made upper case.
bye, Sumit
On 08/21/2009 06:17 AM, Sumit Bose wrote:
> this is the last patch in the series to add the basic support for AD as a server. With this patch the kerberos backend will use the user principal name provided by the server to get the TGT. To make the client side kerberos libraries happy the realm part is always made upper case.
>
> bye, Sumit

Ack.
-- Stephen Gallagher RHCE 804006346421761
On 08/21/2009 08:16 AM, Stephen Gallagher wrote:
> Ack.

Pushed to master.

-- Stephen Gallagher
On Fri, 2009-08-21 at 12:17 +0200, Sumit Bose wrote:
> To make the client side kerberos libraries happy the realm part is always made upper case.

Unfortunately this patch has already been acked and committed, but I do not agree with the way it has been implemented.

The upper case hack is an AD specific hack, and should *not* be implemented in the kerberos backend. Rather it should be implemented as a hack in the ldap driver.

Note that Windows servers are fine with the lower case because they do some quite aggressive canonicalization at the server side. Moreover the UPN can easily be != username+@+upper(REALM), so the hack should be activated only through an option, so that it can be disabled if kerberos libraries become able to cope with the UPN as provided via LDAP by AD.

Simo.
On Sun, Aug 23, 2009 at 05:40:16PM -0400, Simo Sorce wrote:
> Unfortunately this patch has already been acked and committed, but I do not agree with the way it has been implemented.
>
> The upper case hack is an AD specific hack, and should *not* be implemented in the kerberos backend. Rather it should be implemented as a hack in the ldap driver.

ok, you are right, the current version would force the restriction of upper case only realm names, which might not always be what we want.

> Note that Windows servers are fine with the lower case because they do some quite aggressive canonicalization at the server side. Moreover the UPN can easily be != username+@+upper(REALM), so the hack should be activated only through an option, so that it can be disabled if kerberos libraries become able to cope with the UPN as provided via LDAP by AD.

ok, I'll provide a patch for both after 0.5.0 is released.

bye, Sumit
On Mon, Aug 24, 2009 at 11:19:01AM +0200, Sumit Bose wrote:
> ok, I'll provide a patch for both after 0.5.0 is released.

ok, here is the patch

bye, Sumit
On Mon, Aug 24, 2009 at 03:21:45PM +0200, Sumit Bose wrote:
> ok, here is the patch

this is an updated version of the patch which reflects a discussion on IRC:
- the upn is copied before getting modified
- force_upper_case_realm is handled as a boolean

bye, Sumit
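The behaviour the thread settles on (copy the UPN before touching it, upper-case only the realm part, and make that an opt-in boolean named force_upper_case_realm), written out as an added C example. This is not SSSD's code and not the patch posted here. Only the option name and the copy-before-modify rule come from the thread; the function name upn_to_principal, the handling of a backslash-escaped '@' in the user part, the pass-through of a name without a realm, and the rejection rules for malformed input are this example's own assumptions, and the sample UPNs in main() are constructed.

```c
/* Added example, not SSSD's own code: derive the principal string handed to
 * the Kerberos client library from the userPrincipalName AD returned. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Locate the '@' that separates the user part from the realm.  Kerberos
 * principal syntax lets a backslash escape an '@' inside the user part, and
 * the value comes from LDAP and is untrusted, so skip escaped characters and
 * return the first unescaped '@' (NULL if there is none).  Assumption of this
 * example: AD itself never puts an unescaped '@' in the user part. */
static const char *find_realm_sep(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                break;              /* trailing backslash escapes nothing */
            p++;                    /* skip the escaped character */
            continue;
        }
        if (*p == '@')
            return p;
    }
    return NULL;
}

/* Return a newly allocated principal (caller frees); the input is never
 * modified.  With force_upper_case_realm the realm part after the unescaped
 * '@' is upper-cased, otherwise the UPN is passed through as AD supplied it.
 * A name without '@' is returned unchanged so the library can apply its
 * default realm.  NULL is returned for NULL or empty input, an empty user
 * part, an empty realm, a second unescaped '@', or allocation failure. */
char *upn_to_principal(const char *upn, bool force_upper_case_realm)
{
    if (upn == NULL || *upn == '\0')
        return NULL;

    const char *sep = find_realm_sep(upn);
    if (sep != NULL) {
        if (sep == upn || sep[1] == '\0')
            return NULL;            /* "@REALM" or "user@" */
        if (find_realm_sep(sep + 1) != NULL)
            return NULL;            /* "a@b@c" is malformed */
    }

    size_t len = strlen(upn);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, upn, len + 1);      /* copy first, then modify only the copy */

    if (force_upper_case_realm && sep != NULL) {
        /* AD realm names are DNS names, so ASCII toupper() is sufficient. */
        for (char *p = out + (sep - upn) + 1; *p != '\0'; p++)
            *p = (char)toupper((unsigned char)*p);
    }
    return out;
}

/* Helper for checking results: 1 if upn_to_principal() yields `expected`
 * (both NULL counts as equal), 0 otherwise.  Frees the intermediate copy. */
int principal_equals(const char *upn, bool force_upper_case_realm,
                     const char *expected)
{
    char *got = upn_to_principal(upn, force_upper_case_realm);
    int eq = (got == NULL || expected == NULL)
                 ? (got == NULL && expected == NULL)
                 : (strcmp(got, expected) == 0);
    free(got);
    return eq;
}

int main(void)
{
    /* Constructed sample UPNs, shaped like what AD returns over LDAP. */
    const char *samples[] = {
        "jdoe@ad.example.com",      /* lower-case realm, as AD stores it */
        "jdoe@corp.example",        /* UPN suffix that is not the domain */
        "j\\@doe@ad.example.com",   /* escaped '@' inside the user part */
        "jdoe",                     /* no realm at all */
        "@ad.example.com",          /* malformed: empty user part */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *p = upn_to_principal(samples[i], true);
        printf("%-26s -> %s\n", samples[i], p ? p : "(rejected)");
        free(p);
    }
    return 0;
}
```

Keeping the transformation behind the boolean means the lower-case UPN can be handed to the Kerberos library untouched once it can cope with AD's canonicalization, which is the disable path Simo asked for.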
On Mon, 2009-08-24 at 10:13 -0400, Simo Sorce wrote:
> Looks good to me.

and pushed to master

Simo.