URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: opened
PR body: """ This allows configuration of KCM to attempt renewals for renew-applicable kerberos tickets stored in kcm, such as a TGT retrieved with `kinit` on the command-line.
krb5* renewal and lifetime options are configurable in the [kcm] section; if they do not exist in the [kcm] section then we check and fall back to using the first `auth_provider=krb5` domain in sssd.conf.
This support is only added to the secdb ccache backend. The overall high-level logic used here is similar to the existing pam_sss krb5 renewal code, adding necessary changes to unmarshal and retrieve ticket information from KCM secrets db.
Renewal is only attempted after half of the tgt lifetime has been reached. """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: +Waiting for review
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
frozencemetery commented: """ (I'll want to review this once it passes CI.) """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-756832041
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: -Waiting for review
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: +Waiting for review
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ Latest CI failures are unrelated. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-760264220
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ This is ready for review, latest CI failures are unrelated. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-760264220
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
frozencemetery commented: """ (krb5 discussion PR: https://github.com/krb5/krb5/pull/1153 ) """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-760546977
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
frozencemetery commented: """ Hi, you've written "fixed" below several things, but the code isn't changed. Are you missing a push? """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-763083343
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """
I've started discussion upstream in krb5 about making public functions for cred marshalling in krb5. This would allow SSSD to avoid reimplementing several hundred lines of parser logic to produce a krb5_creds object - which seems preferable to me.
In the interest of providing other feedback, though, I've reviewed the code as it stands - noting as usual that I'm not reviewing talloc logic and deep SSSD-isms. There are several persistent problems that come up frequently enough that I think it's clearer to call out here rather than marking each instance.
Style violations (So that we're all on the same page, I'm referring to SSSD coding style: https://sssd.io/docs/developers/coding_style.html )
* Weird whitespace - it's easy to spot these reading through the github viewer because things don't line up. Coding style says "MUST: No tabs all indentation 4 spaces." (Presumably this isn't true for Makefiles, which are required to be tabs; there are some problems there too.)
* line lengths - While it's not a "MUST", < 80 character lines are "HIGHLY RECOMMENDED".
* goto labels: I believe the use of "immediate" should be replaced with "done"/"fail".
* Multi-line comments "MUST" have `/*` and `*/` on their own lines, as well as being "real sentences" and resembling "real paragraphs".
* Mid-function variable declaration - "MUST: Always declare variables at the top of the function or block."
General clarity things:
* `ret = foo; return ret;`. There's no need for this; just `return ret`.
* `return foo; done: return foo;`. The double return is redundant, and moreover the label isn't necessary at all; just return directly within the function.
Further comments are inline.
Thanks very much for the review. I have addressed most of the in-line comments, but I still need to fix the style issues you mention here in this specific comment.
I'll push to the PR again once done. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-763096248
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ I addressed several of the aforementioned issues, I'll make a second pass tomorrow. I could not find any instances of `Mid-function variable declaration` but maybe I missed it when looking over the changes.
Thanks again for the review and also for submitting a request to make the marshalling/unmarshalling functions public! """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-763153281
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
frozencemetery commented: """ The krb5 PR has merged upstream. For convenience, I've backported the two functions to Fedora rawhide starting in krb5-1.19-0.beta2.3.fc34. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-769201656
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
sumit-bose commented: """
The krb5 PR has merged upstream. For convenience, I've backported the two functions to Fedora rawhide starting in krb5-1.19-0.beta2.3.fc34.
Hi Robbie,
thanks for the effort. What would be your suggestion for the way forward? We can add a configure check if the new functions are already available. But if they are not available would you recommend to fall-back to the SSSD implementation of the functions or to build sssd_kcm without the certificate renewal feature?
bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-769245702
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
frozencemetery commented: """
thanks for the effort. What would be your suggestion for the way forward? We can add a configure check if the new functions are already available. But if they are not available would you recommend to fall-back to the SSSD implementation of the functions or to build sssd_kcm without the certificate renewal feature?
(Assuming this is a typo for "credential renewal".)
My preference would be to not build the functionality. If there's an older release you need this functionality on, I can probably backport it.
The point is to allow sssd-kcm to not carry code for {de,}serializing the credentials objects. It reduces testing burden, and it makes debugging for us easier in the event that there are any issues. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-769282308
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
sumit-bose commented: """
thanks for the effort. What would be your suggestion for the way forward? We can add a configure check if the new functions are already available. But if they are not available would you recommend to fall-back to the SSSD implementation of the functions or to build sssd_kcm without the certificate renewal feature?
(Assuming this is a typo for "credential renewal".)
yes :-)
My preference would be to not build the functionality. If there's an older release you need this functionality on, I can probably backport it.
The point is to allow sssd-kcm to not carry code for {de,}serializing the credentials objects. It reduces testing burden, and it makes debugging for us easier in the event that there are any issues.
Ok, fair point. @justin-stephenson, if you agree with this as well please let me know if you need help with the configure/automake related changes?
bye, Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-769729721
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ Thank you, I'll work on it and update the PR. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-769816677
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ Sorry for the delay. I updated the PR to
* Use the exported krb5 marshalling credentials functions
* Build KCM renewals code conditionally, if the krb5 marshalling functions are available then we auto-detect that and build with KCM renewals, explicit `--enable-kcm-renewal` and `--disable-kcm-renewal` ./configure options can also be provided to override auto-detection.
I also noticed that the responder idle timeout can shutdown KCM when renewals are configured, so I added commit b206ba3c0340877b0e6df2e530fdb350b838ac5d to disable the responder idle timeout when renewals code is built. Once KCM comes up with renewals configured it will stay active.
This does not handle the case when a renewal is expected to occur after the system boots but before any kerberos activity has occurred to socket-activate KCM. I don't know if this is a valid case we need to handle, it seems unlikely to me but @sumit-bose suggested we could install a .timer file for sssd-kcm. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-777779438
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ CI fails as expected with `configure: error: krb5 marshalling functions not available, --disable-kcm-renewal should be used` """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-777782633
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
sumit-bose commented: """ Hi,
@justin-stephenson, you can add `--disable-kcm-renewal` for platforms where the calls are not available in `contrib/ci/configure.sh`
@pbrezina, can you update the rawhide vagrant image and add fedora34? Thanks.
bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-779245785
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ Changes made as requested. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-779398475
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ @sumit-bose How do I conditionally exclude the `test_kcm_renewals` integration test from `src/tests/intg/test_kcm.py` when kcm renewals are not being built? See https://s3.eu-central-1.amazonaws.com/sssd-ci/PR-5450/10/fedora32/ci-make-in... """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-785319271
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ Disregard my previous comment, I added a custom pytest marker to skip the intg test if not built with renewal support """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-788212138
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ It looks like most of the CI failures are unrelated to this PR, @sumit-bose could you please confirm this? """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-789925025
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
sumit-bose commented: """ Hi,
thanks for updating the patches so that the build works automatically on platforms without the new libkrb5 calls. The CI failures with rawhide and F34 are (unfortunately) currently expected.
bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-791306558
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: +Changes requested
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: -Waiting for review
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """
There are few minor comments... but:
If I understand it correctly, this functionality requires KCM to be running. KCM is currently socket activated so I see two problems:
1. Unless somebody uses Kerberos regularly, keeping the KCM busy, the renewal will not work. So this makes the feature unfortunately useless, since you want to renew the ticket mostly when you don't use the computer for longer periods of time, e.g. when you have session locked during a weekend.
   * the timer will be always scheduled in a destined future time when KCM is started, but KCM will likely terminate before we get even close to this time (idle timeout is five minutes).
2. You add creds to renew table on two places: a) when KCM process starts `kcm_process_init` b) when renew timer is triggered `kcm_renew_tgt_timer_handler`. However, since it is socket activated, b) is very unlikely to happen. And we already have performance issues so it's probably not a very good idea to do it in a).
The code itself is fine, but unless I am missing something, it is currently unusable. We have to either avoid socket activation, which is not desirable. Or find a way how to execute the process periodically in certain intervals (systemd timer might help here) and change the renew table logic.
Ah, I missed the last patch: `KCM: Disable responder idle timeout with renewals`. So it will work correctly. But I wonder if it would be better to keep the idle timeout enabled. What we could do is to make systemd timer send a SSSD-specific KCM op code periodically and renew the tickets per-request. This would also simplify the logic by a lot since you would not have to keep the hash table and timers. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-799333755
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
alexey-tikhonov commented: """
But I wonder if it would be better to keep the idle timeout enabled.
What's wrong with keeping an idle process "running"? Sleeping process with small memory footprint shouldn't have any resource implications, right? """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-799351188
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """
But I wonder if it would be better to keep the idle timeout enabled.
What's wrong with keeping an idle process "running"? Sleeping process with small memory footprint shouldn't have any resource implications, right?
It's not sleeping, it still spins in tevent loop doing stuff which may have a negative impact on battery. The impact from a single process may not be significant, but there are lots of such processes so if it can be avoided it is certainly welcomed. However, there's nothing wrong about it per se. It just makes sense to me to keep KCM a short lived service, especially since it will also reduce the amount of code that is required to provide the functionality.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-799376424
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
alexey-tikhonov commented: """
It's not sleeping, it still spins in tevent loop doing stuff which may have a negative impact on battery.
That's exactly my question: what is it doing? IIUC, it should be sleeping on `epoll()` (say 99.999% of the time)
If it actually does something useful, it means process would have to be socket activated otherwise which is much more expensive than awaking from epoll(). If it doesn't do anything useful, then what is it doing? """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-799394082
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """
Ah, I missed the last patch: `KCM: Disable responder idle timeout with renewals`. So it will work correctly. But I wonder if it would be better to keep the idle timeout enabled. What we could do is to make systemd timer send a SSSD-specific KCM op code periodically and renew the tickets per-request. This would also simplify the logic by a lot since you would not have to keep the hash table and timers.
I'm fine with this approach, but if the systemd timer file is installed conditionally at build time (if KCM renewals are built), then what interval value, i.e. amount of time that KCM wakes up to attempt renewals, should we set in the systemd timer file? Currently the renew interval is defined with the `krb5_renew_interval` option in sssd.conf. I suppose the other side effect is that fallback to `auth_provider=krb5` renew config options would no longer work. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-799506171
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """
Ah, I missed the last patch: `KCM: Disable responder idle timeout with renewals`. So it will work correctly. But I wonder if it would be better to keep the idle timeout enabled. What we could do is to make systemd timer send a SSSD-specific KCM op code periodically and renew the tickets per-request. This would also simplify the logic by a lot since you would not have to keep the hash table and timers.
I'm fine with this approach, but if the systemd timer file is installed conditionally at build time (if KCM renewals are built), then what interval value, i.e. amount of time that KCM wakes up to attempt renewals, should we set in the systemd timer file? Currently the renew interval is defined with the `krb5_renew_interval` option in sssd.conf. This is an important consideration because if the renewal interval is too high then we could miss renewing tickets that have already expired, too low and it may add unnecessary KCM load.
I suppose the other side effect is that fallback to `auth_provider=krb5` renew config options would no longer work. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-799506171
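The half-lifetime rule from the PR description and the interval concern raised in the comment above, worked through as an added example (not code from the PR or from SSSD). The struct, enum and function names are hypothetical, and the sample ticket times are constructed.

```c
#include <stdio.h>
#include <time.h>

/* Constructed stand-in for the times stored with a TGT (hypothetical type). */
struct tgt_times {
    time_t starttime;
    time_t endtime;
    time_t renew_till;   /* 0 when the ticket is not renewable */
};

enum renew_decision {
    RENEW_TOO_EARLY,      /* less than half of the lifetime has passed */
    RENEW_NOW,            /* inside the window: half lifetime .. endtime */
    RENEW_NOT_RENEWABLE,  /* no renew_till, or renew_till already passed */
    RENEW_EXPIRED         /* endtime passed, nothing left to renew */
};

/* Constructed samples: a 10 hour TGT renewable for 7 days, and a plain one. */
const struct tgt_times sample_renewable = { 0, 36000, 604800 };
const struct tgt_times sample_plain = { 0, 36000, 0 };

/* Earliest moment a renewal is attempted: half of the ticket lifetime. */
time_t renew_not_before(const struct tgt_times *t)
{
    return t->starttime + (t->endtime - t->starttime) / 2;
}

/* Decide what a single renewal check at time 'now' would do. */
enum renew_decision renew_check(const struct tgt_times *t, time_t now)
{
    if (now >= t->endtime) {
        return RENEW_EXPIRED;
    }
    if (t->renew_till <= now) {
        return RENEW_NOT_RENEWABLE;
    }
    if (now < renew_not_before(t)) {
        return RENEW_TOO_EARLY;
    }
    return RENEW_NOW;
}

/* Walk a periodic check (first_tick, first_tick + interval, ...) and report
 * the first tick whose decision is not RENEW_TOO_EARLY. The usable window is
 * only endtime - renew_not_before(), i.e. half of the lifetime, so an interval
 * longer than that can step over the whole window. */
enum renew_decision first_actionable_tick(const struct tgt_times *t,
                                          time_t first_tick, time_t interval,
                                          time_t *when)
{
    time_t now = first_tick;
    enum renew_decision d = renew_check(t, now);

    if (interval > 0) {
        while (d == RENEW_TOO_EARLY) {
            now += interval;
            d = renew_check(t, now);
        }
    }
    *when = now;
    return d;
}

int main(void)
{
    time_t when;
    enum renew_decision d;

    d = first_actionable_tick(&sample_renewable, 60, 3600, &when);
    printf("interval 3600s: decision %d at t=%ld\n", (int)d, (long)when);

    d = first_actionable_tick(&sample_renewable, 60, 40000, &when);
    printf("interval 40000s: decision %d at t=%ld\n", (int)d, (long)when);
    return 0;
}
```

With the hourly interval the first actionable check lands just past the half-lifetime point; with the 40000 second interval the second check already falls after `endtime`, which is the missed-renewal case the comment describes.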
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """
It's not sleeping, it still spins in tevent loop doing stuff which may have a negative impact on battery.
That's exactly my question: what is it doing? IIUC, it should be sleeping on `epoll()` (say 99.999% of the time)
If it actually does something useful, it means process would have to be socket activated otherwise which is much more expensive than awaking from epoll(). If it doesn't do anything useful, then what is it doing?
epoll is just one of the tevent mechanisms, there is much more to it. It does not check only epoll, but also goes into internal structures to watch for signals and to trigger timed events and tevent reqs. But let's not dive into it, I formulated my previous answer wrongly and made battery life a stronger point than I meant. If this was the reason to keep it as short lived process it is certainly something that needs to be measured.
My point was that lots of logic that Justin introduced would not be necessary.
Ah, I missed the last patch: `KCM: Disable responder idle timeout with renewals`. So it will work correctly. But I wonder if it would be better to keep the idle timeout enabled. What we could do is to make systemd timer send a SSSD-specific KCM op code periodically and renew the tickets per-request. This would also simplify the logic by a lot since you would not have to keep the hash table and timers.
I'm fine with this approach, but if the systemd timer file is installed conditionally at build time (if KCM renewals are built), then what interval value, i.e. amount of time that KCM wakes up to attempt renewals, should we set in the systemd timer file? Currently the renew interval is defined with the `krb5_renew_interval` option in sssd.conf. This is an important consideration because if the renewal interval is too high then we could miss renewing tickets that have already expired, too low and it may add unnecessary KCM load.
I suppose the other side effect is that fallback to `auth_provider=krb5` renew config options would no longer work.
Fair point. Let's continue with this patch set as is. Since SSSD is not currently relying that much on systemd it is probably a better choice. We can revisit this if we ever switch from monitor to systemd.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-800159007
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: +Waiting for review
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: -Changes requested
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ I pushed a new version addressing the latest review items from Pavel. The CI failure `Details` link shows no actual files, just an empty header. Is it expected? """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-801150902
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """ Thanks a lot Pavel for the further review, it is better to get everything resolved now than having to fix issues later.
If the cache contains uid that is not resolvable then kcm fails to start:
```
[root /var/log/sssd]# /usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --debug-level 0xfff0
(2021-03-25 12:12:49:260824): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-03-25 12:12:49:260883): [sssd] [become_user] (0x0200): Already user [0].
(2021-03-25 12:12:49:263412): [kcm] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(2021-03-25 12:12:49): [kcm] [server_setup] (0x0040): Starting with debug level = 0xfff0
(2021-03-25 12:12:49): [kcm] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(2021-03-25 12:12:49): [kcm] [kcm_get_ccdb_be] (0x0100): KCM database type: secdb
(2021-03-25 12:12:49): [kcm] [kcm_ccdb_init] (0x0200): KCM back end: libsss_secrets
(2021-03-25 12:12:49): [kcm] [ccdb_secdb_init] (0x2000): secdb initialized
(2021-03-25 12:12:49): [kcm] [sss_sec_list_cc_uids] (0x2000): uid: [91600000]
(2021-03-25 12:12:49): [kcm] [sss_sec_list_cc_uids] (0x2000): uid: [1000]
(2021-03-25 12:12:49): [kcm] [ccdb_secdb_renew_init] (0x2000): Found [2] ccache uids
(2021-03-25 12:12:49): [kcm] [renew_check_ccaches] (0x0040): Failed to get pwd entry for [91600000]
(2021-03-25 12:12:49): [kcm] [ccdb_secdb_renew_init] (0x0040): Error checking ccaches in secdb
(2021-03-25 12:12:49): [kcm] [kcm_ccdb_renew_init] (0x0020): Failure to execute ccdb renewal init
(2021-03-25 12:12:49): [kcm] [kcm_process_init] (0x0010): fatal error initializing KCM ccdb renewals
(2021-03-25 12:12:49): [kcm] [kcm_responder_ctx_destructor] (0x0400): Responder is being shut down
```
Is it valid to treat renewal failures as not fatal, and return EOK from `kcm_ccdb_renew_init` instead of current behavior shown below? If not what is the preferred way to handle this?
```
    /* Add any renew-applicable KCM tickets to renew table */
    ret = kcm_ccdb_renew_init(renew_tgt_ctx->rctx, renew_tgt_ctx->krb5_ctx,
                              ev, renew_tgt_ctx->db);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add KCM tickets to table.\n");
        talloc_zfree(renew_tgt_ctx);
        return;
    }
```
It might be better to move this to a function on its own, something like:
```
errno_t kcm_renewals_init(...)
{
#ifndef HAVE_KCM_RENEWAL
    return EOK;
#else
    /* do stuff */
#endif
}
```
Can you help me understand what is the benefit of this change? """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-806744205
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """
Thanks a lot Pavel for the further review, it is better to get everything resolved now than having to fix issues later.
If the cache contains uid that is not resolvable then kcm fails to start:
```
[root /var/log/sssd]# /usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --debug-level 0xfff0
(2021-03-25 12:12:49:260824): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-03-25 12:12:49:260883): [sssd] [become_user] (0x0200): Already user [0].
(2021-03-25 12:12:49:263412): [kcm] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(2021-03-25 12:12:49): [kcm] [server_setup] (0x0040): Starting with debug level = 0xfff0
(2021-03-25 12:12:49): [kcm] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(2021-03-25 12:12:49): [kcm] [kcm_get_ccdb_be] (0x0100): KCM database type: secdb
(2021-03-25 12:12:49): [kcm] [kcm_ccdb_init] (0x0200): KCM back end: libsss_secrets
(2021-03-25 12:12:49): [kcm] [ccdb_secdb_init] (0x2000): secdb initialized
(2021-03-25 12:12:49): [kcm] [sss_sec_list_cc_uids] (0x2000): uid: [91600000]
(2021-03-25 12:12:49): [kcm] [sss_sec_list_cc_uids] (0x2000): uid: [1000]
(2021-03-25 12:12:49): [kcm] [ccdb_secdb_renew_init] (0x2000): Found [2] ccache uids
(2021-03-25 12:12:49): [kcm] [renew_check_ccaches] (0x0040): Failed to get pwd entry for [91600000]
(2021-03-25 12:12:49): [kcm] [ccdb_secdb_renew_init] (0x0040): Error checking ccaches in secdb
(2021-03-25 12:12:49): [kcm] [kcm_ccdb_renew_init] (0x0020): Failure to execute ccdb renewal init
(2021-03-25 12:12:49): [kcm] [kcm_process_init] (0x0010): fatal error initializing KCM ccdb renewals
(2021-03-25 12:12:49): [kcm] [kcm_responder_ctx_destructor] (0x0400): Responder is being shut down
```
Is it valid to treat renewal failures as not fatal, and return EOK from `kcm_ccdb_renew_init` instead of current behavior shown below? If not what is the preferred way to handle this?
Fail to setup renewals should be fatal. But invalid uid inside the cache is not fatal, it may happen quite easily -- user was removed from LDAP and then from SSSD cache but kdestroy was not called before the user was removed. In the future we should probably purge such ccaches.
It might be better to move this to a function on its own, something like:
errno_t kcm_renewals_init(...) { #ifndef HAVE_KCM_RENEWAL return EOK; #else do stuff #endif }Can you help me understand what is the benefit of this change?
The benefit is that the logic is confined to the function and not to its caller. The current code requires #ifdefs on two places. If you move it to a separate function, you only need one #ifdef and the caller does not have to care about the support. It is not that important at this place, but it is generally a good practice. The caller should know how to call the function not when to call it.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-808156268
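The two points made in the reply above (a stale uid left in the cache is skipped rather than treated as fatal, and the build-time feature check lives inside the init function so the caller needs no `#ifdef`) are sketched below. This is an added example, not code from the PR: `renewals_init`, `renew_stats`, the callback types and the `demo_*` back ends are hypothetical, the sample uids are constructed, and `HAVE_KCM_RENEWAL` is defined inline only so the block builds on its own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define HAVE_KCM_RENEWAL 1  /* assumption: normally set by the build system */

typedef int (*uid_lookup_fn)(uid_t uid);    /* 0 if the uid still resolves */
typedef int (*ccache_check_fn)(uid_t uid);  /* 0, ENOENT (no ccaches) or error */

struct renew_stats {
    size_t checked;  /* users whose ccaches were examined */
    size_t skipped;  /* stale uids, e.g. user removed without kdestroy */
};

/* Constructed sample back ends: uid 91600000 no longer resolves, uid 1000
 * has no ccaches, uid 2000 hits a real storage error. */
static int demo_lookup(uid_t uid) { return uid == 91600000u ? ENOENT : 0; }
static int demo_check(uid_t uid)
{
    if (uid == 1000u) return ENOENT;
    if (uid == 2000u) return EIO;
    return 0;
}

/* The caller never tests HAVE_KCM_RENEWAL; the single #ifdef lives here. */
int renewals_init(const uid_t *uids, size_t n, uid_lookup_fn lookup,
                  ccache_check_fn check, struct renew_stats *st)
{
    st->checked = 0;
    st->skipped = 0;
#ifndef HAVE_KCM_RENEWAL
    (void)uids; (void)n; (void)lookup; (void)check;
    return 0;
#else
    int ret = 0;  /* initialised: no uids, or only stale uids, is success */

    for (size_t i = 0; i < n; i++) {
        if (lookup(uids[i]) != 0) {
            st->skipped++;   /* stale uid: not fatal, move on to next user */
            continue;
        }
        ret = check(uids[i]);
        if (ret == ENOENT) {
            ret = 0;         /* the user simply has no ccaches */
        } else if (ret != 0) {
            goto done;       /* real failure: stop and report it */
        }
        st->checked++;
    }
done:
    return ret;
#endif
}

int main(void)
{
    const uid_t uids[] = { 91600000u, 1000u, 0u };
    struct renew_stats st;
    int ret = renewals_init(uids, 3, demo_lookup, demo_check, &st);
    printf("ret=%d checked=%zu skipped=%zu\n", ret, st.checked, st.skipped);
    return ret;
}
```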
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """
Hi Justin, I'm sorry it takes so long, but there are a few more things. They are mostly minor, but one makes kcm fail to start.
These issues are addressed in the latest version.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-808436460
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """ Sorry, it still does not work correctly. Right now you don't continue with the next user if you did not find the current one. You want:
```diff diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c index 7591c5687..14315e01b 100644 --- a/src/responder/kcm/kcmsrv_ccache_secdb.c +++ b/src/responder/kcm/kcmsrv_ccache_secdb.c @@ -707,7 +707,7 @@ static errno_t renew_check_ccaches(struct krb5_ctx *krb5_ctx, struct passwd *pwd; errno_t ret;
- cli_cred = talloc_zero(ev, struct cli_creds); + cli_cred = talloc_zero(NULL, struct cli_creds); if (cli_cred == NULL) { return ENOMEM; } @@ -716,11 +716,10 @@ static errno_t renew_check_ccaches(struct krb5_ctx *krb5_ctx, for (int i = 0; i < uid_count; i++) { pwd = getpwuid(uids[i]); if (pwd == NULL) { - talloc_zfree(cli_cred); DEBUG(SSSDBG_OP_FAILURE, "Failed to get pwd entry for [%d]\n", uids[i]); /* Not fatal */ - return EOK; + continue; }
cli_cred->ucred.uid = pwd->pw_uid; @@ -728,16 +727,14 @@ static errno_t renew_check_ccaches(struct krb5_ctx *krb5_ctx,
ret = secdb_container_url_req(state, sctx, cli_cred, &sreq); if (ret != EOK) { - talloc_zfree(cli_cred); - return EINVAL; + goto done; }
ret = sss_sec_list(state, sreq, &keys, &nkeys); if (ret == ENOENT) { nkeys = 0; } else if (ret != EOK) { - talloc_zfree(cli_cred); - return EINVAL; + goto done; } DEBUG(SSSDBG_TRACE_INTERNAL, "Found [%zu] ccaches under uid [%u]\n", nkeys, uids[i]); @@ -746,14 +743,16 @@ static errno_t renew_check_ccaches(struct krb5_ctx *krb5_ctx, for (size_t j = 0; j < nkeys; j++) { ret = renew_check_creds(krb5_ctx, state, sctx, cli_cred, keys[j]); if (ret != EOK && ret != ENOENT) { - talloc_zfree(cli_cred); DEBUG(SSSDBG_OP_FAILURE, "Failed to check credentials\n"); - return EINVAL; + goto done; } } }
- return EOK; +done: + talloc_free(cli_cred); + + return ret; }
static errno_t ccdb_secdb_renew_init(struct krb5_ctx *krb5_ctx, ```
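Review bot: in the last hunk, `return ret;` after `done:` can hand back a value that was never meant as the function's result. `ret` is declared without an initializer, so when `uid_count` is 0 or every uid takes the new `continue`, the value returned is indeterminate; and when the final uid's `sss_sec_list` returns ENOENT (handled as `nkeys = 0`) or its last `renew_check_creds` returns ENOENT (tolerated by the `if`), that ENOENT falls through to `done:` where the old code returned EOK. Setting `ret = EOK;` on the line before the `done:` label keeps the error codes confined to the `goto done` paths.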
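Review bot: in the `pwd == NULL` branch of the second hunk, the DEBUG call still logs at SSSDBG_OP_FAILURE and prints `uids[i]` with `%d`, although the branch is marked `/* Not fatal */` and the later DEBUG in this function prints the same value with `%u`. Use `%u` here too so large uids are not shown as negative numbers, and consider a lower level such as SSSDBG_MINOR_FAILURE now that the loop continues past this case.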
Also what do we need the renew hash table for? I don't see where you take advantage of it? You always call `kcm_ccdb_renew_init` from `kcm_renew_tgt_timer_handler` so you always iterate over all cached credentials before you attempt to renew it. What was the intention here? """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-811141452
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """
Also what do we need the renew hash table for? I don't see where you take advantage of it? You always call `kcm_ccdb_renew_init` from `kcm_renew_tgt_timer_handler` so you always iterate over all cached credentials before you attempt to renew it. What was the intention here?
I was using krb5 renewals as a starting point for my code, ``add_tgt_to_renew_table`` uses the hash table. Is it better to just use an array of ``renew_data`` structures? ``kcm_renew_all_tgts`` is where we retrieve the hash table entries to check for renewals.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-811149203
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """
Also what do we need the renew hash table for? I don't see where you take advantage of it? You always call `kcm_ccdb_renew_init` from `kcm_renew_tgt_timer_handler` so you always iterate over all cached credentials before you attempt to renew it. What was the intention here?
I was using krb5 renewals as a starting point for my code, `add_tgt_to_renew_table` uses the hash table. Is it better to just use an array of `renew_data` structures? `kcm_renew_all_tgts` is where we retrieve the hash table entries to check for renewals.
In this case the hash table is completely redundant. I think we have two options:
1. Keep the hash table. But in this case it would be better to maintain it from store/init/destroy/remove operations instead of populating it just before the refresh.
2. Drop the hash table and make the code much more straightforward. You don't need to renew_init on process start but only from the timer. You just want to iterate over all ccaches and find renewable tgts in the timer handler. (I favor this as long as there won't be performance issues since it is much easier)
In both cases, you'll probably end up with renew_init unneeded and you will gain support for all backends not just ccdb. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-811766398
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """
In this case the hash table is completely redundant. I think we have two options:
1. Keep the hash table. But in this case it would be better to maintain it from store/init/destroy/remove operations instead of populating it just before the refresh.
2. Drop the hash table and make the code much more straightforward. You don't need to renew_init on process start but only from the timer. You just want to iterate over all ccaches and find renewable tgts in the timer handler. (I favor this as long as there won't be performance issues since it is much easier)
In both cases, you'll probably end up with renew_init unneeded and you will gain support for all backends not just ccdb.
Thank you, I will work on revising the PR for option 2. Just for information I am out on PTO starting April 2nd and returning April 12th. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-811904597
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: +Changes requested
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: -Waiting for review
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """ And one more thing - add [release notes](https://github.com/SSSD/sssd/blob/master/.git-commit-template#L7) and upstream ticket to the commit messages, e.g.
* https://github.com/SSSD/sssd/pull/5610/commits/c556e2543148792e05f435d25458f...
* https://github.com/SSSD/sssd/pull/5610/commits/3973e3f231dbe4c344ded9d4fdbf3...
"""
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834263041
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """
And one more thing - add [release notes](https://github.com/SSSD/sssd/blob/master/.git-commit-template#L7) and upstream ticket to the commit messages, e.g.
* [c556e25](https://github.com/SSSD/sssd/commit/c556e2543148792e05f435d25458f5309be74838)
* [3973e3f](https://github.com/SSSD/sssd/commit/3973e3f231dbe4c344ded9d4fdbf3effd3ae32be)
Should `:feature:` be added to all commits? Or just the main one implementing the feature? """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834346883
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """
And one more thing - add [release notes](https://github.com/SSSD/sssd/blob/master/.git-commit-template#L7) and upstream ticket to the commit messages, e.g.
* [c556e25](https://github.com/SSSD/sssd/commit/c556e2543148792e05f435d25458f5309be74838)
* [3973e3f](https://github.com/SSSD/sssd/commit/3973e3f231dbe4c344ded9d4fdbf3effd3ae32be)
Should `:feature:` be added to all commits? Or just the main one implementing the feature?
Just once. Each release note should be there only once. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834349605
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """
And one more thing - add [release notes](https://github.com/SSSD/sssd/blob/master/.git-commit-template#L7) and upstream ticket to the commit messages, e.g.
* [c556e25](https://github.com/SSSD/sssd/commit/c556e2543148792e05f435d25458f5309be74838)
* [3973e3f](https://github.com/SSSD/sssd/commit/3973e3f231dbe4c344ded9d4fdbf3effd3ae32be)
Done, please check it. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834431969
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: -Changes requested
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: +Waiting for review
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """ Thank you for your patience, last two nitpicks in the code and we can push.
And perhaps different wording for the release notes (fill in the version):
```
:feature: Added support for automatic renewal of renewable TGTs that are stored in KCM ccache. This can be enabled by setting `tgt_renewal = true`. See the sssd-kcm man page for more details. This feature requires MIT Kerberos X.Y.Z
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834622746
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """
Thank you for your patience, last two nitpicks in the code and we can push.
And perhaps different wording for the release notes (fill in the version):
:feature: Added support for automatic renewal of renewable TGTs that are stored in KCM ccache. This can be enabled by setting `tgt_renewal = true`. See the sssd-kcm man page for more details. This feature requires MIT Kerberos X.Y.Z
Fixed and pushed, not sure if ``MIT Kerberos krb5-1.19-0.beta2.3 or higher.`` is the correct wording however. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834658385
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """ Thank you. Ack. """
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-836525263
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: -Waiting for review
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: +Ready to push
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: +Accepted
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
pbrezina commented: """ Pushed PR: https://github.com/SSSD/sssd/pull/5450
* `master`
    * ec932d35172819ac68343355faaad4dc6ffae688 - KCM: Disable responder idle timeout with renewals
    * ddcedbf3bc6b267d40d8a7edcb65f8d61ec13dd1 - KCM: Conditionally build KCM renewals support
    * 0202eb53ab18b5eeac53fc96bf5e0569276e3767 - INTG: Add KCM Renewal integration test
    * a55405b3edd6312a5e39567e4bdde5522ffc6a0a - TESTS: Add kcm_renewals unit test
    * 1dc3c33c8d2f4ca4a41b186746c44f74510c2f38 - SECRETS: Don't hardcode SECRETS_DB_PATH
    * 599f0ad056dc8fc052395d5abe0e110e4e68a886 - KCM: Prepare and execute renewals
    * 993b66d48d555c59e619d7ef3b494248a82587ac - KCM: Read and set KCM renewal and krb5 options
"""
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-836663582
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: +Pushed
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: -Accepted
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
Label: -Ready to push
URL: https://github.com/SSSD/sssd/pull/5450 Author: justin-stephenson Title: #5450: kcm: add support for kerberos tgt renewals Action: closed
sssd-devel@lists.fedorahosted.org