Hi,
this patch adds the change password support for the kerberos backend.
I wonder if we want to support password reset by root via kerberos, i.e. allow root to change a user's password if a krb5 ticket with the needed privileges is available?
bye, Sumit
On Mon, 2009-08-31 at 15:10 +0200, Sumit Bose wrote:
> Hi,
> this patch adds the change password support for the kerberos backend.
> I wonder if we want to support password reset by root via kerberos, i.e. allow root to change a user's password if a krb5 ticket with the needed privileges is available?
Patch looks good, the only remark I have is that even if the child exits we should still try to free resources we allocate (krb libs invocations may allocate buffers), to avoid leaks if we later change the code to be more complex or copy the code elsewhere.
Otherwise I'd say it's an ACK (though I haven't tested the change myself).
Simo.
On Mon, Aug 31, 2009 at 02:27:45PM -0400, Simo Sorce wrote:
> On Mon, 2009-08-31 at 15:10 +0200, Sumit Bose wrote:
>> Hi,
>> this patch adds the change password support for the kerberos backend.
>> I wonder if we want to support password reset by root via kerberos, i.e. allow root to change a user's password if a krb5 ticket with the needed privileges is available?
> Patch looks good, the only remark I have is that even if the child exits we should still try to free resources we allocate (krb libs invocations may allocate buffers), to avoid leaks if we later change the code to be more complex or copy the code elsewhere.
> Otherwise I'd say it's an ACK (though I haven't tested the change myself).
libdbus does not like a pure fork, but prefers fork+exec. The second patch adds this functionality to the kerberos child.
Parent and child communicate in the following way. UPN and passwords are sent from parent to child via a pipe and the result is sent back via another pipe. General parameters, like the change password principal, are put to the environment by the parent and can be read by the child when needed.
There is a minor change to the change password patch which fixes a talloc_steal to the wrong context.
bye, Sumit
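
The parent/child exchange described in the message above, as an added example that is not the SSSD patch or code from this thread: the secret travels over a pipe, the result comes back over a second pipe, and only a non-secret parameter goes into the environment. `/bin/sh` stands in for the real child binary, and `run_child`, `DEMO_CHPASS_PRINCIPAL` and the sample values are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* dprintf, setenv */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Stand-in child (assumption): reads UPN and password from stdin, takes the
 * principal from the environment, replies on stdout with the length only. */
static const char *CHILD = "IFS= read -r upn; IFS= read -r pw; "
    "printf '%s|%s|%s' \"$DEMO_CHPASS_PRINCIPAL\" \"$upn\" \"${#pw}\"";

/* Returns the child's exit status or -1; reply is always NUL-terminated. */
int run_child(const char *upn, const char *pw, const char *princ,
              char *reply, size_t len)
{
    int in[2], out[2], status;
    size_t n = 0; ssize_t r;
    if (len == 0 || pipe(in) == -1) return -1;
    if (pipe(out) == -1) { close(in[0]); close(in[1]); return -1; }
    pid_t pid = fork();
    if (pid == -1) {
        close(in[0]); close(in[1]); close(out[0]); close(out[1]); return -1;
    }
    if (pid == 0) {                       /* child: wire pipes, then exec */
        dup2(in[0], STDIN_FILENO); dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        setenv("DEMO_CHPASS_PRINCIPAL", princ, 1);  /* non-secret only */
        execl("/bin/sh", "sh", "-c", CHILD, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    close(in[0]); close(out[1]);          /* parent keeps only its own ends */
    dprintf(in[1], "%s\n%s\n", upn, pw);  /* secret goes over the pipe */
    close(in[1]);                         /* EOF: nothing more to send */
    while (n < len - 1 && (r = read(out[0], reply + n, len - 1 - n)) > 0)
        n += (size_t)r;
    reply[n] = '\0';
    close(out[0]);                        /* release every fd we opened */
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[128];   /* inputs below are constructed sample values */
    int rc = run_child("alice@EXAMPLE.COM", "s3cret",
                       "kadmin/changepw@EXAMPLE.COM", buf, sizeof buf);
    printf("rc=%d reply=%s\n", rc, buf);
    return rc;
}
```

Keeping the password out of `argv` and the environment matters because both can be read from outside the process (process listings, `/proc/<pid>/environ`), while pipe contents cannot.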
On Tue, 2009-09-08 at 11:26 +0200, Sumit Bose wrote:
> libdbus does not like a pure fork, but prefers fork+exec. The second patch adds this functionality to the kerberos child.
> Parent and child communicate in the following way. UPN and passwords are sent from parent to child via a pipe and the result is sent back via another pipe. General parameters, like the change password principal, are put to the environment by the parent and can be read by the child when needed.
> There is a minor change to the change password patch which fixes a talloc_steal to the wrong context.
Ack both and pushed. Sorry it took so long, but wasn't able to test krb auth before today.
Simo.
sssd-devel@lists.fedorahosted.org