Proactively store the keytabs in /var/lib/sss/keytabs instead of /var/lib/sss/db/keytabs because users (including developers who wrote tests) are used to removing everything under /var/lib/sss/db which removes the sssd-owned directory.
Unlike the other directories under /var/lib/sss this one doesn't have a matching configure option...I don't think we need one.
Make sure the directory is only accessible to the sssd user.
CI (rigorous by default now): http://sssd-ci.duckdns.org/logs/commit/27/df243b8f6182a6093af432f1d23a21e4fb...
On Tue, Jun 16, 2015 at 03:10:18PM +0200, Jakub Hrozek wrote:
Proactively store the keytabs in /var/lib/sss/keytabs instead of /var/lib/sss/db/keytabs because users (including developers who wrote tests) are used to removing everything under /var/lib/sss/db which removes the sssd-owned directory.
Unlike the other directories under /var/lib/sss this one doesn't have a matching configure option...I don't think we need one.
Make sure the directory is only accessible to the sssd user.
CI (rigorous by default now): http://sssd-ci.duckdns.org/logs/commit/27/df243b8f6182a6093af432f1d23a21e4fb...
btw I also amended the design page: https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts?action=diff&v...
On 06/16/2015 03:12 PM, Jakub Hrozek wrote:
On Tue, Jun 16, 2015 at 03:10:18PM +0200, Jakub Hrozek wrote:
Proactively store the keytabs in /var/lib/sss/keytabs instead of /var/lib/sss/db/keytabs because users (including developers who wrote tests) are used to removing everything under /var/lib/sss/db which removes the sssd-owned directory.
Unlike the other directories under /var/lib/sss this one doesn't have a matching configure option...I don't think we need one.
Make sure the directory is only accessible to the sssd user.
CI (rigorous by default now): http://sssd-ci.duckdns.org/logs/commit/27/df243b8f6182a6093af432f1d23a21e4fb...
btw I also amended the design page: https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts?action=diff&v...
Hi,
the patches look good, but I think you wrongly amended this sentence in the design page:
"That way, processes that are able to access the sssd state directory, which is public <HAKUNAMATATA> the keytabs."
I think you wanted to keep the ", will not be able to access" where I put the <HAKUNAMATATA>.
Other than that, the patches are good; I am just waiting for the CI to finish.
Michal
On Tue, Jun 16, 2015 at 04:56:48PM +0200, Michal Židek wrote:
On 06/16/2015 03:12 PM, Jakub Hrozek wrote:
On Tue, Jun 16, 2015 at 03:10:18PM +0200, Jakub Hrozek wrote:
Proactively store the keytabs in /var/lib/sss/keytabs instead of /var/lib/sss/db/keytabs because users (including developers who wrote tests) are used to removing everything under /var/lib/sss/db which removes the sssd-owned directory.
Unlike the other directories under /var/lib/sss this one doesn't have a matching configure option...I don't think we need one.
Make sure the directory is only accessible to the sssd user.
CI (rigorous by default now): http://sssd-ci.duckdns.org/logs/commit/27/df243b8f6182a6093af432f1d23a21e4fb...
btw I also amended the design page: https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts?action=diff&v...
Hi,
the patches look good, but I think you wrongly amended this sentence in the design page:
"That way, processes that are able to access the sssd state directory, which is public <HAKUNAMATATA> the keytabs."
I think you wanted to keep the ", will not be able to access" where I put the <HAKUNAMATATA>.
Other than that, the patches are good; I am just waiting for the CI to finish.
Michal
Thank you for the review, pushed to master:
* a5bb518446d5ce565d7ba819590a009cabb0b0b4
* dbfc407eef1d9ba2469687c3ffbe7fd8bb111d94
On Tue, Jun 16, 2015 at 04:56:48PM +0200, Michal Židek wrote:
On 06/16/2015 03:12 PM, Jakub Hrozek wrote:
On Tue, Jun 16, 2015 at 03:10:18PM +0200, Jakub Hrozek wrote:
Proactively store the keytabs in /var/lib/sss/keytabs instead of /var/lib/sss/db/keytabs because users (including developers who wrote tests) are used to removing everything under /var/lib/sss/db which removes the sssd-owned directory.
Unlike the other directories under /var/lib/sss this one doesn't have a matching configure option...I don't think we need one.
Make sure the directory is only accessible to the sssd user.
CI (rigorous by default now): http://sssd-ci.duckdns.org/logs/commit/27/df243b8f6182a6093af432f1d23a21e4fb...
btw I also amended the design page: https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts?action=diff&v...
Hi,
the patches look good, but I think you wrongly amended this sentence in the design page:
"That way, processes that are able to access the sssd state directory, which is public <HAKUNAMATATA> the keytabs."
I think you wanted to keep the ", will not be able to access" where I put the <HAKUNAMATATA>.
yes, sorry. Fixed.
On Tue, 2015-06-16 at 15:10 +0200, Jakub Hrozek wrote:
Proactively store the keytabs in /var/lib/sss/keytabs instead of /var/lib/sss/db/keytabs because users (including developers who wrote tests) are used to removing everything under /var/lib/sss/db which removes the sssd-owned directory.
Unlike the other directories under /var/lib/sss this one doesn't have a matching configure option...I don't think we need one.
Make sure the directory is only accessible to the sssd user.
CI (rigorous by default now): http://sssd-ci.duckdns.org/logs/commit/27/df243b8f6182a6093af432f1d23a21e4fb...
LGTM
Simo.
On 06/16/2015 03:10 PM, Jakub Hrozek wrote:
Proactively store the keytabs in /var/lib/sss/keytabs instead of /var/lib/sss/db/keytabs because users (including developers who wrote tests) are used to removing everything under /var/lib/sss/db which removes the sssd-owned directory.
Unlike the other directories under /var/lib/sss this one doesn't have a matching configure option...I don't think we need one.
Make sure the directory is only accessible to the sssd user.
CI (rigorous by default now): http://sssd-ci.duckdns.org/logs/commit/27/df243b8f6182a6093af432f1d23a21e4fb...
ACK.
CI link (I know you ran the CI, but it is part of review not to trust your results :) ): http://sssd-ci.duckdns.org/logs/job/17/45/summary.html
Michal
sssd-devel@lists.fedorahosted.org
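An added example, not part of the thread or of the SSSD patches: a shell check an administrator could run to confirm that a keytab directory such as /var/lib/sss/keytabs is reachable only by its owner. The function name `audit_keytab_dir`, the numeric-uid argument and the extra check on entries inside the directory are assumptions of this example; it relies on GNU `stat` and `find`.

```shell
#!/bin/sh
# Added example (not SSSD code): audit that a keytab directory is
# accessible only to its owning user.
# Usage: audit_keytab_dir DIR EXPECTED_UID    e.g. "$(id -u sssd)"
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_keytab_dir() {
    dir=$1
    want_uid=$2
    rc=0

    # A symlink could point the daemon at a directory with looser
    # permissions, so only a real directory is accepted.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a real directory"
        return 1
    fi

    uid=$(stat -c %u "$dir")     # numeric owner
    mode=$(stat -c %a "$dir")    # octal permission bits, e.g. 700

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"
        rc=1
    fi

    # Any group/other bit lets someone besides the owner list or
    # traverse the directory.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode grants group/other access"
        rc=1
    fi

    # Assumption of this example: entries inside should be equally
    # tight, so a later chmod of the directory cannot expose them.
    # Symlinks are reported too, since they carry mode 777.
    loose=$(find "$dir" -mindepth 1 \( ! -uid "$want_uid" -o -perm /077 \) -print)
    if [ -n "$loose" ]; then
        echo "FAIL entries with wrong owner or group/other bits:"
        echo "$loose"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK $dir"
    return "$rc"
}
```
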