Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/481
Kerberos allows the autodiscovery of realm via setting the krb5.conf option dns_lookup_realm. We should have a similar option in SSSD.
Comments
Comment from sgallagh at 2010-05-18 15:24:12
Fields changed
component: SSSD => Kerberos Provider
milestone: NEEDS_TRIAGE => SSSD 1.3.0
Comment from jhrozek at 2010-06-02 15:26:55
We have decided that this feature is potentially dangerous as it allows the client to be presented with an arbitrary realm with spoofed DNS replies. We will defer it until it is requested. In the meantime, the WIP code is in my personal git repository on fedorapeople, so we can always resume from there.
milestone: SSSD 1.3.0 => SSSD Deferred
Comment from danieljamesscott at 2011-06-21 21:27:27
This would be a useful feature for me - do the security concerns also exist when using the krb5.conf option?
coverity: =>
patch: => 0
upgrade: => 0
Comment from sgallagh at 2011-06-21 21:43:02
Fields changed
milestone: SSSD Deferred => NEEDS_TRIAGE
Comment from dpal at 2011-06-23 14:55:52
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.7.0
Comment from tmraz at 2011-06-29 16:20:21
Fields changed
cc: => tmraz
Comment from sgallagh at 2011-07-12 14:46:06
Fields changed
milestone: SSSD 1.8.0 => SSSD 1.7.0
Comment from jgalipea at 2011-10-06 16:30:59
Fields changed
rhbz: =>
summary: autodiscover Kerberos domain through TXT records => [RFE] autodiscover Kerberos domain through TXT records
Comment from dpal at 2011-12-08 15:27:35
Fields changed
milestone: SSSD 1.7.0 => SSSD 1.9.0
Comment from dpal at 2012-01-16 16:33:42
Fields changed
blockedby: =>
blocking: =>
milestone: SSSD 1.9.0 => SSSD Kerberos improvements
Comment from dpal at 2012-02-10 23:46:51
Fields changed
rhbz: => 0
Comment from dpal at 2012-08-16 23:27:30
Replying to [comment:3 danieljamesscott]:
According to nalin, Kerberos libraries are smart enough to negotiate the right ticket securely using cross-realm referrals without relying on the TXT records.
It might not make sense to add this functionality ever.
Putting in Deferred for now.
feature_milestone: =>
milestone: SSSD Kerberos Improvements Feature => SSSD Deferred
proposed_priority: => Undefined
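The spoofing concern raised in this thread applies to any client that turns on dns_lookup_realm in krb5.conf. The following Python audit is an added example, not part of the original issue or of SSSD: it reports, for each host, whether its realm is pinned by a static [domain_realm] entry or would be left to an unauthenticated DNS TXT lookup. It assumes static entries are consulted before DNS, uses a simplified version of the documented host/.domain matching, and all realm and host names in the sample are constructed.

```python
import re

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE = """[libdefaults]
dns_lookup_realm = true
[realms]
EXAMPLE.COM = {
  kdc = kdc.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
legacy.example.net = EXAMPLE.COM
"""
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}  # assumed boolean spellings

def parse_krb5_conf(text):
    """Collect top-level 'key = value' pairs per [section]; skip { } sub-blocks."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth:  # inside a nested block such as a [realms] entry
            depth += line.count("{") - line.count("}")
        elif (m := re.fullmatch(r"\[(\w+)\]", line)):
            current = sections.setdefault(m.group(1), {})
        elif line.endswith("{"):
            depth = 1
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return sections

def static_realm(host, domain_realm):
    """Exact host entry first, then the most specific '.domain' entry (simplified)."""
    labels = host.lower().split(".")
    names = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((domain_realm[n] for n in names if n in domain_realm), None)

def audit(text, hosts):
    """Return (dns_lookup_realm enabled?, {host: how its realm would be chosen})."""
    conf = parse_krb5_conf(text)
    # An absent option is treated as off, which is the MIT krb5 default.
    dns_on = conf.get("libdefaults", {}).get("dns_lookup_realm", "false").lower() in TRUE_WORDS
    fallback = "dns-txt-unauthenticated" if dns_on else "no-dns-lookup"
    report = {}
    for host in hosts:
        realm = static_realm(host, conf.get("domain_realm", {}))
        report[host] = "static:" + realm if realm else fallback
    return dns_on, report
```

Hosts reported as dns-txt-unauthenticated are the ones whose realm a forged TXT reply could select; adding a [domain_realm] entry for them or disabling the option removes that dependency on DNS.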
Comment from jhrozek at 2017-02-24 14:43:01
Metadata Update from @jhrozek:
Comment from jhrozek at 2019-08-28 15:40:55
Metadata Update from @jhrozek:
Comment from pbrezina at 2020-03-24 14:23:11
Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Thank you for understanding.
Comment from pbrezina at 2020-03-24 14:23:12
Metadata Update from @pbrezina: