The Kerberos library provides a number of functions to set different options. SSSD should add new Kerberos provider options that allow setting these options where it makes sense. This ticket tracks the task to investigate these options.
This is the full list of krb5_get_init_creds_opt_set_* functions in krb5 1.9.1:
I will create individual tickets for new options that SSSD should get.
krb5_get_init_creds_opt_set_canonicalize is already being tracked in ticket #957.
We are already using the following options:
- krb5_get_init_creds_opt_set_renew_life
- krb5_get_init_creds_opt_set_fast_ccache_name
- krb5_get_init_creds_opt_set_fast_flags
- krb5_get_init_creds_opt_set_expire_callback
- krb5_get_init_creds_opt_set_tkt_life
I don't think it makes sense to implement the following options in SSSD:
- krb5_get_init_creds_opt_set_change_password_prompt - handled by SSSD itself
- krb5_get_init_creds_opt_set_out_ccache - functionality provided by krb5_ccachedir and krb5_ccname_template options
- krb5_get_init_creds_opt_set_etype_list - this seems like something that should be set globally in /etc/krb5.conf
- krb5_get_init_creds_opt_set_preauth_list - this seems like something that should be set globally in /etc/krb5.conf
- krb5_get_init_creds_opt_set_salt - currently seems not to be used anywhere in krb5 1.9. Moreover this seems like something that should be set globally in /etc/krb5.conf
- krb5_get_init_creds_opt_set_fast_ccache - this seems to be used in kpasswd code only in 1.9.
So far it seems we might want to add these options:
- krb5_get_init_creds_opt_set_address_list
- krb5_get_init_creds_opt_set_anonymous
- krb5_get_init_creds_opt_set_forwardable
- krb5_get_init_creds_opt_set_proxiable
- krb5_get_init_creds_opt_set_pa
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/968
Comments
Comment from jhrozek at 2011-08-16 13:25:14
Fields changed
type: defect => task
Comment from jhrozek at 2011-08-16 13:26:24
Nalin, does the above seem sane to you? Did I miss anything SSSD might benefit from (or vice versa)?
cc: => nalin
Comment from jhrozek at 2011-08-16 13:26:39
Fields changed
owner: somebody => jhrozek
status: new => assigned
Comment from dpal at 2011-08-18 15:09:05
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.7.0
Comment from jhrozek at 2011-09-20 12:42:58
Nalin provided his valuable feedback via email.
He advised on skipping the krb5_get_init_creds_opt_set_anonymous option as we probably won't be requesting it.
The krb5_get_init_creds_opt_set_pa would be required when we support PKINIT as the location of the client's PKI credentials is specified that way.
That means we should add the following options:
- krb5_get_init_creds_opt_set_preauth_list - ticket #997
Because each of the new options is now being tracked in a separate ticket, I'm closing this task.
resolution: => fixed
status: assigned => closed
Comment from sgallagh at 2012-01-30 22:07:15
Fields changed
rhbz: => 0
Comment from jhrozek at 2017-02-24 14:41:46
Metadata Update from @jhrozek: