Investigate adding new options to the Kerberos provider #2010
Assignees
Labels
Closed: Fixed
Issue was closed as fixed.
Comments
This was referenced May 2, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/968
The Kerberos library providers a number of functions to set different options. SSSD should add new Kerberos provider options that allow setting these options where it makes sense. This ticket tracks task to investigate these options.
This is the full list of
krb5_get_init_creds_opt_set_*functions in krb5 1.9.1:I will create individual tickets for new options that SSSD should get.
krb5_get_init_creds_opt_set_canonicalizeis already being tracked in ticket #957.We are already using the following options:
-
krb5_get_init_creds_opt_set_renew_life-
krb5_get_init_creds_opt_set_fast_ccache_name-
krb5_get_init_creds_opt_set_fast_flags-
krb5_get_init_creds_opt_set_expire_callback-
krb5_get_init_creds_opt_set_tkt_lifeI don't think it makes sense to implement the following options in SSSD:
-
krb5_get_init_creds_opt_set_change_password_prompt- handled by SSSD itself-
krb5_get_init_creds_opt_set_out_ccache- functionality provided by krb5_ccachedir and krb5_ccname_template options-
krb5_get_init_creds_opt_set_etype_list- this seems like something that should be set globally in /etc/krb5.conf-
krb5_get_init_creds_opt_set_preauth_list- this seems like something that should be set globally in /etc/krb5.conf-
krb5_get_init_creds_opt_set_salt- currently seems not to be used anywhere in krb5 1.9. Moreover this seems like something that should be set globally in /etc/krb5.conf-
krb5_get_init_creds_opt_set_fast_ccache- this seems to be used in kpasswd code only in 1.9.So far it seems we might want to add these options:
-
krb5_get_init_creds_opt_set_address_list-
krb5_get_init_creds_opt_set_anonymous-
krb5_get_init_creds_opt_set_forwardable-
krb5_get_init_creds_opt_set_proxiable-
krb5_get_init_creds_opt_set_paComments
Comment from jhrozek at 2011-08-16 13:25:14
Fields changed
type: defect => task
Comment from jhrozek at 2011-08-16 13:26:24
Nalin, does the above seem sane to you? Did I miss anything SSSD might benefit from (or vice versa)?
cc: => nalin
Comment from jhrozek at 2011-08-16 13:26:39
Fields changed
owner: somebody => jhrozek
status: new => assigned
Comment from dpal at 2011-08-18 15:09:05
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.7.0
Comment from jhrozek at 2011-09-20 12:42:58
Nalin provided his valuable feedback via email.
He advised on skipping the
krb5_get_init_creds_opt_set_anonymousoption as we probably won't be requesting it.The
krb5_get_init_creds_opt_set_pawould be required when we support PKINIT as the location of the client's PKI credentials is specified that way.That means we should add the following options:
- krb5_get_init_creds_opt_set_preauth_list - ticket #997
Because each of the new options is now being tracked in a separate ticket, I'm closing this task.
resolution: => fixed
status: assigned => closed
Comment from sgallagh at 2012-01-30 22:07:15
Fields changed
rhbz: => 0
Comment from jhrozek at 2017-02-24 14:41:46
Metadata Update from @jhrozek:
The text was updated successfully, but these errors were encountered: