[RFE] Kerberos canonicalization should be skipped on password-changes in AD provider #2447

@sssd-bot

Description

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/1405

  • Created at 2012-07-05 14:05:39 by sgallagh
  • Closed as Duplicate
  • Assigned to nobody

Active Directory 2008 R2 has a bug where it will return bad data if a password-change operation is performed with the 'canonicalize' option specified.

We need to handle this appropriately.

The current behavior in the AD provider is to disable canonicalization by default to avoid this issue. SSSD treats this option as global for both auth and chpass operations. This will need to be adjusted as well to address this issue.

Comments


Comment from dpal at 2012-07-05 15:43:47

Fields changed

milestone: NEEDS_TRIAGE => SSSD Kerberos Improvements Feature


Comment from dpal at 2012-07-12 18:56:44

Fields changed

rhbz: => todo


Comment from nalin at 2012-08-17 00:09:03

When we do this, we should take some additional cues from kpasswd: explicitly disabling the forwardable and proxiable flags (in case they're enabled by default in /etc/krb5.conf), setting the renewable lifetime to 0, and requesting a short ticket lifetime (kpasswd uses 5 minutes).

proposed_priority: => Undefined
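
An added example, not part of the original ticket or SSSD's code: a small audit of the [libdefaults] section of a krb5.conf for the defaults that the comment above says a password-change request should override explicitly (forwardable, proxiable, renewable lifetime, ticket lifetime), plus canonicalize from the issue description. The sample configuration is constructed, the function names are hypothetical, and duration parsing is simplified to `<number><d|h|m|s>` tokens and bare seconds.

```python
import re
# Added example: function names are hypothetical, SAMPLE is constructed.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
KPASSWD_TKT_LIFE = 300  # kpasswd's 5-minute ticket lifetime, per the comment

def libdefaults(conf_text):
    """Return top-level key/value pairs from the [libdefaults] section."""
    section, depth, out = None, 0, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1].strip(), 0
            continue
        if section != "libdefaults":
            continue
        if line.endswith("{"):      # nested { } blocks are skipped
            depth += 1
        elif line.startswith("}"):
            depth -= 1
        elif depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def seconds(value):
    """Simplified duration parser: '7d', '10h 30m', or bare seconds."""
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)\s*([dhms])", value.lower())
    return sum(int(n) * UNITS[u] for n, u in parts)

def chpass_overrides(conf_text):
    """List defaults a password-change ticket request must override."""
    cfg, needed = libdefaults(conf_text), []
    for flag in ("canonicalize", "forwardable", "proxiable"):
        if cfg.get(flag, "false").lower() in TRUE_WORDS:
            needed.append(f"{flag}=false")
    if seconds(cfg.get("renew_lifetime", "0")) > 0:
        needed.append("renew_lifetime=0")
    # An unset ticket_lifetime falls back to the 1-day library default.
    if seconds(cfg.get("ticket_lifetime", "24h")) > KPASSWD_TKT_LIFE:
        needed.append("ticket_lifetime=5m")
    return needed

SAMPLE = ("[libdefaults]\nforwardable = true\ncanonicalize = true\n"
          "proxiable = no\nrenew_lifetime = 7d\n")
```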


Comment from dpal at 2012-08-17 00:13:12

Fields changed

proposed_priority: Undefined => Core


Comment from dpal at 2012-09-04 23:20:18

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: SSSD Kerberos Improvements Feature => SSSD 1.10 beta


Comment from dpal at 2012-09-04 23:46:02

Fields changed

priority: minor => critical


Comment from dpal at 2012-10-25 14:47:19

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
summary: Kerberos canonicalization should be skipped on password-changes in AD provider => [RFE] Kerberos canonicalization should be skipped on password-changes in AD provider


Comment from sbose at 2012-11-14 16:59:36

Will be handled together with https://fedorahosted.org/sssd/ticket/1615 .

resolution: => duplicate
status: new => closed


Comment from dpal at 2012-11-15 21:31:25

Fields changed

rhbz: todo => 0


Comment from dpal at 2012-12-20 23:31:45

For tickets already closed set the field to "Want"

selected: => Want


Comment from sgallagh at 2017-02-24 14:46:42

Metadata Update from @sgallagh:

  • Issue set to the milestone: SSSD 1.10 beta
