[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-01-28 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals frozencemetery commented: """ > thanks for the effort. What would be your suggestion for the way forward? We > can add a configure check if the new functions are alre

[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-01-28 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals frozencemetery commented: """ The krb5 PR has merged upstream. For convenience, I've backported the two functions to Fedora rawhide starting in krb5-1.19-0.beta2.3.fc3

[SSSD] [sssd PR#5464][comment] BUILD: Accept krb5 1.19 for building the PAC plugin

2021-01-21 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5464 Title: #5464: BUILD: Accept krb5 1.19 for building the PAC plugin frozencemetery commented: """ Thanks for checking. It was not my intent to indicate strong opposition, merely to raise the question. It sounds like SSSD is

[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-01-19 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals frozencemetery commented: """ Hi, you've written "fixed" below several things, but the code isn't changed. Are you missing a push? """ See

[SSSD] [sssd PR#5464][comment] BUILD: Accept krb5 1.19 for building the PAC plugin

2021-01-19 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5464 Title: #5464: BUILD: Accept krb5 1.19 for building the PAC plugin frozencemetery commented: """ Understood, but... right now all that happens is sssd fails to build until someone goes and looks. I can try to remember that you

[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-01-14 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals frozencemetery commented: """ (krb5 discussion PR: https://github.com/krb5/krb5/pull/1153 ) """ See the full comment at https://github.com/SSSD/sssd/pu

[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals

2021-01-08 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals frozencemetery commented: """ (I'll want to review this once it passes CI.) """ See the full comment at https://github.com/SSSD/ss

[SSSD] [sssd PR#5407][comment] kcm: check socket path loaded from configuration

2020-11-24 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5407 Title: #5407: kcm: check socket path loaded from configuration frozencemetery commented: """ Thanks! """ See the full comment at https://github.com/SSSD/sssd/pull/5407#issuecomment-733217119

[SSSD] [sssd PR#5407][comment] kcm: check socket path loaded from configuration

2020-11-18 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5407 Title: #5407: kcm: check socket path loaded from configuration frozencemetery commented: """ The idea behind failing fast is that it's very clear to the admin that it's broken. But some projects don't like that :

[SSSD] [sssd PR#5407][comment] kcm: check socket path loaded from configuration

2020-11-17 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5407 Title: #5407: kcm: check socket path loaded from configuration frozencemetery commented: """ (1) seems good - this is what krb5 does (minus the logging). (2) seems bad. Admin configuration shouldn't be overridden. If it

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-28 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication frozencemetery commented: """ > the patches are not yet ready to be reviewed again. Okay, just ping me when you want another review and I'll take a look. "

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-20 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication frozencemetery commented: """ I have started review though this is large and will take a bit. Though on that subject: this is a fairly sizable change, and I don

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-15 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication frozencemetery commented: """ (I plan to review this once CI passes.) """ See the full comment at https://github.com/SSSD/sssd/pu

[SSSD] [sssd PR#904][comment] KCM: Set kdc_offset to zero initially

2019-10-18 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/904 Title: #904: KCM: Set kdc_offset to zero initially frozencemetery commented: """ Thanks for your patience while I was PTO. In the abstract, I think that 0 makes a lot more sense as an "unset" value than INT32_MAX :) rhbz#17

[SSSD] [sssd PR#883][comment] Minor fixes to util/sss_krb5

2019-09-19 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/883 Title: #883: Minor fixes to util/sss_krb5 frozencemetery commented: """ Yes, of course I object! You're claiming a double free; there's no double free. You haven't found a security bug; you've found nothing a

[SSSD] [sssd PR#883][comment] Minor fixes to util/sss_krb5

2019-09-19 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/883 Title: #883: Minor fixes to util/sss_krb5 frozencemetery commented: """ I'm kind of confused that you think that, since we pretty clearly disagree: you claim that you've found a double-free, and I'm telling you that

[SSSD] [sssd PR#838][comment] FIPS140 compliant usage of PRNG

2019-06-27 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/838 Title: #838: FIPS140 compliant usage of PRNG frozencemetery commented: """ In the FIPS case, you need to fail if RAND_bytes() fails; otherwise you're noncompliant. If you want to use that in non-FIPS as well, I don't kn

[SSSD] [sssd PR#838][comment] FIPS140 compliant usage of PRNG

2019-06-27 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/838 Title: #838: FIPS140 compliant usage of PRNG frozencemetery commented: """ IMO, you should be using `getrandom()` (with no flags) in preference to srand, or reading /dev/[u]random, etc. You're guaranteed to have getrandom from

[SSSD] [sssd PR#415][comment] Revert "IPA: Only generate kdcinfo files on clients"

2017-10-19 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/415 Title: #415: Revert "IPA: Only generate kdcinfo files on clients" frozencemetery commented: """ Yeah, this is an alright workaround for now. I do plan to fix this misbehavior in krb5, but you should do this in the meantime.

[SSSD] [sssd PR#214][comment] UTIL: Set udp_preference_limit=0 in krb5 snippet

2017-07-28 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/214 Title: #214: UTIL: Set udp_preference_limit=0 in krb5 snippet frozencemetery commented: """ @fidencio I don't know the codebase well enough to give ack, sorry (just to complain about krb5 bits 😄). """ See the full

[SSSD] [sssd PR#214][comment] UTIL: Set udp_preference_limit=0 in krb5 snippet

2017-07-27 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/214 Title: #214: UTIL: Set udp_preference_limit=0 in krb5 snippet frozencemetery commented: """ @fidencio it looks like it's been addressed. Thanks for checking! """ See the full comment at https://github.com/SSSD/s

[SSSD] [sssd PR#331][comment] KCM: temporary increase hardcoded buffers

2017-07-21 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/331 Title: #331: KCM: temporary increase hardcoded buffers frozencemetery commented: """ Per @simo5's comments in the linked bug, tickets can easily reach 65k, so this limit should maybe be higher. """ See the full

[SSSD] [sssd PR#214][comment] UTIL: Set udp_preference_limit=0 in krb5 snippet

2017-03-28 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/214 Title: #214: UTIL: Set udp_preference_limit=0 in krb5 snippet frozencemetery commented: """ I read the associated bug as suggesting doing this only when using AD, but this patch does it unconditionally. I would prefer not doing this