URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
Pushed PR: https://github.com/SSSD/sssd/pull/5367
* `master`
* d09aa174b04a825979f31c61b05239de088a732f - pam: add pam_sss_gss module
for gssapi authent
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
The rawhide failure is expected and the rhel8 failure is due to an issue in the
CI runner.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/53
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
Gundersanne commented:
"""
Hai,
So cockpit's perspective to this patch as I understand it:
Cockpit would build an s4u ccache using gssapi. This means that the ccache we'd
use has th
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
Hi,
thanks for your patience, ACK. I will set the label when the CI checks are done.
bye,
Sumit
"""
See the full comment at
https://github.com/SSSD/sssd/p
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
Thank you. Here's a diff:
```diff
diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml
index d4bb705e3..ce5b11bff 100644
--- a/src/man/pam_sss_gs
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
Hi,
thanks for the updates, all my tests are working well. There is a missing
`` in the pam_sss_gss man page.
I like the idea using `-` to unset an option,
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
Please, see new changes.
1. Only canonical UPN is returned and it is used only as a hint - if we fail
to obtain credentials for the principal we try again an
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
We can read user's UPN and send it to the PAM module, then request credentials
for this principal in `gss_acquire_cred_from`. This should resolve both
concern
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
> > A related item are ccache types which can handle multiple TGTs. Currently
> > the 'active' TGT is used and if the PAM responder would check if the
> >
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
abbra commented:
"""
> While testing I came across a behavior which can be a bug or a feature and we
> should decide how to handle and/or document it.
>
> Currently authentication wi
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
> KRB5CCNAME is now respected, if it is set in env_keep in sudoers (or ldap
> rules). And I
> [asked](https://www.sudo.ws/pipermail/sudo-workers/2020-Novemb
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
KRB5CCNAME is now respected, if it is set in env_keep in sudoers (or ldap
rules). And I
[asked](https://www.sudo.ws/pipermail/sudo-workers/2020-November/00130
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
> No, if I put getenv directly in the module it is empty unless it is
> whitelisted in env_keep.
Ok, thanks, good to know that /proc/PID/environ might not c
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
No, if I put getenv directly in the module it is empty unless it is whitelisted
in env_keep.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/53
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
> > while testing this PR it looks like `KRB5CCNAME` is not respected. If the
> > user uses a different ccache type as defined in `/etc/krb5.conf` or if wi
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
abbra commented:
"""
You can pass `ccache` in client creds store you pass to
`gss_acquire_cred_from()`. You are already using `keytab` there, passing
`ccache` will make use of the cc
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
> while testing this PR it looks like `KRB5CCNAME` is not respected. If the
> user uses a different ccache type as defined in `/etc/krb5.conf` or if with
>
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
sumit-bose commented:
"""
Hi,
while testing this PR it looks like `KRB5CCNAME` is not respected. If the
user uses a different ccache type as defined in `/etc/krb5.conf` or if with
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
It's ready for next round. The remaining question is about the proper flag for
gssapi otherwise I answered or resolved everything. The issues were mostly
cosm
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
frozencemetery commented:
"""
> the patches are not yet ready to be reviewed again.
Okay, just ping me when you want another review and I'll take a look.
"""
See the full comment at
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
GitHub hides lots of "conversations" from me so there are many unsolved issues
so the patches are not yet ready to be reviewed again.
"""
See the full comment
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
Patches were updated.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5367#issuecomment-717188997
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
> Though on that subject: this is a fairly sizable change, and I don't see
> anything in the way of tests for it. Have I missed something?
We don't currently
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
frozencemetery commented:
"""
I have started review though this is large and will take a bit.
Though on that subject: this is a fairly sizable change, and I don't see
anything in the
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
pbrezina commented:
"""
Thank you. Tests pass, rhel7 and rhel8 failures are not related (infrastructure
issues).
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5367#i
URL: https://github.com/SSSD/sssd/pull/5367
Title: #5367: pam: add pam_sss_gss module for gssapi authentication
frozencemetery commented:
"""
(I plan to review this once CI passes.)
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5367#issuecomment-709594169