[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-16 Thread sumit-bose
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication sumit-bose commented: """ Pushed PR: https://github.com/SSSD/sssd/pull/5367 * `master` * d09aa174b04a825979f31c61b05239de088a732f - pam: add pam_sss_gss module for gssapi authent

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-11 Thread sumit-bose
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication sumit-bose commented: """ The rawhide failure is expected and the rhel8 failure is due to an issue in the CI runner. """ See the full comment at https://github.com/SSSD/sssd/pull/53

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-11 Thread Gundersanne
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication Gundersanne commented: """ Hai, So cockpit's perspective to this patch as I understand it: Cockpit would build an s4u ccache using gssapi. This means that the ccache we'd use has th

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-11 Thread sumit-bose
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication sumit-bose commented: """ Hi, thanks for your patience, ACK. I will set the label when the CI checks are done. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/p

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-11 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ Thank you. Here's a diff: ```diff diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml index d4bb705e3..ce5b11bff 100644 --- a/src/man/pam_sss_gs

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-11 Thread sumit-bose
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication sumit-bose commented: """ Hi, thanks for the updates, all my tests are working well. There is a missing `` in the pam_sss_gss man page. I like the idea using `-` to unset an option,

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-10 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ Please, see new changes. 1. Only canonical UPN is returned and it is used only as a hint - if we fail to obtain credentials for the principal we try again an

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-07 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ We can read user's UPN and send it to the PAM module, then request credentials for this principal in `gss_acquire_cred_from`. This should resolve both concern

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-04 Thread sumit-bose
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication sumit-bose commented: """ > > A related item are ccache types which can handle multiple TGTs. Currently > > the 'active' TGT is used and if the PAM responder would check if the > >

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-04 Thread abbra
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication abbra commented: """ > While testing I came across a behavior which can be a bug or a feature and we > should decide how to handle and/or document it. > > Currently authentication wi

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-12-04 Thread sumit-bose
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication sumit-bose commented: """ > KRB5CCNAME is now respected, if it is set in env_keep in sudoers (or ldap > rules). And I > [asked](https://www.sudo.ws/pipermail/sudo-workers/2020-Novemb

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-11-30 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ KRB5CCNAME is now respected, if it is set in env_keep in sudoers (or ldap rules). And I [asked](https://www.sudo.ws/pipermail/sudo-workers/2020-November/00130

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-11-27 Thread sumit-bose
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication sumit-bose commented: """ > No, if I put getenv directly in the module it is empty unless it is > whitelisted in env_keep. Ok, thanks, good to know that /proc/PID/environ might not c

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-11-27 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ No, if I put getenv directly in the module it is empty unless it is whitelisted in env_keep. """ See the full comment at https://github.com/SSSD/sssd/pull/53

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-11-26 Thread sumit-bose
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication sumit-bose commented: """ > > while testing this PR it looks like `KRB5CCNAME` is not respected. If the > > user uses a different ccache type as defined in `/etc/krb5.conf` or if wi

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-11-26 Thread abbra
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication abbra commented: """ You can pass `ccache` in client creds store you pass to `gss_acquire_cred_from()`. You are already using `keytab` there, passing `ccache` will make use of the cc

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-11-26 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ > while testing this PR it looks like `KRB5CCNAME` is not respected. If the > user uses a different ccache type as defined in `/etc/krb5.conf` or if with >

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-11-25 Thread sumit-bose
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication sumit-bose commented: """ Hi, while testing this PR it looks like `KRB5CCNAME` is not respected. If the user uses a different ccache type as defined in `/etc/krb5.conf` or if with

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-29 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ It's ready for next round. The remaining question is about the proper flag for gssapi otherwise I answered or resolved everything. The issues were mostly cosm

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-28 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication frozencemetery commented: """ > the patches are not yet ready to be reviewed again. Okay, just ping me when you want another review and I'll take a look. """ See the full comment at

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-27 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ GitHub hides lots of "conversations" from me, so there are many unsolved issues, so the patches are not yet ready to be reviewed again. """ See the full comment

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-27 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ Patches were updated. """ See the full comment at https://github.com/SSSD/sssd/pull/5367#issuecomment-717188997

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-27 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ > Though on that subject: this is a fairly sizable change, and I don't see > anything in the way of tests for it. Have I missed something? We don't currently

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-20 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication frozencemetery commented: """ I have started review though this is large and will take a bit. Though on that subject: this is a fairly sizable change, and I don't see anything in the

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-16 Thread pbrezina
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication pbrezina commented: """ Thank you. Tests pass, rhel7 and rhel8 failures are not related (infrastructure issues). """ See the full comment at https://github.com/SSSD/sssd/pull/5367#i

[SSSD] [sssd PR#5367][comment] pam: add pam_sss_gss module for gssapi authentication

2020-10-15 Thread frozencemetery
URL: https://github.com/SSSD/sssd/pull/5367 Title: #5367: pam: add pam_sss_gss module for gssapi authentication frozencemetery commented: """ (I plan to review this once CI passes.) """ See the full comment at https://github.com/SSSD/sssd/pull/5367#issuecomment-709594169