-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/19/2009 07:58 AM, Sumit Bose wrote:
> On Wed, Nov 18, 2009 at 05:13:30PM -0500, Stephen Gallagher wrote:
>> On 11/13/2009 09:29 AM, Sumit Bose wrote:
>>> On Thu, Nov 12, 2009 at 01:46:39PM -0500, Stephen Gallagher wrote:
>>>> On 11/12/2009 06:46 AM, Sumit Bose wrote:
>>>>> Hi,
>>>>>
>>>>> this patch adds the possibility to validate the credentials obtained from
>>>>> a Kerberos server with a local keytab. The boolean option krb5_validate
>>>>> switches the validation on and off. It is disabled by default in the
>>>>> Kerberos provider and enabled by default in the IPA provider.
>>>>>
>>>>> Typically root privileges are needed to read a keytab. As a consequence,
>>>>> if validation is enabled the privileges cannot be dropped before starting
>>>>> krb5_child, but only after reading the keytab.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>> _______________________________________________
>>>>> sssd-devel mailing list
>>>>> sssd-devel@lists.fedorahosted.org
>>>>> https://fedorahosted.org/mailman/listinfo/sssd-devel
>>>>
>>>> Nack.
>>>>
>>>> In the sssd-ipa manpage, I think we should change the "please note" to
>>>> "Please note that this default differs from the traditional kerberos
>>>> provider backend."
>>>>
>>>> I think that referring to the "underlying Kerberos provider" makes it
>>>> unclear.
>>>
>>> done
>>>
>>>> In create_send_buffer(), you assign buf->size based on sizeof(int), but
>>>> you're using uint32_t for the actual data. This is a waste of memory on
>>>> 64-bit integer systems, and a serious error on a 16-bit integer system.
>>>> (Not that we ever expect to support such a system.) If you're copying in
>>>> a 32-bit number, please guarantee that the space is allocated for a
>>>> 32-bit number.
>>>
>>> done
>>>
>>>> Please add a comment in fork_child() stating why the value of
>>>> KRB5_VALIDATE dictates whether to assume the user's identity.
>>>
>>> done
>>>
>>>> I think this is a serious error: you're only validating against the
>>>> first entry in the keytab. It's possible for a keytab to have many
>>>> different principals, as well as multiple enctypes for the same
>>>> principal. We need to iterate through all keytab entries and test first
>>>> for the principal we need to validate against and not fail until all
>>>> enctypes for the sought-after principal have been tried.
>>>
>>> ok, I look for the first key with a matching realm or try the last one
>>> in the keytab file.
>>>
>>>> get_and_save_tgt(): Again a comment would be nice around become_user()
>>>> noting that it was being done here after being deferred from earlier so
>>>> that we can validate the TGT.
>>>
>>> done
>>>
>>>> General question: if we're moving where become_user() is called, will
>>>> this affect our SELinux policy?
>>>
>>> I think it will not affect the policy, because the krb5_child inherits
>>> the SELinux labels from the parent, but I will check with Dan.
>>>
>>> bye,
>>> Sumit
>>
>> Nack.
>> If you're adding new options to the SSSDConfig API, please run the
>> SSSDConfigTest.py in-tree. You need to update its expected results here
>> because you've set an explicit default.
>
> Sorry, I didn't realise that I need to add the options more than once.
> New version attached.
>
> bye,
> Sumit

Ack.

- --
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAksFVL4ACgkQeiVVYja6o6MkdQCgq92O83Qq8IO0UXKYqL/D6rrk
fUwAnROWCD5JNv4lIuuZfyikxC+Ni1l9
=xMcQ
-----END PGP SIGNATURE-----
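Added illustration, not code from the SSSD patch under review or from the sssd tree: the review point in the thread is that a keytab can hold several principals and several enctypes (and kvnos) for the same principal, so TGT validation has to walk every entry for the service principal rather than stop at the first one. The Python below (chosen over the project's C so it runs without libkrb5) parses the MIT keytab file format (version bytes 0x05 0x02), builds a small constructed keytab inline, and contrasts the two selection strategies mentioned above: collecting every key for the sought principal versus taking the first entry in the realm, or else the last entry in the file. The helper names (parse_keytab, candidate_keys, first_realm_match_or_last, build_keytab), the principal names, kvnos and key bytes are all made up for this example; the actual check of the obtained TGT against a selected key (krb5_verify_init_creds in libkrb5) is not performed here.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Added example (not SSSD code): a reader for the MIT keytab format (version 0x0502).
# Each entry is: int32 size, uint16 num_components, counted realm, num_components
# counted components, uint32 name_type, uint32 timestamp, uint8 vno8,
# uint16 enctype, counted key, then an optional uint32 kvno if bytes remain.
# A negative size marks a deleted slot of |size| bytes.

@dataclass
class KeytabEntry:
    principal: str   # e.g. "host/client.example.com@EXAMPLE.COM"
    realm: str
    enctype: int     # 18 = aes256-cts-hmac-sha1-96, 23 = rc4-hmac
    kvno: int
    key: bytes


def _counted(data: bytes, off: int):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, off = [], 2
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                      # deleted slot: skip |size| bytes of dead space
            off -= size
            continue
        body, off = blob[off:off + size], off + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", body, p); p += 2
        realm, p = _counted(body, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(body, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", body, p); p += 9
        (enctype,) = struct.unpack_from(">H", body, p); p += 2
        key, p = _counted(body, p)
        kvno = vno8
        if len(body) - p >= 4:            # 32-bit kvno present: it wins when non-zero
            (vno32,) = struct.unpack_from(">I", body, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   realm.decode(), enctype, kvno, key))
    return entries


def candidate_keys(entries, principal) -> List[KeytabEntry]:
    """Every entry for the principal, in keytab order. A validator must try each
    enctype/kvno in this list and only fail once all of them have been rejected."""
    return [e for e in entries if e.principal == principal]


def first_realm_match_or_last(entries, realm) -> Optional[KeytabEntry]:
    """The single-entry heuristic described in the thread: first entry in the
    realm, else the last entry in the file. It yields at most one key, so a
    second enctype for the same principal is never tried."""
    for e in entries:
        if e.realm == realm:
            return e
    return entries[-1] if entries else None


# --- constructed sample keytab (made-up principals, kvnos and key bytes) ---

def _counted_bytes(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(specs) -> bytes:
    """Serialize (principal, enctype, kvno, key) tuples in the format parsed above."""
    out = b"\x05\x02"
    for principal, enctype, kvno, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted_bytes(realm.encode())
        for c in comps:
            body += _counted_bytes(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted_bytes(key)
        body += struct.pack(">I", kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


HOST_PRINC = "host/client.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (HOST_PRINC, 23, 3, b"\x11" * 16),                   # rc4-hmac key for the host principal
    (HOST_PRINC, 18, 3, b"\x22" * 32),                   # aes256 key for the same principal
    ("nfs/client.example.com@EXAMPLE.COM", 18, 2, b"\x33" * 32),
    ("host/client.example.com@OTHER.REALM", 18, 1, b"\x44" * 32),
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    print("all keys for", HOST_PRINC,
          [(e.enctype, e.kvno) for e in candidate_keys(ents, HOST_PRINC)])
    one = first_realm_match_or_last(ents, "EXAMPLE.COM")
    print("first-in-realm heuristic picks only enctype", one.enctype)
```

Run stand-alone, the script shows that candidate_keys returns both the rc4-hmac and the aes256 key for the host principal, while the first-in-realm heuristic returns only the rc4-hmac one; if the KDC had issued the TGT under the aes256 key, a validator that stops at the first entry would reject a good ticket. The ordering point from the thread is separate from key selection: the keytab has to be read while the process is still root, and the switch to the user's identity happens only after that.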