On 11/19/2009 09:22 AM, Stephen Gallagher wrote:
> On 11/19/2009 07:58 AM, Sumit Bose wrote:
>> On Wed, Nov 18, 2009 at 05:13:30PM -0500, Stephen Gallagher wrote:
>>> On 11/13/2009 09:29 AM, Sumit Bose wrote:
>>>> On Thu, Nov 12, 2009 at 01:46:39PM -0500, Stephen Gallagher wrote:
>>>>> On 11/12/2009 06:46 AM, Sumit Bose wrote:
>>>>>> Hi,
>>>>>>
>>>>>> this patch adds the possibility to validate the credentials obtained
>>>>>> from a Kerberos server with a local keytab. The boolean option
>>>>>> krb5_validate switches the validation on and off. It is disabled by
>>>>>> default in the kerberos provider and enabled by default in the IPA
>>>>>> provider.
>>>>>>
>>>>>> Typically root privileges are needed to read a keytab. As a
>>>>>> consequence, if validation is enabled the privileges cannot be
>>>>>> dropped before starting krb5_child, but only after reading the
>>>>>> keytab.
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>>
>>>>>> _______________________________________________
>>>>>> sssd-devel mailing list
>>>>>> sssd-devel@lists.fedorahosted.org
>>>>>> https://fedorahosted.org/mailman/listinfo/sssd-devel
>>>>>
>>>>> Nack.
>>>>>
>>>>> In the sssd-ipa manpage, I think we should change the "please note" to
>>>>> "Please note that this default differs from the traditional kerberos
>>>>> provider backend."
>>>>>
>>>>> I think that referring to the "underlying Kerberos provider" makes it
>>>>> unclear.
>>>>
>>>> done
>>>>
>>>>> In create_send_buffer(), you assign buf->size based on sizeof(int), but
>>>>> you're using uint32_t for the actual data. This is a waste of memory on
>>>>> 64-bit integer systems, and a serious error on a 16-bit integer system.
>>>>> (Not that we ever expect to support such a system.) If you're copying
>>>>> in a 32-bit number, please guarantee that the space is allocated for a
>>>>> 32-bit number.
>>>>
>>>> done
>>>>
>>>>> Please add a comment in fork_child() stating why the value of
>>>>> KRB5_VALIDATE dictates whether to assume the user's identity.
>>>>
>>>> done
>>>>
>>>>> I think this is a serious error: you're only validating against the
>>>>> first entry in the keytab. It's possible for a keytab to have many
>>>>> different principals, as well as multiple enctypes for the same
>>>>> principal. We need to iterate through all keytab entries and test first
>>>>> for the principal we need to validate against and not fail until all
>>>>> enctypes for the sought-after principal have been tried.
>>>>
>>>> ok, I look for the first key with a matching realm or try the last one
>>>> in the keytab file.
>>>>
>>>>> get_and_save_tgt(): Again a comment would be nice around become_user()
>>>>> noting that it was being done here after being deferred from earlier so
>>>>> that we can validate the TGT.
>>>>
>>>> done
>>>>
>>>>> General question: if we're moving where become_user() is called, will
>>>>> this affect our SELinux policy?
>>>>
>>>> I think it will not affect the policy, because the krb5_child inherits
>>>> the SELinux labels from the parent, but I will check with Dan.
>>>>
>>>> bye,
>>>> Sumit
>>>
>>> Nack.
>>> If you're adding new options to the SSSDConfig API, please run the
>>> SSSDConfigTest.py in-tree. You need to update its expected results here
>>> because you've set an explicit default.
>>
>> Sorry, I didn't realise that I need to add the options more than once.
>> New version attached.
>>
>> bye,
>> Sumit
>
> Ack.
Pushed to master.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
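The keytab-iteration point raised in the review above, as an added example that is not SSSD's code: a constructed in-memory model of keytab entries stands in for libkrb5's keytab cursor, and a callback stands in for the verification step (krb5_verify_init_creds() in libkrb5; assumed, not taken from the thread). It contrasts the first-entry-only behaviour the reviewer objects to with the walk-all-entries behaviour he asks for; the principal names, enctype numbers and sample keytab are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed in-memory model of a keytab entry; not libkrb5's krb5_keytab_entry. */
struct kt_entry {
    const char *principal;  /* "service/host@REALM" */
    int32_t enctype;        /* 17 = aes128-cts, 18 = aes256-cts, 23 = rc4-hmac */
};
/* Stand-in for the verification step (krb5_verify_init_creds() in the real code):
 * returns 0 when the TGT verifies against this entry's key, non-zero otherwise. */
typedef int (*verify_fn)(const struct kt_entry *e, void *ctx);

/* Behaviour the review objects to: only the first keytab entry is tried, so a
 * keytab whose first entry is another principal, or another enctype, fails
 * validation spuriously. Returns the index used, or -1 on failure. */
int validate_first_entry(const struct kt_entry *kt, size_t n,
                         const char *wanted, verify_fn verify, void *ctx)
{
    if (n == 0 || strcmp(kt[0].principal, wanted) != 0) return -1;
    return verify(&kt[0], ctx) == 0 ? 0 : -1;
}

/* Behaviour the review asks for: walk every entry, skip other principals and
 * give up only after every enctype for the wanted principal has been tried.
 * Returns the index of the entry that verified, or -1. */
int validate_all_entries(const struct kt_entry *kt, size_t n,
                         const char *wanted, verify_fn verify, void *ctx)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(kt[i].principal, wanted) != 0) continue;
        if (verify(&kt[i], ctx) == 0) return (int)i;
        /* wrong enctype for this TGT: try the next entry instead of failing */
    }
    return -1;
}

/* Constructed verifier: the TGT was issued with the enctype pointed to by ctx,
 * so only a key of that enctype verifies. */
int verify_by_enctype(const struct kt_entry *e, void *ctx)
{
    return e->enctype == *(const int32_t *)ctx ? 0 : 1;
}

/* Constructed sample keytab: host key first, then the service key in two enctypes. */
const struct kt_entry sample_kt[] = {
    { "host/ipa.example.test@EXAMPLE.TEST", 23 },
    { "HTTP/ipa.example.test@EXAMPLE.TEST", 17 },
    { "HTTP/ipa.example.test@EXAMPLE.TEST", 18 },
};
const size_t sample_kt_len = sizeof(sample_kt) / sizeof(sample_kt[0]);
int32_t enc_aes256 = 18, enc_aes128 = 17, enc_rc4 = 23;  /* constructed TGT enctypes */
```

With a TGT issued under aes256, the first-entry-only variant fails because the host key sits first in the keytab, while the full walk finds the matching HTTP key at index 2.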