On Mon, 2012-07-09 at 18:00 +0200, Sumit Bose wrote:
> On Thu, Jul 05, 2012 at 03:05:37PM -0400, Simo Sorce wrote:
> > On Thu, 2012-07-05 at 21:01 +0200, Sumit Bose wrote:
> > > On Thu, Jul 05, 2012 at 01:30:02PM -0400, Simo Sorce wrote:
> > > > On Thu, 2012-07-05 at 18:51 +0200, Sumit Bose wrote:
> > > > > On Thu, Jul 05, 2012 at 09:12:16AM -0400, Simo Sorce wrote:
> > > > > > On Thu, 2012-07-05 at 14:06 +0200, Sumit Bose wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > this patch added the checks requested in ticket #1382 to the PAC
> > > > > > > responder. The check itself can be found in the common responder
> > > > > > > code. It can be used by all responders, but currently only the PAC
> > > > > > > responder uses it.
> > > > > > >
> > > > > > > I took a quite strict default here, i.e. only root is allowed to
> > > > > > > access the PAC responder by default. Is this too restrictive?
> > > > > >
> > > > > > Patch looks good, but I wonder why you do not allow specifying user
> > > > > > names, a getpwnam() is not too expensive.
> > > > >
> > > > > yes, but I think this way is more robust because I expect that someone
> > > > > will have some system accounts served by sssd, see e.g.
> > > > > https://fedorahosted.org/sssd/ticket/1357 . But if you prefer I can
> > > > > add a loop with getpwnam() at startup time.
> > > >
> > > > I think we can express the problems with using usernames in the man
> > > > page.
> > > >
> > > > If this list is generated after the sssd_nss responder is started
> > > > though, we should have no issues resolving any name even if sssd itself
> > > > provides them (assuming you unset the env variable that prevents loops
> > > > in the PAC responder).
> > >
> > > Ok, then I will change it to accept usernames. Shall it be usernames
> > > only or usernames and UIDs (and if the second, what about numerical
> > > usernames :-)
> >
> > Usernames and uids, a numeric only string is always a uid.
>
> ok, new version attached.

Ack.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
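
The rule agreed in the thread above (a list of user names and UIDs, where a numeric-only string is always a UID and anything else goes through getpwnam()), as an added C example; it is not the attached patch or SSSD code. The function names and the comma-separated list format are assumptions made for illustration.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* An all-digit entry is always a UID, never a user name; anything else is
 * resolved with getpwnam(). Returns 0 on success, -1 on failure. */
static int entry_to_uid(const char *s, uid_t *out)
{
    if (*s == '\0') return -1;
    if (s[strspn(s, "0123456789")] == '\0') {
        /* Overflow yields ULONG_MAX, which the range check also rejects. */
        unsigned long v = strtoul(s, NULL, 10);
        if (v >= (uid_t)-1) return -1;      /* (uid_t)-1 is the "invalid" UID */
        *out = (uid_t)v;
        return 0;
    }
    struct passwd *pw = getpwnam(s);        /* name must resolve at parse time */
    if (pw == NULL) return -1;
    *out = pw->pw_uid;
    return 0;
}

/* Parse "root, 1000, someuser" into uids[]. Any bad entry fails the whole list (-1). */
int parse_allowed_uids(const char *list, uid_t *uids, size_t max)
{
    size_t n = 0;
    const char *p = list;
    while (*p != '\0') {
        char tok[64];
        const char *end = strchr(p, ',');
        if (end == NULL) end = p + strlen(p);
        const char *b = p, *e = end;
        while (b < e && isspace((unsigned char)*b)) b++;
        while (e > b && isspace((unsigned char)e[-1])) e--;
        size_t len = (size_t)(e - b);
        if (len == 0 || len >= sizeof(tok) || n == max) return -1;
        memcpy(tok, b, len);
        tok[len] = '\0';
        if (entry_to_uid(tok, &uids[n++]) != 0) return -1;
        p = (*end == ',') ? end + 1 : end;
    }
    return (int)n;
}

/* The access check: is the connecting client's UID on the parsed list? */
int uid_is_allowed(uid_t client, const uid_t *uids, size_t n)
{
    while (n-- > 0) if (uids[n] == client) return 1;
    return 0;
}
```

Failing the whole list on one unresolvable entry means a typo in the configuration is reported at startup instead of silently changing who may connect.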