On Tue, Jun 25, 2013 at 02:05:52PM +0200, Jakub Hrozek wrote:
> On Tue, Jun 25, 2013 at 11:25:32AM +0200, Sumit Bose wrote:
> > On Mon, Jun 24, 2013 at 06:22:35PM +0200, Jakub Hrozek wrote:
> > > On Mon, Jun 24, 2013 at 04:28:10PM +0100, David Woodhouse wrote:
> > > > On Mon, 2013-06-24 at 17:01 +0200, Jakub Hrozek wrote:
> > > > > On Mon, Jun 24, 2013 at 04:59:33PM +0200, Jakub Hrozek wrote:
> > > > > > On Mon, Jun 24, 2013 at 04:23:46PM +0200, Sumit Bose wrote:
> > > > > > > Hi,
> > > > > > > 
> > > > > > > David Woodhouse identified an issue with Kerberos ticket renewal.
> > > > > > > The two attached patches fix two issues related to the authtok
> > > > > > > refactoring, which makes renewal work for me again.
> > > > > > > 
> > > > > > > bye,
> > > > > > > Sumit
> > > > > > 
> > > > > > Works for me, too. Ack.
> > > > > 
> > > > > Pushed both to master.
> > > > 
> > > > An improvement, but still not working.
> > > > 
> > > > Firstly I have to revert commit 3438815242464a963c0d3a70f16579723a20b52d
> > > > ("LDAP: Retry SID search based on result of LDAP search, not the return
> > > > code") because otherwise I can't log in at all (I sent logs in private
> > > > mail).
> > > > 
> > > 
> > > The login failure is not related to the commit per se, the commit is
> > > actually correct and gets you further in the login process, but then you
> > > hit the old bug with the referral. I'm still not quite sure why SSSD
> > > decided to contact LDAP there and not the GC.
> > > 
> > > > Then it does actually seem to be *trying* to renew, but I get the
> > > > following:
> > > > 
> > > 
> > > [snip]
> > > 
> > > > FWIW running 'kinit -R' manually does work.
> > > 
> > > As discussed on #sssd, this is a bug in how we renew enterprise
> > > principals.
> > 
> > The attached patch should fix the issue by not using enterprise
> > principals for renewals. David was kind enough to test it and gave
> > positive feedback via IRC.
> > 
> > bye,
> > Sumit
> 
> The code looks good to me and David confirmed off-list that it fixed his
> issue, too.
> 
> Ack.

Pushed to master.