On Mon, Apr 27, 2015 at 10:32:03AM +0200, Jakub Hrozek wrote:
> Sure, I will add a more explicit note once we agree what the mechanism
> would be.

I modified the design page to agree with this discussion:
https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts?action=diff&version=10&old_version=9

The changes include:
- noted that we fetch all enctypes from IPA and that IPA is responsible
  for filtering/requesting the right keytabs
- note we would prune and fetch the keytabs on restart. If we see during
  development that this is taking too much time, we can back off.
- there is a note that inbound trusts are ignored
- there is a note why we're calling ipa-getkeytab explicitly and why we
  might consider moving to calling the extop ourselves in the future
- keytab comparison is spelled out more explicitly (keys are compared)
  and there is an explicit note that krb5 calls don't hurt because the
  keytab is owned by the sssd user already.

I'll file the per-task tickets now.