On Tue, 28 Apr 2015, Jakub Hrozek wrote:
> On Mon, Apr 27, 2015 at 10:32:03AM +0200, Jakub Hrozek wrote:
>> Sure, I will add a more explicit note once we agree what the mechanism
>> would be.
>
> I modified the design page to agree with this discussion:
> https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts?action=diff&version=10&old_version=9
>
> The changes include:
>   - noted that we fetch all enctypes from IPA and that IPA is
>     responsible for filtering/requesting the right keytabs
>   - note we would prune and fetch the keytabs on restart. If we see
>     during development that this is taking too much time, we can back
>     off.
>   - there is a note that inbound trusts are ignored
>   - there is a note why we're calling ipa-getkeytab explicitly and why
>     we might consider moving to calling the extop ourselves in the
>     future
>   - keytab comparison is spelled out more explicitly (keys are
>     compared) and there is an explicit note that krb5 calls don't
>     hurt because the keytab is owned by the sssd user already.
>
> I'll file the per-task tickets now.

ACK. Do you need FreeIPA tickets too? Just file them as well.
--
/ Alexander Bokovoy