On Thu, Aug 06, 2015 at 12:46:09PM +0200, Jakub Hrozek wrote:
> On Thu, Aug 06, 2015 at 12:23:47PM +0200, Pavel Březina wrote:
> > On 08/04/2015 06:18 PM, Jakub Hrozek wrote:
> > >On Tue, Aug 04, 2015 at 10:17:58AM +0300, Alexander Bokovoy wrote:
> > >>On Mon, 03 Aug 2015, Christian Heimes wrote:
> > >>>On 2015-07-31 18:19, Sumit Bose wrote:
> > >>>>On Fri, Jul 31, 2015 at 11:34:23AM +0200, Sumit Bose wrote:
> > >>>>>Hi,
> > >>>>>
> > >>>>>it turned out that some of the current SSSD behaviour does not fit well
> > >>>>>if a KDC proxy is configured, see
> > >>>>>https://fedorahosted.org/sssd/ticket/2652 and
> > >>>>>https://fedorahosted.org/sssd/ticket/2700 for details.
> > >>>>>
> > >>>>>The first patch in this series introduces a new call which checks if a
> > >>>>>KDC proxy is configured as suggested in the tickets. The other two
> > >>>>>patches aim to fix the respective ticket.
> > >>>>>
> > >>>>>bye,
> > >>>>>Sumit
> > >>>>
> > >>>>Please find attached a new version of the patches. They fix a memory
> > >>>>leak found by Christian in the first patch and contain a different
> > >>>>version of the third patch because the original version didn't fix the
> > >>>>issue Alexander was seeing. There is only a minor change compared to the
> > >>>>version Alexander tested, krb5.conf is not checked unconditionally but
> > >>>>only if the state is offline.
> > >>>>
> > >>>>There was another comment by Christian on IRC. Currently the patches
> > >>>>only check the kdc config entry. In theory it would be possible that for
> > >>>>the kdc a direct connection is used while the admin_server is configured
> > >>>>via a proxy. Since this is expected to be an uncommon configuration I
> > >>>>hope it can be added later. To solve this I think
> > >>>>sss_krb5_realm_has_proxy() should get a second option indicating if kdc
> > >>>>or admin_server should be checked. Depending on the type of request,
> > >>>>(pre-)auth or change password, or info file, kdcinfo or kpasswdinfo,
> > >>>>sss_krb5_realm_has_proxy() should be called with the matching option.
> > >>>
> > >>>sss_krb5_realm_has_proxy() looks good to me. IMHO it's fine to just
> > >>>check kdc for https for now.
> > >>I agree.
> > >>
> > >>I would start with this patchset and then improve on it sequentially.
> > >
> > >I would like to squash these changes to the first patch since Sumit is
> > 
> > Go ahead. But it looks like there is some indentation error?
> 
> Thanks, must be tabs-vs-spaces.

* master:
    * 67c68b563e1afc409aeadbcc828f9bdf33c57c84
    * 05ed6a29cbd3cbec177364487a2afeade51d6546
    * 7bb9ba8688ec1ca930d693eea05e936bc38f6d1b
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
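
The check discussed in the thread (does the realm's kdc entry, or alternatively its admin_server entry, point at an https:// URL?), as an added example that is not SSSD's code and not part of the original messages. realm_has_proxy(), the sample krb5.conf and its host names are constructed for illustration, and the minimal line parser assumes one entry per line.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample krb5.conf: kdc is proxied, admin_server is direct. */
static const char SAMPLE_CONF[] =
    "[libdefaults]\n default_realm = EXAMPLE.COM\n"
    "[realms]\n"
    " EXAMPLE.COM = {\n"
    "  kdc = https://proxy.example.com/KdcProxy\n"
    "  admin_server = kerberos.example.com\n"
    " }\n"
    " DIRECT.TEST = {\n  kdc = kdc.direct.test:88\n }\n";

/* Hypothetical helper: does `key` of `realm` in [realms] have an https:// value? */
bool realm_has_proxy(const char *conf, const char *realm, const char *key)
{
    bool in_realms = false, in_realm = false;
    char line[256], name[128], value[128];
    for (const char *p = conf; *p != '\0'; ) {
        size_t len = strcspn(p, "\n");
        snprintf(line, sizeof(line), "%.*s", (int)len, p); /* copy one line */
        p += len + (p[len] == '\n');
        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        if (*s == '[') {                       /* section header */
            in_realms = strncmp(s, "[realms]", 8) == 0;
            in_realm = false;
        } else if (!in_realms || *s == '#' || *s == ';') {
            continue;                          /* other section or comment */
        } else if (*s == '}') {
            in_realm = false;                  /* end of a realm block */
        } else if (sscanf(s, "%127[^ \t=] = %127s", name, value) == 2) {
            if (strcmp(value, "{") == 0)       /* "REALM = {" opens a block */
                in_realm = strcmp(name, realm) == 0;
            else if (in_realm && strcmp(name, key) == 0 &&
                     strncmp(value, "https://", 8) == 0)
                return true;
        }
    }
    return false;
}

int main(void)
{
    printf("kdc proxied: %d\n", realm_has_proxy(SAMPLE_CONF, "EXAMPLE.COM", "kdc"));
    return 0;
}
```

Passing "admin_server" as the key covers the mixed configuration mentioned in the thread, where the kdc is reached directly and only the admin_server goes through a proxy, or the reverse as in the sample.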
