On Thu, Aug 06, 2015 at 12:46:09PM +0200, Jakub Hrozek wrote:
> On Thu, Aug 06, 2015 at 12:23:47PM +0200, Pavel Březina wrote:
> > On 08/04/2015 06:18 PM, Jakub Hrozek wrote:
> > >On Tue, Aug 04, 2015 at 10:17:58AM +0300, Alexander Bokovoy wrote:
> > >>On Mon, 03 Aug 2015, Christian Heimes wrote:
> > >>>On 2015-07-31 18:19, Sumit Bose wrote:
> > >>>>On Fri, Jul 31, 2015 at 11:34:23AM +0200, Sumit Bose wrote:
> > >>>>>Hi,
> > >>>>>
> > >>>>>it turned out that some of the current SSSD behaviour does not fit well
> > >>>>>if a KDC proxy is configured, see
> > >>>>>https://fedorahosted.org/sssd/ticket/2652 and
> > >>>>>https://fedorahosted.org/sssd/ticket/2700 for details.
> > >>>>>
> > >>>>>The first patch in this series introduces a new call which checks if a
> > >>>>>KDC proxy is configured as suggested in the tickets. The other two
> > >>>>>patches aim to fix the respective ticket.
> > >>>>>
> > >>>>>bye,
> > >>>>>Sumit
> > >>>>
> > >>>>Please find attached a new version of the patches. They fix a memory
> > >>>>leak found by Christian in the first patch and contain a different
> > >>>>version of the third patch because the original version didn't fix the
> > >>>>issue Alexander was seeing. There is only a minor change compared to the
> > >>>>version Alexander tested, krb5.conf is not checked unconditionally but
> > >>>>only if the state is offline.
> > >>>>
> > >>>>There was another comment by Christian on irc. Currently the patches
> > >>>>only check the kdc config entry. In theory it would be possible that for
> > >>>>the kdc a direct connection is used while the admin_server is configured
> > >>>>via a proxy. Since this is expected to be an uncommon configuration I
> > >>>>hope it can be added later. To solve this I think
> > >>>>sss_krb5_realm_has_proxy() should get a second option indicating if kdc
> > >>>>or admin_server should be checked. Depending on the type of request,
> > >>>>(pre-)auth or change password, or info file, kdcinfo or kpasswdinfo,
> > >>>>sss_krb5_realm_has_proxy() should be called with the matching option.
> > >>>
> > >>>sss_krb5_realm_has_proxy() looks good to me. IMHO it's fine to just
> > >>>check kdc for https for now.
> > >>I agree.
> > >>
> > >>I would start with this patchset and then improve on it sequentially.
> > >
> > >I would like to squash these changes to the first patch since Sumit is
> >
> > Go ahead. But it looks like there is some indentation error?
>
> Thanks, must be tabs-vs-spaces.

* master:
  * 67c68b563e1afc409aeadbcc828f9bdf33c57c84
  * 05ed6a29cbd3cbec177364487a2afeade51d6546
  * 7bb9ba8688ec1ca930d693eea05e936bc38f6d1b
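
The check proposed in the thread, with a second argument selecting which entry (kdc or admin_server) to inspect, as an added example; it is not part of the original message and is not SSSD's code. The function name, the sample krb5.conf text and the rule that an https:// value marks a proxied entry (MIT krb5's HTTPS proxy syntax) are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: kdc is reached via an HTTPS proxy, admin_server directly. */
static const char SAMPLE_CONF[] =
    "[realms]\n"
    " EXAMPLE.TEST = {\n"
    "  kdc = https://proxy.example.test/KdcProxy\n"
    "  admin_server = kerberos.example.test\n }\n"
    " OTHER.TEST = {\n"
    "  # kdc = https://old.other.test/KdcProxy\n"
    "  kdc = kdc.other.test\n }\n";

/* Hypothetical helper (not SSSD's sss_krb5_realm_has_proxy()): returns 1 if `key`
 * in the [realms] block of `realm` has an https:// value. Includes not followed. */
int realm_entry_uses_proxy(const char *conf, const char *realm, const char *key)
{
    int in_realms = 0, in_realm = 0, depth = 0;
    char line[512], name[128], value[384];
    while (*conf != '\0') {
        size_t len = strcspn(conf, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, conf, n);
        line[n] = '\0';
        conf += len + (conf[len] == '\n');
        char *p = line;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0' || *p == '#' || *p == ';') continue;
        if (*p == '[') {                  /* section header resets state */
            in_realms = strncmp(p, "[realms]", 8) == 0;
            in_realm = depth = 0;
            continue;
        }
        if (!in_realms) continue;
        if (*p == '}') {                  /* closes a realm (or nested) block */
            if (depth > 0 && --depth == 0) in_realm = 0;
            continue;
        }
        if (sscanf(p, "%127[^ \t=] = %383s", name, value) != 2) continue;
        if (value[0] == '{') {            /* "REALM = {" opens a block */
            if (depth++ == 0) in_realm = strcmp(name, realm) == 0;
            continue;
        }
        if (in_realm && depth == 1 && strcmp(name, key) == 0 &&
            strncmp(value, "https://", 8) == 0) return 1;
    }
    return 0;
}
```

With the sample above, the kdc check reports a proxy for EXAMPLE.TEST while the admin_server check does not, which is the mixed configuration the thread defers to a later patch.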