Sumit and Alexander, thank you for replies!

> Why do you need to add some NetBIOS information?

There is a proprietary audit software for Windows DCs that hijacks
information about user login/logoff, and to register that a user logged in
it requires the NetBIOS workstation name to be present in the ticket.
winbind does it and it works fine with this software (as it mimics
Windows behavior).

Also, as Alexander mentioned, Samba DCs use it too, so it looks like it is
a reasonable addition to sssd.

And I thought that if I'm implementing NetBIOS names, then not adding
support for IP addresses would be strange (the same structure is used for
both), as it can be useful for restricting ticket usage on the network.

> But if you need lots of extra processing then it might be easier to call
> `getifaddrs()` from krb5_child and do the processing directly.

There isn't much processing, it filters out loopback/link-local
addresses and two protocol versions. I will try to reuse
check_ipv4_addr/check_ipv6_addr as they do what I implemented myself
and can be configured by flags.

I've checked sss_iface_addr_list_get again and it is constrained by a
fixed filter (check_for_dns) and needs a network interface name. It can
be reworked to be universal and maybe accept a filtering function (like
check_for_dns) in its arguments.
I don't think it is viable, at least for now, to make a universal
function for getting addresses. Only dyndns is using this function now.

> Afaik nobody asked about proxy ticket until now

That's good, because the addresses list changes its function as it becomes
a proxy (but maybe that happens on the KDC when it sends it to the service,
not on the client side). I've yet to find someone/something that uses them.

> Not sure if this answers your questions but in `make_chpw_options()`
> in the MIT Kerberos source code the
> KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST flag is unset.

It makes a copy of the options (k5_gic_opt_shallow_copy), so it shouldn't
rewrite the options that were passed initially. I couldn't find the exact
place where addresses from the options become addresses in krb5_creds,
but it seems that somewhere it is not copied and uses the same pointer.
And then it is deallocated by krb5_free_cred_contents inside
krb5_get_init_creds_password. So I think that because
k5_gic_opt_shallow_copy reuses the address_list pointer it is also carried
somewhere to the credentials. I'll check that theory and report back.

Removing only a flag isn't a problem, especially in a copy, but the
addresses list needs to be created again in the initial options.

-- 
Ivan Korytov

[email protected]

-- 
_______________________________________________
sssd-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue