SSSD / sssd

Clone

614057e krb5: disable enterprise principals during password changes

1 file Authored by sbose 7 years ago, Committed by jhrozek 7 years ago,
raw patch tree parent
1 file changed. 2 lines added. 1 lines removed.
src/providers/krb5/krb5_child_handler.c
file modified
+2 -1 
    krb5: disable enterprise principals during password changes
    
    Currently using enterprise principals during password changes does not
    work reliable.
    
    First there is a special behavior if canonicalization, which in general
    should be used together with enterprise principals, is enabled with AD,
    see https://pagure.io/SSSD/sssd/issue/1405 and
    https://pagure.io/SSSD/sssd/issue/1615 for details. As a result of this
    SSSD currently disables canonicalization during password changes.
    
    Additionally it looks like MIT Kerberos does not handle canonicalized
    principals well, even if canonicalization is enabled, if not the default
    krbtgt/REALM@REALM but kadmin/changepw@REALM is requested. Since it is
    currently not clear what is the expected behavior here it make sense to
    completely disable enterprise principals during password changes for the
    time being.
    
    Resolves https://pagure.io/SSSD/sssd/issue/3426
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
file modified
+2 -1
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.