Often with AD a Kerberos host keytab is needed to bind with SASL/GSSAPI for LDAP operations. On many sites security policies do not allow never-expiring passwords, so the keytab needs to be renewed eventually, currently requiring manual steps to obtain a new keytab.
SSSD should support automated renewal of Kerberos host keytabs as Samba/Winbind does.
I suggest putting this into deferred or close it, since it is being planned as an independent project. This project should be completed within a year.
milestone: NEEDS_TRIAGE => SSSD 1.9.0
milestone: SSSD 1.9.0 => SSSD Kerberos improvements
rhbz: => 0
proposed_priority: => Core
rhbz: 0 => todo
summary: RFE: Support Automatic Renewing of Kerberos Host Keytabs => [RFE] Support Automatic Renewing of Kerberos Host Keytabs
Moving all the features planned for 1.10 release into 1.10 beta.
milestone: SSSD Kerberos Improvements Feature => SSSD 1.10 beta
priority: major => critical
A couple of notes, though, based on the discussion we had about Ondrej's project:
1. The code of the project should be integrated into the SSSD code base
2. Instead of threads it should follow the same tevent style as everything else
3. It should work against MIT KDC, IPA or AD. To do that it should use the Kerberos protocol rather than an LDAP extended operation.
Please add if I missed something.
Also see https://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx?Redirected=true for more details.
cc: => okos
Additional comments based on my notes:
One other use case came up on the list: https://www.redhat.com/archives/freeipa-devel/2012-September/msg00279.html
It should be possible to point SSSD to a keytab that is for the service and not for the host.
SSSD should be able to rotate it even if it is not configured for other uses. Effectively this means that this functionality should be treated as a separately installable RPM.
Also when the keytab is rotated we should probably restart GSS proxy if it is configured and running.
owner: somebody => okos
status: new => assigned
design_review: => 0
selected: => May
priority: critical => major
Also needs to keep the previous keytabs.
review: => 1
milestone: SSSD 1.10 beta => SSSD 1.11 beta
owner: okos => somebody
status: assigned => new
milestone: SSSD 1.12 beta => Interim Bucket
milestone: Interim Bucket => SSSD 1.12 beta
milestone: SSSD 1.12 beta => SSSD 1.13 beta
mark: => 0
Still makes sense, but still out of scope.
milestone: SSSD 1.13 beta => SSSD 1.13 backlog
In ticket #2220, Sumit proposed using msktutil for that:
msktutil https://code.google.com/p/msktutil/ is a tool for managing keytabs
and computer accounts from AD. We might want to integrate it for keytab renewals
like we use nsupdate for dynamic DNS updates.
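The RFE above asks SSSD to renew the host keytab before the account password policy expires it, and the msktutil note suggests driving an external tool for the renewal itself. Until that exists, an administrator can at least detect a keytab that is about to age out. The script below is an added example, not SSSD or msktutil code: it parses `klist -kt` output, finds the timestamp of the newest key, and decides whether the keytab is older than the site's password-rotation limit. It assumes GNU `date -d` for timestamp parsing, the `MM/DD/YYYY HH:MM:SS` timestamp layout of MIT klist, and a constructed sample keytab listing; the renewal command is left as a hook the admin fills in.

```shell
#!/bin/sh
# Added example: detect a host keytab whose newest key is older than the
# site's computer-account password policy. Not part of SSSD.

# Constructed sample of `klist -kt /etc/krb5.keytab` output (not real data):
# kvno 2 is the previous key, kvno 3 is the current one, set on 2015-01-15.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/10/2014 09:01:12 host/client.example.com@EXAMPLE.COM
   3 01/15/2015 10:22:31 host/client.example.com@EXAMPLE.COM
   3 01/15/2015 10:22:31 host/client.example.com@EXAMPLE.COM'

# Timezone used to interpret klist timestamps. Real klist output is in local
# time; the sample is pinned to UTC so the numbers below are reproducible.
KLIST_TZ="${KLIST_TZ:-UTC}"

# newest_key_epoch: read klist -kt output on stdin, print the epoch seconds of
# the most recent key entry. Only lines whose first field is a numeric KVNO
# are considered, so header lines are skipped regardless of their wording.
newest_key_epoch() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $2 " " $3 }' |
    while read -r d t; do
        TZ="$KLIST_TZ" date -d "$d $t" +%s   # GNU date assumed
    done | sort -n | tail -n 1
}

# keytab_age_days NOW_EPOCH: read klist output on stdin, print the age in whole
# days of the newest key relative to NOW_EPOCH. Fails if no key was found.
keytab_age_days() {
    newest=$(newest_key_epoch)
    [ -n "$newest" ] || return 1
    echo $(( ($1 - newest) / 86400 ))
}

# keytab_needs_renewal MAX_DAYS NOW_EPOCH: succeed (exit 0) when the newest key
# is MAX_DAYS old or older, i.e. when the policy would soon reject it.
keytab_needs_renewal() {
    age=$(keytab_age_days "$2") || return 2
    [ "$age" -ge "$1" ]
}

# check_keytab_file KEYTAB MAX_DAYS: run the check against a real keytab file.
# Not called here so the script runs without a keytab present.
check_keytab_file() {
    klist -kt "$1" | keytab_needs_renewal "$2" "$(date +%s)"
}

# RENEW_CMD is a hook the administrator sets (assumption, not executed here);
# whatever it is, restart gss-proxy afterwards if it is running, as the ticket
# notes, so it picks up the new key.
RENEW_CMD="${RENEW_CMD:-}"

# Demonstration on the constructed sample, with "now" fixed at
# 2015-02-24 10:22:31 UTC, 40 days after the newest key.
NOW=1424773351
printf 'sample keytab: newest key is %s days old\n' \
    "$(printf '%s\n' "$SAMPLE_KLIST" | keytab_age_days "$NOW")"
if printf '%s\n' "$SAMPLE_KLIST" | keytab_needs_renewal 30 "$NOW"; then
    echo "sample keytab: renewal needed under a 30-day policy"
fi
```

Run from cron with `check_keytab_file /etc/krb5.keytab 30 && $RENEW_CMD` to get the scheduled behaviour the ticket describes; the previous key stays in the keytab (older kvno entries are never removed by this script), which matches the note above about keeping previous keytabs so tickets issued under the old key still validate.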
Mass-moving tickets not planned for the 1.13 release to 1.14
milestone: SSSD 1.13 backlog => SSSD 1.14 beta
Looks like development is currently happening on SourceForge: http://sourceforge.net/projects/msktutil/
I created a copr repo with a recent version of msktutil at https://copr.fedoraproject.org/coprs/sbose/msktutil/
sensitive: => 0
cc: okos =>
milestone: SSSD 1.14 beta => SSSD 1.13.4
owner: somebody => sbose
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1290761
rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=1290761 1290761]
patch: 0 => 1
resolution: => fixed
status: new => closed
Metadata Update from @myllynen:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.4