#1405 [RFE] Kerberos canonicalization should be skipped on password-changes in AD provider
Closed: Duplicate. Opened 7 years ago by sgallagh.

Active Directory 2008 R2 has a bug where it will return bad data if a password-change operation is performed with the 'canonicalize' option specified.

We need to handle this appropriately.

The current behavior in the AD provider is to disable canonicalization by default to avoid this issue. SSSD treats this option as global for both auth and chpass operations. This will need to be adjusted as well to address this issue.


Fields changed

milestone: NEEDS_TRIAGE => SSSD Kerberos Improvements Feature

Fields changed

rhbz: => todo

When we do this, we should take some additional cues from kpasswd: explicitly disabling the forwardable and proxiable flags (in case they're enabled by default in /etc/krb5.conf), setting the renewable lifetime to 0, and requesting a short ticket lifetime (kpasswd uses 5 minutes).

proposed_priority: => Undefined
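The description notes that SSSD applies `krb5_canonicalize` globally to both auth and chpass, and the comment above lists the flags kpasswd pins for its `kadmin/changepw` request. The following is an added example, not SSSD's or MIT krb5's code: it reads a constructed `[libdefaults]` fragment the way libkrb5 would (MIT's documented defaults assumed where a key is absent), derives the option set for an ordinary authentication and for a password change, and renders the equivalent `kinit` command line so the two requests can be reproduced by hand against a DC. The class and function names, the sample krb5.conf and the principal `user@EXAMPLE.COM` are all hypothetical.

```python
"""Per-operation Kerberos init-creds options for an AD-provider client.

Added example (not SSSD's code): it models the behaviour this ticket asks
for.  The [libdefaults] section of krb5.conf governs the ordinary
authentication request, while the password-change request pins the options
kpasswd pins (no canonicalization, not forwardable, not proxiable, renewable
lifetime 0, 5-minute ticket lifetime) regardless of what krb5.conf says.
"""
import re
from configparser import ConfigParser
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed krb5.conf fragment (only [libdefaults]; the brace-nested
# [realms] syntax is not modelled).  Every one of these site-wide settings
# would leak into a kadmin/changepw request if applied globally.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    canonicalize = true
    forwardable = true
    proxiable = true
    ticket_lifetime = 10h
    renew_lifetime = 7d
"""

CHPASS_SERVICE = "kadmin/changepw"   # in_tkt_service for a password change
KPASSWD_TKT_LIFE = 5 * 60            # kpasswd asks for a 5-minute ticket

# MIT krb5 duration syntax: "NdNhNmNs" (any subset; a bare number is seconds)
_DURATION_RE = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s?)?")


def parse_krb5_duration(text: str) -> int:
    """Convert a krb5 duration ("7d", "10h", "5m", "90", "1:30[:00]") to seconds."""
    text = text.strip()
    if not text:
        raise ValueError("empty duration")
    if ":" in text:                               # h:m or h:m:s form
        parts = [int(p) for p in text.split(":")]
        if len(parts) not in (2, 3):
            raise ValueError(f"bad duration: {text!r}")
        hours, minutes, seconds = (parts + [0])[:3]
        return hours * 3600 + minutes * 60 + seconds
    m = _DURATION_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"bad duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


@dataclass(frozen=True)
class InitCredsOptions:
    """The krb5_get_init_creds_opt fields this ticket is concerned with."""
    canonicalize: bool
    forwardable: bool
    proxiable: bool
    renew_life: int              # seconds; 0 means "not renewable"
    tkt_life: int                # seconds
    service: Optional[str]       # in_tkt_service; None requests a plain TGT


def load_libdefaults(conf_text: str) -> InitCredsOptions:
    """Read the site-wide defaults; fallbacks follow MIT krb5's documented defaults."""
    cp = ConfigParser()
    cp.read_string(conf_text)
    sec = cp["libdefaults"]
    return InitCredsOptions(
        canonicalize=sec.getboolean("canonicalize", fallback=False),
        forwardable=sec.getboolean("forwardable", fallback=False),
        proxiable=sec.getboolean("proxiable", fallback=False),
        renew_life=parse_krb5_duration(sec.get("renew_lifetime", "0")),
        tkt_life=parse_krb5_duration(sec.get("ticket_lifetime", "1d")),
        service=None,
    )


def auth_options(defaults: InitCredsOptions,
                 krb5_canonicalize: bool = False) -> InitCredsOptions:
    """Ordinary authentication: honour krb5.conf, with canonicalization taken
    from SSSD's own krb5_canonicalize option (off by default in the AD provider)."""
    return replace(defaults, canonicalize=krb5_canonicalize, service=None)


def chpass_options() -> InitCredsOptions:
    """Password change: pin what kpasswd pins.  krb5.conf is deliberately not
    consulted, so a global canonicalize/forwardable/proxiable cannot leak in."""
    return InitCredsOptions(
        canonicalize=False, forwardable=False, proxiable=False,
        renew_life=0, tkt_life=KPASSWD_TKT_LIFE, service=CHPASS_SERVICE,
    )


def kinit_argv(opts: InitCredsOptions, principal: str) -> List[str]:
    """Equivalent MIT kinit command line, for reproducing the request by hand."""
    argv = ["kinit",
            "-f" if opts.forwardable else "-F",
            "-p" if opts.proxiable else "-P"]
    if opts.canonicalize:
        argv.append("-C")
    argv += ["-r", f"{opts.renew_life}s", "-l", f"{opts.tkt_life}s"]
    if opts.service:
        argv += ["-S", opts.service]
    argv.append(principal)
    return argv


if __name__ == "__main__":
    site = load_libdefaults(SAMPLE_KRB5_CONF)
    for label, opts in (("auth", auth_options(site)), ("chpass", chpass_options())):
        print(label, opts)
        print("   ", " ".join(kinit_argv(opts, "user@EXAMPLE.COM")))
```

With the sample config the auth request inherits `forwardable`, `proxiable`, a 10-hour ticket and a 7-day renewable life from krb5.conf, while the chpass request comes out as `kinit -F -P -r 0s -l 300s -S kadmin/changepw user@EXAMPLE.COM` no matter what the site has enabled globally, which is the per-operation split the ticket asks for.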

Fields changed

proposed_priority: Undefined => Core

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: SSSD Kerberos Improvements Feature => SSSD 1.10 beta

Fields changed

priority: minor => critical

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
summary: Kerberos canonicalization should be skipped on password-changes in AD provider => [RFE] Kerberos canonicalization should be skipped on password-changes in AD provider

Will be handled together with https://fedorahosted.org/sssd/ticket/1615 .

resolution: => duplicate
status: new => closed

Fields changed

rhbz: todo => 0

For tickets already closed set the field to "Want"

selected: => Want

Metadata Update from @sgallagh:
- Issue set to the milestone: SSSD 1.10 beta

2 years ago
