#1906 Investigate the check for principal equality in krb5_auth.c
Closed: Invalid None Opened 6 years ago by jhrozek.

The Kerberos authentication code checks if the principal the krb5_child returns is the same as the authentication code would expect, typically in the form of user@REALM. However, this may break in cases enterprise principals are used. The current code works around the check by only enabling it when the enterprise principals are off, but we should investigate a better way.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta
rhbz: => 0

Fields changed

milestone: SSSD 1.10 beta => SSSD 1.10.0

Fields changed

milestone: SSSD 1.10.0 => SSSD 1.10.1

Moving tickets that didn't make 1.10.1 to the 1.10.2 bucket.

Moving tickets that didn't make 1.10.1 to 1.10.2

milestone: SSSD 1.10.1 => SSSD 1.10.2

The check was amended in several patches including b2d7810 or 42084c0. We are not aware of any other issues related to the check for UPN correctness, so it's OK to close this ticket.

changelog: =>
resolution: => worksforme
status: new => closed

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.10.2

2 years ago

Login to comment on this ticket.