This came up on sssd-devel when discussing one-way trust design. I'm pasting the discussion below:
Another thing to remember is a potential need to limit enctypes you'd be requesting because camellia ciphers are not known to AD and might cause issues at some point.
SSSD should not be in the business of creating keytabs, it should only be allowed to retrieve a precreated key, so SSSD shouldn't care about enctypes, it will get only those that the FreeIPA code stored in the key in LDAP.
So this means ipasam needs to limit enctypes when asking for the keys.
One more message in the thread, by Simo:
Yes, it should only ask for enctypes that the AD server on the other side understands, but only for good measure. The key used is always determined by the KDC (AD in this case), so having additional keys in the keytab is not a problem. A problem would rather be to miss enctypes, as the KDC could decide to encode a ticket/TGT in one of the missing enctypes then and we would not be able to decrypt.
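The point made in the thread (extra keys are harmless, missing enctypes break decryption) can be checked against a retrieved keytab. The following is an added example, not code from SSSD or FreeIPA: it parses the MIT keytab file format and compares the enctypes it finds with a peer set. The `AD_ENCTYPES` set, the realm names and the sample keytab are assumptions constructed for illustration.

```python
import struct

# Enctype numbers as assigned in the IANA Kerberos registry.
NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
         23: "rc4-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}
# Assumption: enctypes the AD KDC may pick; set this from the real domain policy.
AD_ENCTYPES = {17, 18, 23}

def keytab_enctypes(data):
    """Return the enctype numbers stored in an MIT keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                # zero length: nothing further to read
            break
        if size < 0:                 # negative length marks a deleted entry
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p = pos + 2
        for _ in range(ncomp + 1):   # realm, then each name component
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
        p += 4 + 4 + 1               # name type, timestamp, 8-bit kvno
        found.add(struct.unpack_from(">H", data, p)[0])
        pos += size
    return found

def audit(data, peer=AD_ENCTYPES):
    """missing: the KDC could issue a ticket we cannot decrypt; extra: unused keys."""
    have = keytab_enctypes(data)
    label = lambda s: [NAMES.get(e, str(e)) for e in sorted(s)]
    return {"missing": label(peer - have), "extra": label(have - peer)}

def make_entry(etype, realm=b"AD.EXAMPLE", comps=(b"krbtgt", b"IPA.EXAMPLE")):
    """Build one constructed keytab entry with a placeholder all-zero key."""
    body = struct.pack(">H", len(comps))
    for part in (realm, *comps):
        body += struct.pack(">H", len(part)) + part
    body += struct.pack(">IIBHH", 1, 0, 1, etype, 16) + bytes(16)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a deleted slot, then aes256 plus both camellia keys.
SAMPLE = (b"\x05\x02" + struct.pack(">i", -8) + bytes(8)
          + make_entry(18) + make_entry(25) + make_entry(26))
```

Calling `audit(SAMPLE)` reports the camellia keys as extra and aes128/rc4 as missing relative to the assumed peer set.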
Sorry, I meant to file this ticket in the freeipa trac..
resolution: => invalid
status: new => closed
Metadata Update from @jhrozek: - Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/3681
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.