#957 [RFE] Add support to request canonicalization on krb AS requests
Closed: Fixed. Opened 9 years ago by simo.

We should add support to set the canonicalization option with krb5_get_init_creds_opt_set_canonicalize() when asking for a TGT.

We should do that both in get_and_save_tgt_with_keytab() and probably krb5_child_setup().


This should be made available as an option in sssd.conf, defaulting to enabled in the ipa provider. Due to compatibility issues with older servers, it needs to default to false in the krb5 provider.

component: SSSD => Kerberos Provider
milestone: NEEDS_TRIAGE => SSSD 1.7.0
owner: somebody => sgallagh
priority: major => blocker

Fields changed

summary: Add support to request canonicalization on krb AS requests => [RFE] Add support to request canonicalization on krb AS requests
type: defect => enhancement

Fields changed

owner: sgallagh => jzeleny
status: new => assigned

Fields changed

patch: 0 => 1

Simo, does this change need to be implemented in LDAP provider as well?

Replying to [comment:5 jzeleny]:

> Simo, does this change need to be implemented in LDAP provider as well?

For initialization of the credentials we have in the keytab?
We might but it is not critical. We generally have the canonicalized name in the keytab anyway. But it wouldn't hurt.

Fixed by:
- 20c1873
- 7dfc761
- ed80a7f

resolution: => fixed
status: assigned => closed

Metadata Update from @simo:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.7.0

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1999

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
