#968 Investigate adding new options to the Kerberos provider
Closed: Fixed. Opened 9 years ago by jhrozek.

The Kerberos library provides a number of functions to set different options. SSSD should add new Kerberos provider options that allow setting these options where it makes sense. This ticket tracks the task to investigate these options.

This is the full list of krb5_get_init_creds_opt_set_* functions in krb5 1.9.1:

krb5_get_init_creds_opt_set_address_list
krb5_get_init_creds_opt_set_anonymous
krb5_get_init_creds_opt_set_canonicalize
krb5_get_init_creds_opt_set_change_password_prompt
krb5_get_init_creds_opt_set_etype_list
krb5_get_init_creds_opt_set_expire_callback
krb5_get_init_creds_opt_set_fast_ccache
krb5_get_init_creds_opt_set_fast_ccache_name
krb5_get_init_creds_opt_set_fast_flags
krb5_get_init_creds_opt_set_forwardable
krb5_get_init_creds_opt_set_out_ccache
krb5_get_init_creds_opt_set_pa
krb5_get_init_creds_opt_set_preauth_list
krb5_get_init_creds_opt_set_proxiable
krb5_get_init_creds_opt_set_renew_life
krb5_get_init_creds_opt_set_salt
krb5_get_init_creds_opt_set_tkt_life

I will create individual tickets for new options that SSSD should get.

krb5_get_init_creds_opt_set_canonicalize is already being tracked in ticket #957.

We are already using the following options:
- krb5_get_init_creds_opt_set_renew_life
- krb5_get_init_creds_opt_set_fast_ccache_name
- krb5_get_init_creds_opt_set_fast_flags
- krb5_get_init_creds_opt_set_expire_callback
- krb5_get_init_creds_opt_set_tkt_life

I don't think it makes sense to implement the following options in SSSD:
- krb5_get_init_creds_opt_set_change_password_prompt - handled by SSSD itself
- krb5_get_init_creds_opt_set_out_ccache - functionality provided by krb5_ccachedir and krb5_ccname_template options
- krb5_get_init_creds_opt_set_etype_list - this seems like something that should be set globally in /etc/krb5.conf
- krb5_get_init_creds_opt_set_preauth_list - this seems like something that should be set globally in /etc/krb5.conf
- krb5_get_init_creds_opt_set_salt - currently seems not to be used anywhere in krb5 1.9. Moreover, this seems like something that should be set globally in /etc/krb5.conf
- krb5_get_init_creds_opt_set_fast_ccache - this seems to be used in kpasswd code only in 1.9.

So far it seems we might want to add these options:
- krb5_get_init_creds_opt_set_address_list
- krb5_get_init_creds_opt_set_anonymous
- krb5_get_init_creds_opt_set_forwardable
- krb5_get_init_creds_opt_set_proxiable
- krb5_get_init_creds_opt_set_pa


Fields changed

type: defect => task

Nalin, does the above seem sane to you? Did I miss anything SSSD might benefit from (or vice versa)?

cc: => nalin

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.7.0

Nalin provided his valuable feedback via email.

He advised on skipping the krb5_get_init_creds_opt_set_anonymous option as we probably won't be requesting it.

The krb5_get_init_creds_opt_set_pa would be required when we support PKINIT as the location of the client's PKI credentials is specified that way.

That means we should add the following options:
- krb5_get_init_creds_opt_set_preauth_list - ticket #997
- krb5_get_init_creds_opt_set_address_list - ticket #998
- krb5_get_init_creds_opt_set_forwardable - ticket #999
- krb5_get_init_creds_opt_set_proxiable - ticket #1000
- krb5_get_init_creds_opt_set_out_ccache - ticket #1001

Because each of the new options is now being tracked in a separate ticket, I'm closing this task.

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => 0

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.7.0

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2010

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

