The Kerberos library provides a number of functions to set different options. SSSD should add new Kerberos provider options that allow setting these options where it makes sense. This ticket tracks the task to investigate these options.
This is the full list of krb5_get_init_creds_opt_set_* functions in krb5 1.9.1:
- krb5_get_init_creds_opt_set_address_list
- krb5_get_init_creds_opt_set_anonymous
- krb5_get_init_creds_opt_set_canonicalize
- krb5_get_init_creds_opt_set_change_password_prompt
- krb5_get_init_creds_opt_set_etype_list
- krb5_get_init_creds_opt_set_expire_callback
- krb5_get_init_creds_opt_set_fast_ccache
- krb5_get_init_creds_opt_set_fast_ccache_name
- krb5_get_init_creds_opt_set_fast_flags
- krb5_get_init_creds_opt_set_forwardable
- krb5_get_init_creds_opt_set_out_ccache
- krb5_get_init_creds_opt_set_pa
- krb5_get_init_creds_opt_set_preauth_list
- krb5_get_init_creds_opt_set_proxiable
- krb5_get_init_creds_opt_set_renew_life
- krb5_get_init_creds_opt_set_salt
- krb5_get_init_creds_opt_set_tkt_life
I will create individual tickets for new options that SSSD should get.
krb5_get_init_creds_opt_set_canonicalize is already being tracked in ticket #957.
We are already using the following options:
- krb5_get_init_creds_opt_set_renew_life
- krb5_get_init_creds_opt_set_fast_ccache_name
- krb5_get_init_creds_opt_set_fast_flags
- krb5_get_init_creds_opt_set_expire_callback
- krb5_get_init_creds_opt_set_tkt_life
I don't think it makes sense to implement the following options in SSSD:
- krb5_get_init_creds_opt_set_change_password_prompt - handled by SSSD itself
- krb5_get_init_creds_opt_set_out_ccache - functionality provided by krb5_ccachedir and krb5_ccname_template options
- krb5_get_init_creds_opt_set_etype_list - this seems like something that should be set globally in /etc/krb5.conf
- krb5_get_init_creds_opt_set_preauth_list - this seems like something that should be set globally in /etc/krb5.conf
- krb5_get_init_creds_opt_set_salt - currently seems not to be used anywhere in krb5 1.9. Moreover this seems like something that should be set globally in /etc/krb5.conf
- krb5_get_init_creds_opt_set_fast_ccache - this seems to be used in kpasswd code only in 1.9.
So far it seems we might want to add these options:
- krb5_get_init_creds_opt_set_address_list
- krb5_get_init_creds_opt_set_anonymous
- krb5_get_init_creds_opt_set_forwardable
- krb5_get_init_creds_opt_set_proxiable
- krb5_get_init_creds_opt_set_pa
Fields changed
type: defect => task
Nalin, does the above seem sane to you? Did I miss anything SSSD might benefit from (or vice versa)?
cc: => nalin
owner: somebody => jhrozek
status: new => assigned
milestone: NEEDS_TRIAGE => SSSD 1.7.0
Nalin provided his valuable feedback via email.
He advised on skipping the krb5_get_init_creds_opt_set_anonymous option as we probably won't be requesting it.
The krb5_get_init_creds_opt_set_pa would be required when we support PKINIT as the location of the client's PKI credentials is specified that way.
That means we should add the following options:
- krb5_get_init_creds_opt_set_preauth_list - ticket #997
- krb5_get_init_creds_opt_set_address_list - ticket #998
- krb5_get_init_creds_opt_set_forwardable - ticket #999
- krb5_get_init_creds_opt_set_proxiable - ticket #1000
- krb5_get_init_creds_opt_set_out_ccache - ticket #1001
Because each of the new options is now being tracked in a separate ticket, I'm closing this task.
resolution: => fixed
status: assigned => closed
rhbz: => 0
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.7.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2010
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.