freeipa

Clone
Source Code
GIT

079bbaa Fix ticket checks when using either s4u2proxy or a delegated krbtgt

1 file Authored by simo 12 years ago, Committed by rcritten 12 years ago,
raw patch tree parent
1 file changed. 2 lines added. 2 lines removed.
ipalib/krb_utils.py
file modified
+2 -2 
    Fix ticket checks when using either s4u2proxy or a delegated krbtgt
    
    When using s4u2proxy the only ticket we can access via direct krb5 calls is
    the HTTP/ ticket which was saved in the ccache as evidence ticket.
    This ticket is later used by GSSAPI as evidence to obtain an ldap ticket.
    
    This works by chance, we shouldn't use calls to get_credentials just to
    verify ticket expiration dates, but I realize this is a limitation of the
    current krbV bindings and we have no other way around at the moment.
    
    Checking the HTTP/ ticket will fail in case a krbtgt is fully delegated to
    us. In that case the ccache will contain only a krbtgt, so as a fallback
    we check that.
    
    Checking the ldap/ ticket is never really useful. When s4u2proxy is used,
    trying to check the ldap/ ticket will fail because we do not have it yet
    on the first authentication before a session is estalished, and doing it
    later is not useful.
    
    When we have a krbtgt we could go and grap a ldap/ ticket directy, but
    again that makes little sense. In general all tickets will have the same
    expiration date (which deopends on the original krbtgt) so checking one
    is sufficient.
    
    Fixes: http://fedorahosted.org/freeipa/ticket/2472
file modified
+2 -2
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.