freeipa

Clone
Source Code
GIT

d7f91dc oddjob: avoid chown keytab to sssd if sssd user does not exist

1 file Authored by abbra 8 years ago, Committed by tbabej 8 years ago,
raw patch tree parent
1 file changed. 7 lines added. 2 lines removed.
install/oddjob/com.redhat.idm.trust-fetch-domains
file modified
+7 -2 
    oddjob: avoid chown keytab to sssd if sssd user does not exist
    
    If sssd user does not exist, it means SSSD does not run as sssd user.
    
    Currently SSSD has too tight check for keytab permissions and ownership.
    It assumes the keytab has to be owned by the same user it runs under
    and has to have 0600 permissions. ipa-getkeytab creates the file with
    right permissions and 'root:root' ownership.
    
    Jakub Hrozek promised to enhance SSSD keytab permissions check so that
    both sssd:sssd and root:root ownership is possible and then when SSSD
    switches to 'sssd' user, the former becomes the default. Since right now
    SSSD 1.13 is capable to run as 'sssd' user but doesn't create 'sssd'
    user in Fedora 22 / RHEL 7 environments, we can use its presence as a
    version trigger.
    
    https://fedorahosted.org/freeipa/ticket/5136
    
    Reviewed-By: Tomas Babej <tbabej@redhat.com>
file modified
+7 -2
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.