#2184 Add per-service option to tell if the service wants a PAC and of what type
Status: Closed (Fixed). Opened 12 years ago by simo.

Some services may not want a PAC, so we should not go through the burden of filtering/transforming/signing a PAC if none is desired.

We should add an option attached to service principals that tells whether we want to attach a PAC and what kind of PAC is preferred (MS-PAC, UNIX-PAC, ...).

This option should be a multi-valued option, where absence means using a default (to be set somewhere in cn=etc). It is multi-valued as some services may even want multiple types (cifs/, when it is a Samba-handled service, may want an MS-PAC, while sssd will still want to snatch the UNIX-PAC out of it by preference).

It may also be possible that we want to mark some as critical and drop non-critical ones if the PAC is too big.


We do not have support for anything but MS-PAC yet, but the architecture would be future-proof.
I am opening a separate ticket for adding support to select the PAD/UNIX-PAC later.
Meanwhile we should implement this feature as described but offer only MS-PAC or NO PAC as options.

Can you expand on what you're looking for here? What is this option going to be added to, the service entry itself? How will this affect upgrades? Will we need/want to add some default value?

Replying to [comment:5 rcritten]:

> Can you expand on what you're looking for here?

A global option and a per-principal option.

> What is this option going to be added to, the service entry itself?

Yes, in most cases this is what will happen; we may want to use groups with CoS though, if it is not too difficult, as I expect people may want to control this in groups.
That said, it would also be fine with me if it were just per machine and we provide a CLI tool to apply it to all machines of a group. It means it wouldn't be dynamic, but that is not a big issue IMO.

> How will this affect upgrades?

It shouldn't: a missing option should imply the default behaviour, which should in turn be backwards compatible in the absence of any global option.

> Will we need/want to add some default value?

Yes, a global one.

We currently don't have service groups.

But if I'm reading this right, you'd be OK using hostgroups and just applying the type to all services of all hosts within a group?

Reopening the ticket.

ipakrbauthzdata is currently being filled by default for all new services. As discussed with simo and rcritten, this is an intended behavior. ipakrbauthzdata in services should only serve as an override to the value configured in the IPA config (config-mod), i.e. we should not fill it automatically for new services, to allow seamless expansion of the supported PAC types.

Patch freeipa-mkosek-320-only-use-service-pac-type-as-an-override.patch sent for review
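A small resolver for the override semantics described in this comment and in the ticket description (a value on the service entry overrides the global config value, absence falls through to the global default, and a "no PAC" value means the KDC skips PAC work for that service). This is an added illustration, not FreeIPA code and not part of the patch above. Assumptions not taken from the ticket: directory entries are modelled as dicts of attribute name to value list, the literal "NONE" means "attach no PAC", "PAD" names the UNIX PAC the ticket mentions, the backwards-compatible default when nothing is configured anywhere is MS-PAC, and the sample entries are constructed.

```python
"""Resolve the effective PAC types for a Kerberos service principal.

Added illustration of the override semantics discussed in this ticket; this is
not FreeIPA code. Assumptions (not from the ticket): directory entries are
modelled as dicts of attribute name -> list of values, "NONE" is the literal
meaning "attach no PAC", "PAD" names the UNIX PAC, and the pre-feature
behaviour (what a service with no setting anywhere gets) is MS-PAC.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

PAC_ATTR = "ipakrbauthzdata"   # attribute named in the ticket
NO_PAC = "NONE"                # assumed literal for "no PAC"
LEGACY_DEFAULT = ["MS-PAC"]    # assumed backwards-compatible default
SUPPORTED = {"MS-PAC"}         # only MS-PAC is implemented per the ticket


def requested_pac_types(service: Entry, config: Entry) -> List[str]:
    """Return the PAC types requested for ``service``.

    Override rules:
      1. a value on the service entry replaces the global value entirely
         (it is an override, not a merge);
      2. no value on the service falls through to the IPA config entry;
      3. no value anywhere keeps the legacy behaviour (MS-PAC);
      4. NONE means "no PAC" and may not be combined with real PAC types.
    """
    for entry in (service, config):
        values = [v.strip() for v in entry.get(PAC_ATTR, []) if v.strip()]
        if values:
            break
    else:
        values = list(LEGACY_DEFAULT)

    if NO_PAC in values:
        if len(values) > 1:
            raise ValueError(
                f"{NO_PAC} cannot be combined with other PAC types: {values}")
        return []
    # multi-valued attribute: drop duplicates, keep first-seen order
    return list(dict.fromkeys(values))


def plan_pac(service: Entry, config: Entry) -> Tuple[List[str], List[str]]:
    """Split the requested types into (generate, skipped).

    Types the KDC cannot build yet are skipped rather than rejected, so an
    admin can configure a type ahead of support without breaking ticket
    issuance; a real KDC would log the skipped list.
    """
    wanted = requested_pac_types(service, config)
    return ([t for t in wanted if t in SUPPORTED],
            [t for t in wanted if t not in SUPPORTED])


# Constructed sample entries (not real directory data).
GLOBAL_CONFIG: Entry = {"cn": ["ipaConfig"], PAC_ATTR: ["MS-PAC"]}
SERVICES: Dict[str, Entry] = {
    # no per-service value: inherits the global setting
    "HTTP/web.example.test": {"krbprincipalname": ["HTTP/web.example.test"]},
    # explicit opt-out: no PAC work for this service at all
    "ldap/ds.example.test": {PAC_ATTR: [NO_PAC]},
    # Samba-managed cifs/: wants the MS-PAC plus a UNIX PAC (not yet supported)
    "cifs/fs.example.test": {PAC_ATTR: ["MS-PAC", "PAD"]},
}


def main() -> None:
    for principal, entry in SERVICES.items():
        generate, skipped = plan_pac(entry, GLOBAL_CONFIG)
        print(f"{principal:28} attach={generate or 'none'} skipped={skipped}")


if __name__ == "__main__":
    main()
```

The resolver deliberately treats the service value as a full replacement rather than a merge: that is what makes leaving the attribute empty on new services safe, since a later change to the global default reaches every service that has not opted out or overridden it.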

Metadata Update from @simo (7 years ago):
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 RC2
