#8405 Don't delegate full TGT in ipa-join
Closed: fixed 3 years ago by rcritten. Opened 3 years ago by rcritten.

Issue

Prior to the addition of S4U2Proxy, IPA used full TGT delegation to handle access control for 389-ds. When this support was added, I think in 3.0.0, the TGT delegation was left in for backwards compatibility.

Those days are past and there is no reason to delegate the full TGT any more.

Steps to Reproduce

  1. ipa-client-install --debug -v
  2. find the ipa-join command in the output

Actual behavior

The TGT is delegated. You can tell because the Negotiate is immense.

Expected behavior

Don't set the curl options to enable delegation.


For reference, here is where the code to explicitly enable it was added in 2.1.0: a1c690c

https://pagure.io/freeipa/issue/1452

master:

  • 28caa22 Don't delegate the TGT in ipa-join

Metadata Update from @rcritten:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
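
An added check for the symptom in this ticket's "Actual behavior" (an oversized Negotiate header); it is not part of the ticket or of FreeIPA's code. It measures every Negotiate token in captured debug output. The `> Header: value` line format, the 4096-byte threshold and the sample request are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Assumed format: verbose HTTP client output echoes request headers on one line.
NEGOTIATE_RE = re.compile(
    r"Authorization:\s*Negotiate\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# Hypothetical threshold: calibrate it against a request known not to delegate.
DEFAULT_MAX_TOKEN_BYTES = 4096


def negotiate_token_sizes(debug_output):
    """Return the decoded byte length of each Negotiate token found."""
    sizes = []
    for match in NEGOTIATE_RE.finditer(debug_output):
        try:
            token = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # truncated or line-wrapped header: cannot be measured
        sizes.append(len(token))
    return sizes


def oversized_tokens(debug_output, max_bytes=DEFAULT_MAX_TOKEN_BYTES):
    """Return the sizes that exceed the threshold, i.e. worth investigating."""
    return [n for n in negotiate_token_sizes(debug_output) if n > max_bytes]


def constructed_debug_output():
    """Constructed sample: one ordinary-sized token and one very large one."""
    small = base64.b64encode(b"\x60" + bytes(899)).decode()
    large = base64.b64encode(b"\x60" + bytes(8999)).decode()
    return (
        "> POST /placeholder HTTP/1.1\n"
        f"> Authorization: Negotiate {small}\n"
        "> POST /placeholder HTTP/1.1\n"
        f"> Authorization: Negotiate {large}\n"
    )


if __name__ == "__main__":
    sample = constructed_debug_output()
    print("token sizes:", negotiate_token_sizes(sample))
    print("over threshold:", oversized_tokens(sample))
```

Token size is only an outward indicator, so compare against a baseline from the same realm rather than relying on the default threshold.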
