[Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA

[Simo Sorce]

On Mon, 2011-12-05 at 18:37 -0500, Simo Sorce wrote:
> On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
> > On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > > Hello all,
> > > >
> > > > with this set of patches it is possible to allow constrained delegation
> > > > of credentials so that a service can impersonate a user when
> > 
> > [..]
> > 
> > > In the third patch in ipadb_get_delegation_acl() you can just fall 
> > > through to the return.
> > 
> > Removed useless check.
> > I also noticed I had added the prototype declaration for the new vtable
> > function in the 2nd patch instead of the 3rd where it belongs by
> > mistake.
> > 
> > So I fixed that too.
> > 
> > > I think the content of this e-mail should be added as a README to the 
> > > source tree.
> > 
> > Ok, I dumped and adapted the email content into a README file and added
> > it to the third patch.
> > 
> > I also fixed the patch names as per policy.
> > 
> > Simo.
> 
> 
> We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
> the 'artificial' test done by kvno.
> 
> I pushed a patch to handle part of the problem as a new krb5 package in
> ipa-devel.
> 
> Soon we will have a patch for mod_auth_kerb that handles an issue there.
> 
> But we still have an unresolved issue when using the adtrust
> functionality and our KDC releases PACs.
> 
> The attached patch can be used to deal with that case. As you can see
> this is not intended for production, but can be used until we have a
> better fix on the KDC side.
> 
> Simo.

Rebased patch 468 to apply to current master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-468-2-ipa-kdb-Delegation-ACL-schema.patch
Type: text/x-patch
Size: 3271 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111206/209f110c/attachment.bin>