[Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA
Simo Sorce
simo at redhat.com
Tue Dec 6 13:54:28 UTC 2011
On Mon, 2011-12-05 at 18:37 -0500, Simo Sorce wrote:
> On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
> > On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > > Hello all,
> > > >
> > > > with this set of patches it is possible to allow constrained delegation
> > > > of credentials so that a service can impersonate a user when
> >
> > [..]
> >
> > > In the third patch in ipadb_get_delegation_acl() you can just fall
> > > through to the return.
> >
> > Removed useless check.
> > I also noticed I had added the prototype declaration for the new vtable
> > function in the 2nd patch instead of the 3rd where it belongs by
> > mistake.
> >
> > So I fixed that too.
> >
> > > I think the content of this e-mail should be added as a README to the
> > > source tree.
> >
> > Ok, I dumped and adapted the email content into a README file and added
> > it to the third patch.
> >
> > I also fixed the patch names as per policy.
> >
> > Simo.
>
>
> We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
> the 'artificial' test done by kvno.
>
> I pushed a patch to handle part of the problem as a new krb5 package in
> ipa-devel.
>
> Soon we will have a patch for mod_auth_kerb that handles an issue there.
>
> But we still have an unresolved issue when using the adtrust
> functionality and our KDC releases PACs.
>
> The attached patch can be used to deal with that case. As you can see
> this is not intended for production, but can be used until we have a
> better fix on the KDC side.
>
> Simo.
Rebased patch 468 to apply to current master.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-468-2-ipa-kdb-Delegation-ACL-schema.patch
Type: text/x-patch
Size: 3271 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111206/209f110c/attachment.bin>