[Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA

Simo Sorce simo at redhat.com
Thu Dec 8 22:18:50 UTC 2011


On Thu, 2011-12-08 at 16:55 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2011-12-05 at 18:37 -0500, Simo Sorce wrote:
> >> On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
> >>> On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> >>>> Simo Sorce wrote:
> >>>>> Hello all,
> >>>>>
> >>>>> with this set of patches it is possible to allow constrained delegation
> >>>>> of credentials so that a service can impersonate a user when
> >>>
> >>> [..]
> >>>
> >>>> In the third patch in ipadb_get_delegation_acl() you can just fall
> >>>> through to the return.
> >>>
> >>> Removed useless check.
> >>> I also noticed I had added the prototype declaration for the new vtable
> >>> function in the 2nd patch instead of the 3rd where it belongs by
> >>> mistake.
> >>>
> >>> So I fixed that too.
> >>>
> >>>> I think the content of this e-mail should be added as a README to the
> >>>> source tree.
> >>>
> >>> Ok, I dumped and adapted the email content into a README file and added
> >>> it to the third patch.
> >>>
> >>> I also fixed the patch names as per policy.
> >>>
> >>> Simo.
> >>
> >>
> >> We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
> >> the 'artificial' test done by kvno.
> >>
> >> I pushed a patch to handle part of the problem as a new krb5 package in
> >> ipa-devel.
> >>
> >> Soon we will have a patch for mod_auth_kerb that handles an issue there.
> >>
> >> But we still have an unresolved issue when using the adtrust
> >> functionality and our KDC releases PACs.
> >>
> >> The attached patch can be used to deal with that case. As you can see
> >> this is not intended for production, but can be used until we have a
> >> better fix on the KDC side.
> >>
> >> Simo.
> >
> > Rebased patch 468 to apply to current master.
> >
> > Simo.
> >
> 
> ACK x3

Pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



