[Freeipa-devel] [PATCH 1/1] Resolve external members from trusted domain via Global Catalog
Simo Sorce
simo at redhat.com
Tue Oct 30 15:28:23 UTC 2012
On Tue, 2012-10-30 at 06:50 +0200, Alexander Bokovoy wrote:
> I remember in my case that was the issue, i.e. finddc did discover
> proper DC via DNS and returned winda.ad.local but something within
> SASL/krb5 library wanted to see reverse lookup working which was not
> set
> up at the point.
>
I was able to get it to work with this patch on top of yours:
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 2c53faf..c619188 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -257,7 +257,7 @@ class DomainValidator(object):
return clear
def __kinit_as_trusted_account(self, info, password):
- ccache_name = "/var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN"
+ ccache_name = "/var/run/ipa_memcached/krb5cc_TRUSTEDDOMAIN"
principal = '%s$@%s' % (self.flatname, info['dns_domain'].upper())
(stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal],
env={'KRB5CCNAME':ccache_name},
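Review bot: the new `ccache_name` value `/var/run/ipa_memcached/krb5cc_TRUSTEDDOMAIN` is still a hard-coded literal, and the hunk moves it to a different directory without any check that the directory exists or is writable by the process that runs `/usr/bin/kinit`; if it is missing, the failure only shows up through the `returncode` of `ipautil.run`. Consider deriving the directory from one shared constant and verifying it exists before the kinit call, and note the reason for the path change in the commit message so the move from `/var/run/ipa/ipa_memcached/` is not silent.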
@@ -271,6 +271,7 @@ class DomainValidator(object):
if auth:
(ccache_name, principal) = self.__kinit_as_trusted_account(info, auth)
if ccache_name:
+ conn.set_option(_ldap._ldap.OPT_X_SASL_NOCANON, _ldap.OPT_ON)
cb_info = dict()
# pass empty dict, SASL GSSAPI is able to get all from the ccache
sasl_auth = _ldap.sasl.sasl(cb_info,'GSSAPI')
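Review bot: the added `conn.set_option(_ldap._ldap.OPT_X_SASL_NOCANON, _ldap.OPT_ON)` line carries no comment explaining why SASL hostname canonicalization is switched off, and the constant is reached through the private `_ldap._ldap` C-module namespace while `OPT_ON` comes from `_ldap` on the same line. The reason is only in the mail text (the GSSAPI bind otherwise depends on a working reverse lookup of the discovered DC, so the DC name from discovery should be used as-is for the service principal); put that in a comment above the call, and reference both constants through the same module so the line reads consistently.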
If you are ok with the changes, can you merge it in and send a new
patch?
Simo.
--
Simo Sorce * Red Hat, Inc * New York