[Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names
Martin Babinsky
mbabinsk at redhat.com
Fri Jul 1 09:07:01 UTC 2016
On 07/01/2016 10:38 AM, Petr Vobornik wrote:
> On 03/08/2016 06:02 PM, Martin Babinsky wrote:
>> On 03/08/2016 05:50 PM, Simo Sorce wrote:
>>> On Tue, 2016-03-08 at 17:20 +0100, Martin Babinsky wrote:
>>>> On 03/08/2016 05:00 PM, Simo Sorce wrote:
>>>>> On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote:
>>>>>> On 03/08/2016 04:49 PM, Simo Sorce wrote:
>>>>>>> On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote:
>>>>>>>> On 12/01/2015 10:08 PM, Simo Sorce wrote:
>>>>>>>>> On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote:
>>>>>>>>>> On 11/30/2015 07:42 PM, Simo Sorce wrote:
>>>>>>>>>>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote:
>>>>>>>>>>>> On 11/24/2015 10:20 PM, Simo Sorce wrote:
>>>>>>>>>>>>> This addresses #3860, giving admins the option to not
>>>>>>>>>>>>> require preauth
>>>>>>>>>>>>> for Hosts and services.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I did not add this option by default, although it does
>>>>>>>>>>>>> reduce the load
>>>>>>>>>>>>> on the KDC as well as speed up TGT acquisition for service
>>>>>>>>>>>>> principal
>>>>>>>>>>>>> accounts that acquire TGTs.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tested and working as expected (SPNs are not returned
>>>>>>>>>>>>> PREAUTH_NEEDED
>>>>>>>>>>>>> error while normal users are).
>>>>>>>>>>>>>
>>>>>>>>>>>>> HTH,
>>>>>>>>>>>>> Simo.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> Hi Simo,
>>>>>>>>>>>>
>>>>>>>>>>>> I was not able to apply the patch on current master branch:
>>>>>>>>>>>>
>>>>>>>>>>>> """
>>>>>>>>>>>> git am
>>>>>>>>>>>> ../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch
>>>>>>>>>>>>
>>>>>>>>>>>> -3
>>>>>>>>>>>>
>>>>>>>>>>>> Applying: Allow admins to disable preauth for SPNs.
>>>>>>>>>>>> error: invalid object 100644
>>>>>>>>>>>> a6b4d4349a9ac6de453d9ad3c679ec32add4e43b
>>>>>>>>>>>> for 'ipalib/plugins/config.py'
>>>>>>>>>>>> fatal: git-write-tree: error building trees
>>>>>>>>>>>> Repository lacks necessary blobs to fall back on 3-way merge.
>>>>>>>>>>>> Cannot fall back to three-way merge.
>>>>>>>>>>>> Patch failed at 0001 Allow admins to disable preauth for SPNs.
>>>>>>>>>>>> """
>>>>>>>>>>>>
>>>>>>>>>>>> It seems that I nedd to apply some of your other patches
>>>>>>>>>>>> first (which one?)
>>>>>>>>>>>
>>>>>>>>>>> Sorry did not see this question earlier, it requires 556 and
>>>>>>>>>>> 557, I just
>>>>>>>>>>> bumped that thread.
>>>>>>>>>>>
>>>>>>>>>>> Simo.
>>>>>>>>>>>
>>>>>>>>>> It seems that I need something else, patch 556-2 applies
>>>>>>>>>> cleanly, but
>>>>>>>>>> patch 557-3 fails with http://fpaste.org/296230/89819431/ on
>>>>>>>>>> both master
>>>>>>>>>> and 4-2 branch.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Rebased 556,557 in their thread, and here is the rebase for 558
>>>>>>>>> on top
>>>>>>>>> of them.
>>>>>>>>>
>>>>>>>>> Simo.
>>>>>>>>>
>>>>>>>>
>>>>>>>> ACK. I'm afraid that this patch and 556, 557 will require another
>>>>>>>> round
>>>>>>>> of rebase before pushing, though.
>>>>>>>
>>>>>>> Rebased on top of master (not on 556/557) per Petr's request.
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> NACK, if you do API changes please increment API version in VERSION.
>>>>>
>>>>> Why wasn't this a problem in the previous ACK ?
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> Probably because I missed it, sorry.
>>>>
>>>
>>> Fixed.
>>>
>>> Simo.
>>>
>>
>> Thanks, ACK.
>>
>
> was this pushed?
>
Yes I see 3e45c9be0aefb03751665a951f426ac59c50a551 in master.
--
Martin^3 Babinsky
More information about the Freeipa-devel
mailing list