[Freeipa-devel] [PATCH] kdb: check for local realm in enterprise principals

Sumit Bose sbose at redhat.com
Thu Jul 7 11:52:42 UTC 2016


On Thu, Jul 07, 2016 at 01:31:03PM +0200, Petr Vobornik wrote:
> On 07/06/2016 07:01 PM, Sumit Bose wrote:
> > Hi,
> > 
> > although enterprise principals for trusted domains now are working as
> > expected they do not work for the local domain:
> > 
> >     # kinit -E admin@IPA.DEVEL
> >     kinit: Client 'admin\@IPA.DEVEL@IPA.DEVEL' not found in Kerberos database while getting initial credentials
> > 
> > Attached patch handles this case. It is not that nice because of the
> > duplication of ipadb_fetch_principals() and ipadb_find_principal(). But
> > I think there was a reason I do not remember why we didn't check for
> > enterprise principals before checking the local database. If there is no
> > such reason it might make sense to check for enterprise principals
> > before doing the lookup. Please let me know if I should change the patch
> > accordingly or if the current version is ok,
> > 
> > bye,
> > Sumit
> > 
> 
> Hi Sumit,
> 
> thanks for the patch. This patch should have a ticket. It will help
> downstream planning.

sure, I created https://fedorahosted.org/freeipa/ticket/6036. Please
clone it to suitable downstream tickets.

Please note that we didn't release a patch for SSSD to enable enterprise
principals automatically if the IPA server (should) support them because
of this issue. Since 4.4.0 is already released I think we have to wait
on the SSSD side until a new FreeIPA version with a fix is released.

bye,
Sumit

> 
> -- 
> Petr Vobornik



