[Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names
Simo Sorce
simo at redhat.com
Tue Mar 8 16:50:25 UTC 2016
On Tue, 2016-03-08 at 17:20 +0100, Martin Babinsky wrote:
> On 03/08/2016 05:00 PM, Simo Sorce wrote:
> > On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote:
> >> On 03/08/2016 04:49 PM, Simo Sorce wrote:
> >>> On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote:
> >>>> On 12/01/2015 10:08 PM, Simo Sorce wrote:
> >>>>> On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote:
> >>>>>> On 11/30/2015 07:42 PM, Simo Sorce wrote:
> >>>>>>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote:
> >>>>>>>> On 11/24/2015 10:20 PM, Simo Sorce wrote:
> >>>>>>>>> This addresses #3860, giving admins the option to not require preauth
> >>>>>>>>> for Hosts and services.
> >>>>>>>>>
> >>>>>>>>> I did not add this option by default, although it does reduce the load
> >>>>>>>>> on the KDC as well as speed up TGT acquisition for service principal
> >>>>>>>>> accounts that acquire TGTs.
> >>>>>>>>>
> >>>>>>>>> Tested and working as expected (SPNs are not returned PREAUTH_NEEDED
> >>>>>>>>> error while normal users are).
> >>>>>>>>>
> >>>>>>>>> HTH,
> >>>>>>>>> Simo.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>> Hi Simo,
> >>>>>>>>
> >>>>>>>> I was not able to apply the patch on current master branch:
> >>>>>>>>
> >>>>>>>> """
> >>>>>>>> git am
> >>>>>>>> ../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch
> >>>>>>>> -3
> >>>>>>>>
> >>>>>>>> Applying: Allow admins to disable preauth for SPNs.
> >>>>>>>> error: invalid object 100644 a6b4d4349a9ac6de453d9ad3c679ec32add4e43b
> >>>>>>>> for 'ipalib/plugins/config.py'
> >>>>>>>> fatal: git-write-tree: error building trees
> >>>>>>>> Repository lacks necessary blobs to fall back on 3-way merge.
> >>>>>>>> Cannot fall back to three-way merge.
> >>>>>>>> Patch failed at 0001 Allow admins to disable preauth for SPNs.
> >>>>>>>> """
> >>>>>>>>
> >>>>>>>> It seems that I nedd to apply some of your other patches first (which one?)
> >>>>>>>
> >>>>>>> Sorry did not see this question earlier, it requires 556 and 557, I just
> >>>>>>> bumped that thread.
> >>>>>>>
> >>>>>>> Simo.
> >>>>>>>
> >>>>>> It seems that I need something else, patch 556-2 applies cleanly, but
> >>>>>> patch 557-3 fails with http://fpaste.org/296230/89819431/ on both master
> >>>>>> and 4-2 branch.
> >>>>>>
> >>>>>
> >>>>> Rebased 556,557 in their thread, and here is the rebase for 558 on top
> >>>>> of them.
> >>>>>
> >>>>> Simo.
> >>>>>
> >>>>
> >>>> ACK. I'm afraid that this patch and 556, 557 will require another round
> >>>> of rebase before pushing, though.
> >>>
> >>> Rebased on top of master (not on 556/557) per Petr's request.
> >>>
> >>> Simo.
> >>>
> >>>
> >>
> >> NACK, if you do API changes please increment API version in VERSION.
> >
> > Why wasn't this a problem in the previous ACK ?
> >
> > Simo.
> >
>
> Probably because I missed it, sorry.
>
Fixed.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-558-4-Allow-admins-to-disable-preauth-for-SPNs.patch
Type: text/x-patch
Size: 7071 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160308/36c26ef5/attachment.bin>
More information about the Freeipa-devel
mailing list