[Freeipa-devel] [DESIGN] Kerberos principal alias handling

Martin Babinsky mbabinsk at redhat.com
Fri May 6 13:18:06 UTC 2016


On 05/06/2016 02:57 PM, Martin Kosek wrote:
> On 04/18/2016 10:31 AM, Martin Kosek wrote:
>> On 04/08/2016 05:10 PM, Martin Babinsky wrote:
>>> Hi list,
>>>
>>> I have put together a draft [1] outlining the effort to reimplement the
>>> handling of Kerberos principals in both backend and frontend layers of FreeIPA
>>> so that we may have multiple aliases per user, host or service and thus
>>> implement stuff like https://fedorahosted.org/freeipa/ticket/3961 and
>>> https://fedorahosted.org/freeipa/ticket/5413 .
>>>
>>> Since much of the plumbing was already implemented,[2] the document mainly
>>> describes what the patches do. Some parts required by other use cases may be
>>> missing so please point these out.
>>>
>>> I would also be happy if you could correct all factual inaccuracies, I did
>>> research on this issue a long time ago and my knowledge turned a bit rusty.
>>>
>>> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
>>> [2] https://www.redhat.com/archives/freeipa-devel/2015-October/msg00048.html
>>
>> Thanks! Looking at the planned API/CLI, besides the typo ("prinicpal"), I also
>> see that you are using the Kerberos attributes in the raw name
>> ("--krbprincipalname"). This is not consistent with the CLI form when they are
>> used in other commands:
>>
>> ...
>>         Str('krbprincipalname?', validate_principal,
>>             cli_name='principal',
>>             label=_('Kerberos principal'),
>>             default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm),
>>             autofill=True,
>>             flags=['no_update'],
>>             normalizer=lambda value: normalize_principal(value),
>>         ),
>>         DateTime('krbprincipalexpiration?',
>>             cli_name='principal_expiration',
>>             label=_('Kerberos principal expiration'),
>>         ),
>> ...
>>
>> IMO, it should be rather "--principal" and "--principal-alias".
>>
>> Martin
>>
>
> Bump.
>

I fixed the CLI API a while ago so it should now be more conformant 
with the rest of the framework. I just forgot to notify the list about 
the change.

Other parts of the design were also revised but we are not there yet 
since we have to investigate a discrepancy in handling of kinit using 
alias without canonicalization between AD and MIT Kerberos.

We have discussed this with Simo (cc'ed) who promised to ask MIT guys 
about this. We should restart the discussion about the design.

-- 
Martin^3 Babinsky
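As an added illustration of the two points raised in this thread (the CLI option name that a parameter's cli_name produces, and one entry carrying a canonical Kerberos principal plus aliases that a lookup may or may not canonicalize), here is a small self-contained model. It is not code from FreeIPA or from any of the posters; the realm EXAMPLE.TEST, the sample entries, the simplified normalization and validation rules, and the lookup semantics (canonical name returned only when canonicalization is requested) are all assumptions made for this example.

```python
"""Toy model of the two things discussed in the thread: how a parameter's
cli_name becomes the option shown on the command line, and how one entry
can carry a canonical Kerberos principal plus aliases that a lookup may or
may not canonicalize.

Constructed illustration, not FreeIPA's own code. The realm, the sample
entries, and the exact normalization/lookup rules are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

REALM = "EXAMPLE.TEST"  # assumed realm; stands in for api.env.realm


def cli_option(attr_name: str, cli_name: Optional[str] = None) -> str:
    """Option shown on the CLI for a parameter: cli_name if given, else the
    raw attribute name, with underscores rendered as dashes."""
    return "--" + (cli_name or attr_name).replace("_", "-")


def normalize_principal(value: str, realm: str = REALM) -> str:
    """Append the default realm when none is given and upper-case the realm.
    Loosely modelled on the normalizer in the quoted parameter definition."""
    value = value.strip()
    if "@" not in value:
        return f"{value}@{realm}"
    primary, _, given_realm = value.rpartition("@")
    return f"{primary}@{(given_realm or realm).upper()}"


def validate_principal(value: str) -> None:
    """Reject malformed principals: wrong number of '@', empty parts, whitespace."""
    if value.count("@") != 1:
        raise ValueError(f"malformed principal: {value!r}")
    primary, realm = value.split("@")
    if not primary or not realm or any(c.isspace() for c in value):
        raise ValueError(f"malformed principal: {value!r}")


def default_principal(uid: str, realm: str = REALM) -> str:
    """Mirror of the quoted default_from: lower-cased uid in the default realm."""
    return f"{uid.lower()}@{realm}"


@dataclass
class PrincipalEntry:
    """One user/host/service: a canonical principal plus zero or more aliases."""
    canonical: str
    aliases: Set[str] = field(default_factory=set)

    def names(self) -> Set[str]:
        return {self.canonical} | self.aliases


class PrincipalDirectory:
    """In-memory stand-in for the KDB: every principal name, canonical or
    alias, must be unique across all entries."""

    def __init__(self) -> None:
        self._entries: List[PrincipalEntry] = []
        self._by_name: Dict[str, PrincipalEntry] = {}

    def add(self, canonical: str, aliases: Iterable[str] = ()) -> PrincipalEntry:
        entry = PrincipalEntry(normalize_principal(canonical),
                               {normalize_principal(a) for a in aliases})
        for name in entry.names():
            validate_principal(name)
            if name in self._by_name:
                raise ValueError(f"principal already in use: {name}")
        for name in entry.names():
            self._by_name[name] = entry
        self._entries.append(entry)
        return entry

    def lookup(self, requested: str, canonicalize: bool) -> Tuple[PrincipalEntry, str]:
        """Resolve a requested name (canonical or alias) to its entry and the
        name that would go into the ticket. Assumed semantics for this model:
        with canonicalize=True the canonical name is returned, otherwise the
        name comes back exactly as requested. Which name a real KDC returns
        for an alias without canonicalization is the AD vs MIT question the
        thread leaves open."""
        name = normalize_principal(requested)
        entry = self._by_name.get(name)
        if entry is None:
            raise KeyError(f"unknown principal: {name}")
        return entry, (entry.canonical if canonicalize else name)


def build_sample_directory() -> PrincipalDirectory:
    """Constructed sample data: one user with an alias, one host with an alias."""
    d = PrincipalDirectory()
    d.add(default_principal("JDoe"), aliases=["john.doe"])
    d.add("host/web.example.test", aliases=["host/www.example.test"])
    return d


if __name__ == "__main__":
    directory = build_sample_directory()
    for flag in (True, False):
        _, ticket_name = directory.lookup("john.doe", canonicalize=flag)
        print(f"canonicalize={flag}: {ticket_name}")
```

Running the module prints the name the model would place in the ticket for the alias john.doe with and without canonicalization; the uniqueness check in `add` is what keeps an alias from silently shadowing another entry's canonical principal.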
