[Freeipa-devel] kpasswd and minor fixes
Simo Sorce
ssorce at redhat.com
Thu Aug 9 21:23:10 UTC 2007
OK, I have pushed the patches. The code needs some work, but I think it
is good enough for a first commit.
Comments follow.
On Thu, 2007-08-09 at 17:09 -0400, Rob Crittenden wrote:
> Ok, I got all the patches applied, here is a better review.
>
> ntpd is added to README as a requirement but it isn't added to the spec
> file nor do we configure it yet (not required for this patch but a
> necessary TODO)
Yeah, I placed it in the README exactly to avoid forgetting about it.
> The previously mentioned /usr/local/sbin vs /usr/sbin for the
> ipa_kpasswd daemon install.
Fixed and pushed with the rest of the code.
> What will the blacklist do to NAT'd addresses? What happens to a kpasswd
> request when someone from the same IP is also doing a request? What does
> the user see, in other words.
They will just see a password change failing.
Not sure I have a better alternative; I could probably go down the path
of discovering which krbPrincipal is trying to do a password change and
blacklist only on the IP+krbPrincipal combination.
But in any case this is just a stopgap measure to fix a bug in the
clients.
I am trying to make the client use TCP instead; not sure this is
possible without a couple of patches to the client tools.
> There are still cases in handle_krb_packets() where errors are passed to
> done instead of kpreply, such as KRB5_KPASSWD_AUTHERROR.
Yeah, they are catastrophic failures, i.e. there is no way to build a reply.
> Should the port be hardcoded in ldap_pwd_change()? I have enough
> hardcoding in the code I've done so this isn't a hard stop :-)
No, we should get it from a DNS query, good catch.
Simo.
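The NAT concern raised above, as an added illustration that is not code from FreeIPA or from anyone in this thread: a toy kpasswd request blacklist keyed on source IP alone versus on (source IP, krbPrincipal). The request fields, the principal extraction, and the "refuse a second request with the same key while one is in flight" semantics are assumptions for the sake of the example.

```python
"""Added example, not FreeIPA code: compare two blacklist keys for a
kpasswd daemon. Blacklist semantics (refuse a request whose key is
already in flight) and the request fields are assumed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KpasswdRequest:
    src_ip: str     # source address of the UDP datagram
    principal: str  # client principal (assumed already decoded from the AP-REQ)


class Blacklist:
    """Block a key while a request carrying that key is still in flight."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.in_flight = set()

    def admit(self, req):
        key = self.key_fn(req)
        if key in self.in_flight:
            return False  # the client just sees the password change fail
        self.in_flight.add(key)
        return True

    def finish(self, req):
        self.in_flight.discard(self.key_fn(req))


by_ip = lambda r: r.src_ip                          # IP-only stopgap
by_ip_and_principal = lambda r: (r.src_ip, r.principal)  # finer-grained key


def admitted(key_fn, requests):
    """Push a burst of concurrent requests through a fresh blacklist and
    return the principals whose requests were admitted."""
    bl = Blacklist(key_fn)
    return [r.principal for r in requests if bl.admit(r)]


# Constructed sample: two users behind one NAT address, plus a duplicate
# datagram from alice (the client-side UDP bug the blacklist works around).
SAMPLE = [
    KpasswdRequest("203.0.113.7", "alice@EXAMPLE.COM"),
    KpasswdRequest("203.0.113.7", "bob@EXAMPLE.COM"),
    KpasswdRequest("203.0.113.7", "alice@EXAMPLE.COM"),
]

if __name__ == "__main__":
    print(admitted(by_ip, SAMPLE))                # bob is wrongly refused
    print(admitted(by_ip_and_principal, SAMPLE))  # bob admitted, retry dropped
```

With the IP-only key, bob's legitimate request is refused merely because alice's is in flight from the same NAT address; the composite key still drops alice's duplicate datagram while letting bob through.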