[Freeipa-devel] [PATCH] 468 don't run through pre-bind code on enrollment

Rob Crittenden rcritten at redhat.com
Mon Jun 14 15:42:00 UTC 2010


Simo Sorce wrote:
> On Fri, 11 Jun 2010 16:16:32 -0400
> Rob Crittenden <rcritten at redhat.com> wrote:
> 
>> Don't try to convert a host's password into a keytab.
>>
>> The migration plugin uses a pre-op function to automatically create 
>> Kerberos credentials when binding using a password.
>>
>> The problem is that we do a simple bind when doing password-based host 
>> enrollment. This was causing krbPasswordExpiration to be set which
>> isn't what we want for hosts. They really shouldn't go through this
>> code at all.
> 
> I'd like to NACK and ask to check for the ipaHost objectClass instead
> of strncmp()aring the principal with "host/"
> 
> Simo.
> 

Updated patch attached. I took the opportunity to fix another instance 
of comparing to host/ in the principal name as well.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-468-2-enroll.patch
Type: application/mbox
Size: 3366 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20100614/818a0add/attachment.mbox>

