[Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA

Simo Sorce simo at redhat.com
Mon Dec 5 23:37:53 UTC 2011


On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
> On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > Hello all,
> > >
> > > with this set of patches it is possible to allow constrained delegation
> > > of credentials so that a service can impersonate a user when
> 
> [..]
> 
> > In the third patch in ipadb_get_delegation_acl() you can just fall 
> > through to the return.
> 
> Removed useless check.
> I also noticed I had added the prototype declaration for the new vtable
> function in the 2nd patch instead of the 3rd where it belongs by
> mistake.
> 
> So I fixed that too.
> 
> > I think the content of this e-mail should be added as a README to the 
> > source tree.
> 
> Ok, I dumped and adapted the email content into a README file and added
> it to the third patch.
> 
> I also fixed the patch names as per policy.
> 
> Simo.


We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
the 'artificial' test done by kvno.

I pushed a patch to handle part of the problem as a new krb5 package in
ipa-devel.

Soon we will have a patch for mod_auth_kerb that handles an issue there.

But we still have an unresolved issue when using the adtrust
functionality and our KDC releases PACs.

The attached patch can be used to deal with that case. As you can see
this is not intended for production, but can be used until we have a
better fix on the KDC side.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Attachment (scrubbed by the list archive): 0001-ipa-kdb-temporary-workaround-for-s4u2proxy-ops.patch
Type: text/x-patch, 1142 bytes
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111205/3b31cd7a/attachment.bin>

