[Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA

Rob Crittenden rcritten at redhat.com
Thu Dec 8 21:55:18 UTC 2011


Simo Sorce wrote:
> On Mon, 2011-12-05 at 18:37 -0500, Simo Sorce wrote:
>> On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
>>> On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> Hello all,
>>>>>
>>>>> with this set of patches it is possible to allow constrained delegation
>>>>> of credentials so that a service can impersonate a user when
>>>
>>> [..]
>>>
>>>> In the third patch in ipadb_get_delegation_acl() you can just fall
>>>> through to the return.
>>>
>>> Removed useless check.
>>> I also noticed I had added the prototype declaration for the new vtable
>>> function in the 2nd patch instead of the 3rd where it belongs by
>>> mistake.
>>>
>>> So I fixed that too.
>>>
>>>> I think the content of this e-mail should be added as a README to the
>>>> source tree.
>>>
>>> Ok, I dumped and adapted the email content into a README file and added
>>> it to the third patch.
>>>
>>> I also fixed the patch names as per policy.
>>>
>>> Simo.
>>
>>
>> We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
>> the 'artificial' test done by kvno.
>>
>> I pushed a patch to handle part of the problem as a new krb5 package in
>> ipa-devel.
>>
>> Soon we will have a patch for mod_auth_kerb that handles an issue there.
>>
>> But we still have an unresolved issue when using the adtrust
>> functionality and our KDC releases PACs.
>>
>> The attached patch can be used to deal with that case. As you can see
>> this is not intended for production, but can be used until we have a
>> better fix on the KDC side.
>>
>> Simo.
>
> Rebased patch 468 to apply to current master.
>
> Simo.
>

ACK x3



