List: sssd-devel
Subject: Re: [SSSD] Design discussion - Changes required to support one-way trusts
From: Jakub Hrozek <jhrozek () redhat ! com>
Date: 2015-04-28 10:54:31
Message-ID: 20150428105431.GB31408 () hendrix ! arn ! redhat ! com
On Tue, Apr 28, 2015 at 01:34:56PM +0300, Alexander Bokovoy wrote:
> On Tue, 28 Apr 2015, Jakub Hrozek wrote:
> >On Mon, Apr 27, 2015 at 10:32:03AM +0200, Jakub Hrozek wrote:
> >>Sure, I will add a more explicit note once we agree what the mechanism
> >>would be.
> >
> >I modified the design page to agree with this discussion:
> > https://fedorahosted.org/sssd/wiki/DesignDocs/OneWayTrusts?action=diff&version=10&old_version=9
> >
> >The changes include:
> > - noted that we fetch all enctypes from IPA and that IPA is
> > responsible for filtering/requesting the right keytabs
> > - note we would prune and fetch the keytabs on restart. If we see
> > during development that this is taking too much time, we can back
> > off.
> > - there is a note that inbound trusts are ignored
> > - there is a note why we're calling ipa-getkeytab explicitly and why
> > we might consider moving to calling the extop ourselves in the
> > future
> > - keytab comparison is spelled out more explicitly (keys are
> > compared) and there is an explicit note that krb5 calls don't
> > hurt because the keytab is owned by the sssd user already.
> >
> >I'll file the per-task tickets now.
> ACK. Do you need FreeIPA tickets too? Just file them as well.
OK, I filed these SSSD tickets:
https://fedorahosted.org/sssd/ticket/2636
https://fedorahosted.org/sssd/ticket/2637
https://fedorahosted.org/sssd/ticket/2638
https://fedorahosted.org/sssd/ticket/2639
And two IPA tickets:
https://fedorahosted.org/freeipa/ticket/5004
https://fedorahosted.org/freeipa/ticket/5005
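The design summary above says keytabs are compared by their keys rather than by file metadata. The following Python is an added, stand-alone illustration of that idea (it is not SSSD or FreeIPA code): it parses the MIT keytab file format (version 0x0502), reduces each keytab to its set of (principal, enctype, key) triples, and reports whether two keytabs carry the same key material. The sample keytabs are constructed in the script; the choice to ignore the timestamp and kvno fields when comparing is an assumption for this example, not something the thread specifies.

```python
import struct

# Kerberos enctype numbers used for the constructed samples (RFC 3962).
AES256_CTS_HMAC_SHA1_96 = 18
AES128_CTS_HMAC_SHA1_96 = 17


def _counted(b):
    """Encode a keytab 'counted octet string': uint16 length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def build_keytab(entries):
    """Build an MIT v2 keytab from (principal, enctype, key, kvno, timestamp).

    Used here only to construct sample input; real keytabs come from
    ipa-getkeytab or kadmin.
    """
    out = b"\x05\x02"
    for principal, enctype, key, kvno, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type 1 = KRB5_NT_PRINCIPAL, then timestamp and 8-bit vno
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Parse an MIT v2 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:          # negative size marks a deleted slot
            off += -size
            continue
        entry, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm, p = _read_counted(entry, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(entry, p)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p)
        p += 4
        key = entry[p:p + klen]
        p += klen
        vno = vno8
        if len(entry) - p >= 4:   # 32-bit vno present
            (vno,) = struct.unpack_from(">I", entry, p)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "key": key,
                        "kvno": vno, "timestamp": ts})
        off += size
    return entries


def key_set(data):
    """The comparable content of a keytab: which keys it holds for whom."""
    return {(e["principal"], e["enctype"], e["key"]) for e in parse_keytab(data)}


def keytabs_match(a, b):
    """True if both keytabs hold exactly the same key material."""
    return key_set(a) == key_set(b)


# Constructed sample data; the key bytes are placeholders, not real keys.
PRINC = "host/ipa.example.test@EXAMPLE.TEST"
K256, K128 = b"\x11" * 32, b"\x22" * 16
KT_CURRENT = build_keytab([(PRINC, AES256_CTS_HMAC_SHA1_96, K256, 2, 1430000000),
                           (PRINC, AES128_CTS_HMAC_SHA1_96, K128, 2, 1430000000)])
# Same keys re-fetched later: different timestamp and kvno, same material.
KT_REFETCHED = build_keytab([(PRINC, AES256_CTS_HMAC_SHA1_96, K256, 3, 1430100000),
                             (PRINC, AES128_CTS_HMAC_SHA1_96, K128, 3, 1430100000)])
# Key rotated on the server: material changed, so the keytab must be replaced.
KT_ROTATED = build_keytab([(PRINC, AES256_CTS_HMAC_SHA1_96, b"\x33" * 32, 3, 1430100000),
                           (PRINC, AES128_CTS_HMAC_SHA1_96, b"\x44" * 16, 3, 1430100000)])

if __name__ == "__main__":
    print("refetched matches current:", keytabs_match(KT_CURRENT, KT_REFETCHED))
    print("rotated matches current:  ", keytabs_match(KT_CURRENT, KT_ROTATED))
```

Comparing the key set rather than the file bytes or mtime is what makes the prune-and-refetch-on-restart step idempotent: a keytab fetched again with unchanged keys is recognised as equivalent even though its timestamps and vno fields differ.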
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel