Age | Commit message (Collapse) | Author | Files | Lines |
|
https://fedorahosted.org/sssd/ticket/1303
Domain start up was taking too long when there are many principals
in a kerberos keytab. We were looking up in the keytab two times.
The first time we try to select a proper principal and remember it.
The second call happens almost right after the first one and
it is just a check if the principal exists in the keytab, without
any output information other than success/failure. It is
probably a left over from https://fedorahosted.org/sssd/ticket/781.
This patch removes the second call.
|
|
Coverity #12781
|
|
* This broke corner cases when used with
default_tkt_types = des-cbc-crc
and DES enabled on an AD domain.
* This is fixed in kerberos instead, in a more correct way
and in a way which we cannot replicate.
|
|
We can't support the DIR cache features in systems with kerberos
libraries older than 1.10. Make sure we don't build it on those
systems.
|
|
https://fedorahosted.org/sssd/ticket/974
|
|
Kerberos credential caches can be specified by TYPE:RESIDUAL. This patch
adds a couple of utilities to support parsing if ccache locations,
checking types etc.
|
|
https://fedorahosted.org/sssd/ticket/1330
|
|
* Load the enctypes for the keys in the keytab and pass
them to krb5_get_init_creds_keytab().
* This fixes the problem where the server offers a enctype
that krb5 supports, but we don't have a key for in the keytab.
https://bugzilla.redhat.com/show_bug.cgi?id=811375
|
|
* When it's actually a failure, then the callers will print
a message. Fine tune this.
|
|
There were many places where we were printing (null) to the logs
because a NULL keytab name tells libkrb5 to use its configured
default instead of a particular path. This patch should clean up
all uses of this to print "default" in the logs.
https://fedorahosted.org/sssd/ticket/1288
|
|
https://fedorahosted.org/sssd/ticket/1269
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/857
|
|
https://fedorahosted.org/sssd/ticket/858
|
|
|
|
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781
|
|
The function now supports finding principal in keytab not only based on
realm, but based on both realm and primary/instance parts. The function
also supports * wildcard at the beginning or at the end of primary
principal part. The function for finding principal has been moved to
util/sss_krb5.c, so it can be used in other parts of the code.
|
|
https://fedorahosted.org/sssd/ticket/711
|
|
|
|
|
|
|
|
In addition to validating the keytab everytime a TGT is requested, we
also validate the keytab on back end startup to give early warning that
the keytab is not usable.
Fixes: #556
|
|
Also update BUILD.txt
|