On Tue, 13 Dec 2016, Vít Ondruch wrote:


On 12.12.2016 at 16:02, Stephen Gallagher wrote:
On 12/12/2016 04:53 AM, Vít Ondruch wrote:
So several questions:

1) When I have 2 domains I log in to with Kerberos, how to really make it
work. I don't want to kswitch all the time. I am using Kerberos to
authenticate my email client, so I want to keep it working all the time.

There are patches still coming that will switch the fedora packaging tools to
use GSSAPI rather than Kerberos directly, which will handle auto-selecting the
right TGT. I'm not sure what the status is on this, but Patrick Uiterwijk (CCed)
was looking into it.

I am probably missing something, but if I am not mistaken, the primary
ticket depends on the order of my kinit calls and I am using several apps
which need Kerberos authentication, so I can hardly see how fedora
packaging tools changes can solve the major issue, i.e. if I do kinit
vondr...@fedoraproject.org, this ticket becomes the primary ...

The story is always more complex than it seems.

There is the Kerberos protocol. There is also the GSSAPI interface that
allows wrapping Kerberos use under a more general security exchange means.
While Kerberos tools can deal with multiple credential caches in the
collection only by addressing the currently selected credentials cache,
GSSAPI-aware applications enjoy the ability to choose which credentials
cache from the collection to use based on the realm of the target service.

Koji with a patch to use python-gssapi will have the ability to choose the
credentials cache automatically based on the realm of the target
service, regardless of what credentials cache is active right now in the
collection. The version in Fedora right now (1.11.0-1.fc25) is not yet
built with the patch to use python-gssapi.

--
/ Alexander Bokovoy
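
The selection behaviour described in the message above, as an added example that is not part of the original thread and is not code from MIT krb5, python-gssapi or Koji. It is a simplified model: the principals, host names and the `DOMAIN_REALM` mapping are constructed sample values, and the helper names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed [domain_realm]-style mapping; hosts and realms are sample values.
DOMAIN_REALM = {".fedoraproject.org": "FEDORAPROJECT.ORG",
                ".example.com": "EXAMPLE.COM"}

@dataclass(frozen=True)
class Cache:
    client: str                      # client principal, "user@REALM"

    @property
    def realm(self) -> str:
        return self.client.rsplit("@", 1)[1]

@dataclass
class Collection:
    caches: list = field(default_factory=list)
    primary: Optional[Cache] = None

    def kinit(self, client: str) -> Cache:
        """Add (or reuse) the cache for `client` and make it primary,
        which is the ordering effect described in the thread."""
        cache = next((c for c in self.caches if c.client == client), None)
        if cache is None:
            cache = Cache(client)
            self.caches.append(cache)
        self.primary = cache
        return cache

def realm_for_host(host: str) -> Optional[str]:
    """Longest-suffix match of the service host against DOMAIN_REALM."""
    host = "." + host.lower().rstrip(".")
    matches = [s for s in DOMAIN_REALM if host.endswith(s)]
    return DOMAIN_REALM[max(matches, key=len)] if matches else None

def cache_for_primary_only(coll: Collection) -> Optional[Cache]:
    """A client that only looks at the currently selected cache."""
    return coll.primary

def cache_for_service(coll: Collection, host: str) -> Optional[Cache]:
    """Realm-based choice: use the cache whose client realm matches the
    realm of the target service, fall back to the primary cache."""
    realm = realm_for_host(host)
    for cache in coll.caches:
        if realm is not None and cache.realm == realm:
            return cache
    return coll.primary
```

In this model the order of `kinit` calls changes only what `cache_for_primary_only` returns; `cache_for_service` keeps returning the cache for the service's realm.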