Ok I buy this.
Just have questions below...

Simo Sorce wrote:
> Ok now on a more serious note ...
> On Fri, 2009-10-30 at 14:28 -0400, Dmitri Pal wrote:
>> Why we can't call kinit (or equivalent) on their behalf as soon as we
>> migrated them right away ourselves and then redirect then to the right
>> place - self service page?
> We could call kinit and store the credentials in the server cache for
> the time the user is connected like we do with forwarded credentials,
> but we want to go toward S4U to avoid forwarding TGTs in the first
> place.
So if we have the user TGT on server haw we can use it to improve user

>> Why make them fail? 
>> I assume that things like cfengine or puppet can be used to already
>> precofigure browsers to know about IPA.
> In general the browser configuration is kept in the user home directory,
> and is not something puppet or cfengine should touch (they may have no
> access to the user home directory until the user is logged in anyway).
We already have the RFE to make FF to be able to configure kerberos more
We can add specifics to it and make this configuration be stored outside
of the user home directory
so that it can be centrally configured.


May be we should add it to the bug.

But back to the point of user.
What is that the browser carries that allows it to access the pages?
Is it a cookie of some kind that is created as a result of the
authentication using ticket or what?
Can we create such cookie on behalf of the user.
I understand that it will solve the problem of only this session and if
user closes browser
he will have to do kinit so may be it is not worth it.

I guess asking user to log out and log in will only work if the system
is configured to use same IPA with kerberos via SSSD or directly.
Is this something that can be checked?
If the user's machine is not configured for kerberos with the same
domain asking user to log off and log on will not help.

Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-devel mailing list

Reply via email to