Ok I buy this. Just have questions below... Simo Sorce wrote: > Ok now on a more serious note ... > > On Fri, 2009-10-30 at 14:28 -0400, Dmitri Pal wrote: > >> Why we can't call kinit (or equivalent) on their behalf as soon as we >> migrated them right away ourselves and then redirect then to the right >> place - self service page? >> > > We could call kinit and store the credentials in the server cache for > the time the user is connected like we do with forwarded credentials, > but we want to go toward S4U to avoid forwarding TGTs in the first > place. > So if we have the user TGT on server haw we can use it to improve user experience?
> >> Why make them fail? >> I assume that things like cfengine or puppet can be used to already >> precofigure browsers to know about IPA. >> > > In general the browser configuration is kept in the user home directory, > and is not something puppet or cfengine should touch (they may have no > access to the user home directory until the user is logged in anyway). > > We already have the RFE to make FF to be able to configure kerberos more friendly. We can add specifics to it and make this configuration be stored outside of the user home directory so that it can be centrally configured. https://bugzilla.redhat.com/show_bug.cgi?id=526824 Upsteam https://bugzilla.mozilla.org/show_bug.cgi?id=520668 May be we should add it to the bug. But back to the point of user. What is that the browser carries that allows it to access the pages? Is it a cookie of some kind that is created as a result of the authentication using ticket or what? Can we create such cookie on behalf of the user. I understand that it will solve the problem of only this session and if user closes browser he will have to do kinit so may be it is not worth it. I guess asking user to log out and log in will only work if the system is configured to use same IPA with kerberos via SSSD or directly. Is this something that can be checked? If the user's machine is not configured for kerberos with the same domain asking user to log off and log on will not help. -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
