Dmitri Pal wrote:
> Ok I buy this.
> Just have questions below...
> Simo Sorce wrote:
>> Ok now on a more serious note ...
>> On Fri, 2009-10-30 at 14:28 -0400, Dmitri Pal wrote:
>>> Why can't we call kinit (or equivalent) on their behalf as soon as we
>>> migrated them right away ourselves and then redirect them to the right
>>> place - self service page?
>> We could call kinit and store the credentials in the server cache for
>> the time the user is connected like we do with forwarded credentials,
>> but we want to go toward S4U to avoid forwarding TGTs in the first
> So if we have the user TGT on server how we can use it to improve user
>>> Why make them fail?
>>> I assume that things like cfengine or puppet can be used to already
>>> preconfigure browsers to know about IPA.
>> In general the browser configuration is kept in the user home directory,
>> and is not something puppet or cfengine should touch (they may have no
>> access to the user home directory until the user is logged in anyway).
> We already have the RFE to make FF to be able to configure kerberos more
> We can add specifics to it and make this configuration be stored outside
> of the user home directory
> so that it can be centrally configured.
> Maybe we should add it to the bug.
> But back to the point of user.
> What is it that the browser carries that allows it to access the pages?
> Is it a cookie of some kind that is created as a result of the
> authentication using ticket or what?
> Can we create such a cookie on behalf of the user?
> I understand that it will solve the problem of only this session and if
> user closes browser
> he will have to do kinit so maybe it is not worth it.
> I guess asking user to log out and log in will only work if the system
> is configured to use same IPA with kerberos via SSSD or directly.
> Is this something that can be checked?
> If the user's machine is not configured for kerberos with the same
> domain asking user to log off and log on will not help.
I guess if we put the message into an attribute somewhere in the
cn=config and pull it from DS instead of making it a part of the page itself
we would give the admin the choice of what to tell the user to do in this case.
"Kinit" or "logoff/login" or "check this ... if you are then ...
otherwise ..."; this together with migration instructions would help a lot.
Engineering Manager IPA project,
Red Hat Inc.
Freeipa-devel mailing list