Dmitri Pal wrote: > Ok I buy this. > Just have questions below... > > Simo Sorce wrote: > >> Ok now on a more serious note ... >> >> On Fri, 2009-10-30 at 14:28 -0400, Dmitri Pal wrote: >> >> >>> Why we can't call kinit (or equivalent) on their behalf as soon as we >>> migrated them right away ourselves and then redirect then to the right >>> place - self service page? >>> >>> >> We could call kinit and store the credentials in the server cache for >> the time the user is connected like we do with forwarded credentials, >> but we want to go toward S4U to avoid forwarding TGTs in the first >> place. >> >> > So if we have the user TGT on server haw we can use it to improve user > experience? > > > >> >> >>> Why make them fail? >>> I assume that things like cfengine or puppet can be used to already >>> precofigure browsers to know about IPA. >>> >>> >> In general the browser configuration is kept in the user home directory, >> and is not something puppet or cfengine should touch (they may have no >> access to the user home directory until the user is logged in anyway). >> >> >> > We already have the RFE to make FF to be able to configure kerberos more > friendly. > We can add specifics to it and make this configuration be stored outside > of the user home directory > so that it can be centrally configured. > https://bugzilla.redhat.com/show_bug.cgi?id=526824 > > Upsteam > https://bugzilla.mozilla.org/show_bug.cgi?id=520668 > > May be we should add it to the bug. > > But back to the point of user. > What is that the browser carries that allows it to access the pages? > Is it a cookie of some kind that is created as a result of the > authentication using ticket or what? > Can we create such cookie on behalf of the user. > I understand that it will solve the problem of only this session and if > user closes browser > he will have to do kinit so may be it is not worth it. > > I guess asking user to log out and log in will only work if the system > is configured to use same IPA with kerberos via SSSD or directly. > Is this something that can be checked? > If the user's machine is not configured for kerberos with the same > domain asking user to log off and log on will not help. > > I guess if we put the message into an attribute somewhere in the cn=config and pull it from DS instead of making it a part of the page itself we would give the admin choice what to tell user to do in this case. "Kinit" or "logoff/login" or "check this ... if you are then ... otherwise ..." this together with migration instructions would help a lot.
-- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel