On 02/26/2014 12:39 PM, Martin Kosek wrote:
> On 02/26/2014 09:33 AM, Alexander Bokovoy wrote:
>> On Wed, 26 Feb 2014, Martin Kosek wrote:
>>> On 02/25/2014 07:59 PM, Simo Sorce wrote:
>>>> On Tue, 2014-02-25 at 20:58 +0200, Alexander Bokovoy wrote:
>>>>> Resending patch 0138 together with another case Simo found out today:
>>>>> when the authdata flag is cleared by admin for the service principal, we'll
>>>>> get a NULL client database entry. In such a case we have to bail out.
>>>> The patches look correct code-flow-wise to me.
>>>> So tentative ack pending testing.
>>> Just checking - are we ok performance-wise? If we for example add one
>>> additional LDAP search for every Kerberos authentication, it may increase
>>> load on our LDAP server.
>> One additional LDAP query per S4U2Proxy ticket issuing. It is not much
>> and it has to be done because the current code does it wrongly for MS-PAC.
>> It is worth noting that issuing tickets should be a relatively rare
>> operation -- with sessions in the IPA server we don't hit HTTP/->ldap/
>> service ticket granting in the S4U2Proxy case more than once.
>> The 'ipa trust-add' case is a bit more specific, but you rarely establish
>> trusts every second of the day, do you?
>> For normal operations it wouldn't affect anything beyond the statistical
>> noise level.
> If this only hits web management of FreeIPA (i.e. S4U2 proxy scenario) and the
> usual SSSD operations, then I have no concerns here.
> Freeipa-devel mailing list
After some thorough testing, ACK!
With this patch, not only do we solve the referenced IPA ticket, but
adding a trust no longer requires retries in CI (and works on the first
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org