On 02/26/2014 02:17 PM, Tomas Babej wrote:


On 02/26/2014 02:16 PM, Tomas Babej wrote:
On 02/26/2014 12:39 PM, Martin Kosek wrote:
On 02/26/2014 09:33 AM, Alexander Bokovoy wrote:
On Wed, 26 Feb 2014, Martin Kosek wrote:
On 02/25/2014 07:59 PM, Simo Sorce wrote:
On Tue, 2014-02-25 at 20:58 +0200, Alexander Bokovoy wrote:
Resending patch 0138 together with another case Simo found out today:
when authdata flag is cleared by admin for the service principal, we'll
get NULL client database entry. In such case we have to bail out.
The patches look correct code-flow-wise to me.

So tentative ack pending testing.

Simo.

Just checking - are we ok performance wise? If we for example add one
additional LDAP search for every Kerberos authentication, it may increase the
load on our LDAP server.
One additional LDAP query per S4U2Proxy ticket issuing. It is not much
and it has to be done because current code does it wrongly for MS-PAC.

It is worth noting that issuing tickets should be a relatively rare
operation -- with sessions in IPA server we don't hit HTTP/->ldap/
service ticket granting in S4U2Proxy case more than once.
The 'ipa trust-add' case is a bit more specific, but you rarely establish
trusts every second of the day, do you?

For normal operations it wouldn't affect anything beyond statistical
noise level.

If this only hits web management of FreeIPA (i.e. S4U2 proxy scenario) and the
usual SSSD operations, then I have no concerns here.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
After some thorough testing, ACK!

With this patch, not only do we solve the referenced IPA ticket, but
adding a trust no longer requires retries in CI (and works on the first
attempt).

And by patch, I mean both 138 and 141, of course.


Pushed to:
master: f7955abdda854e58c60b74039bbd155f2dc66e75
ipa-3-3: c771ba23a88ef6869499f53d172f2282be19dd4d

--
Petr³
