On Fri, 2014-06-20 at 16:05 -0400, Simo Sorce wrote:
> On Fri, 2014-06-20 at 14:47 -0400, Nathaniel McCallum wrote:
> > This change would have very small impact on your patch set, but would
> > be
> > much clearer for the future consumers of this protocol. Code can be
> > changed; protocols can't.
> Ok this new patchset implements the requested change.
> Initial testing seem to indicate it all works as expected.

0001: Line 555 has very wrong indentation.

Other than that, I have looked over 0001 and 0002 very closely and built
and tested them. Everything works. So conditional (indent fix) ACK on
both of these. I don't see any reason to avoid merging these as soon as
the indent fix is completed. It should substantially reduce your
differential from master.

In the new ASN.1, "Newkeys" has the wrong capitalization. This affects
patches 0003 and 0005.

I think patch 0003 may still have a permissions problem. For instance,
this works for me with no error:

$ ipa user-find --whoami
1 user matched
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1569600000
  GID: 1569600000
  Account disabled: False
  Password: True
  Kerberos keys available: True
Number of entries returned 1

$ ipa-getkeytab -s ipa.example.com -p foo/ipa.example.com -r -k bar
Keytab successfully retrieved and stored in: bar

Is that really correct behavior or did I screw something up? I thought
we had restricted the admin user from reading keys without changing


Freeipa-devel mailing list

Reply via email to