On Mon, 13 Oct 2014 14:15:10 +0200
Sumit Bose <sb...@redhat.com> wrote:

> What about using a new authorization data type for the key? Then only
> the KDCs on the IPA servers need access to the key. The authorization
> data can be added to the service ticket of the host the user logs
> into. Since SSSD does ticket validation by default this service
> ticket would be available for password based logins as well.

The KDC has no way to know which host the user is logging on to, so
it would end up sending this data to any host the user logs into
(think SSH).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel