On Fri, May 27, 2016 at 11:24:24AM +0300, Alexander Bokovoy wrote:
> On Fri, 27 May 2016, Sumit Bose wrote:
> > On Fri, May 27, 2016 at 09:57:37AM +0200, Lenka Doudova wrote:
> > > Hi all,
> > > 
> > > 
> > > here [1] is a draft of the test plan for V4 RFE Support of UPN for trusted
> > > domains.
> > > 
> > > Please review this and let me know if there's something missing or wrong.
> > 
> > Hi Lenka,
> > 
> > thank you for the test plan.
> > 
> > About the TBD, Alexander and I agreed to store the alternative domain
> > suffixes read from AD in a new attribute in the LDAP object of the
> > forest root of the trusted domain.
> > 
> > About the kinit tests. Please note that it is expected that the -E
> > option of kinit must be used when alternative suffixes are used.
> > 
> > I'm not sure if SSSD tests are in the scope here as well. If they are I
> > would suggest to add authentication tests with SSSD where e.g. the name
> > with an alternative domain suffix is used as login name. This in general
> > already works with SSSD but is disabled by default for IPA because of
> > the missing server-side support so far. Since SSSD must be able to work
> > with old and new IPA servers https://fedorahosted.org/sssd/ticket/3018
> > was created so that SSSD can detect at runtime if the server supports
> > this or not.
> Right, I think we should make sure SSSD is tested against IPA UPN
> support because otherwise we might get regressions.

Hi Lenka,

I would like to ask you to add a test where 'kinit -E' is used with an IPA
user as well to avoid regression, because currently 'kinit -E
ipauser@IPA.DOMAIN' does not work.

Please note that the full principal must be used with kinit in this case
because when just using

    kinit -E ipauser

kinit is smart enough to see that it makes no sense to add the
default_realm twice and internally just does 'kinit ipauser@IPA.DOMAIN'.

If you think this test is better suited in a different test plan please
let me know, then I'll ask there.


> -- 
> / Alexander Bokovoy
