On 7.7.2016 13:52, Sumit Bose wrote:
> On Thu, Jul 07, 2016 at 01:31:03PM +0200, Petr Vobornik wrote:
>> On 07/06/2016 07:01 PM, Sumit Bose wrote:
>>> Hi,
>>> although enterprise principals for trusted domains now are working as
>>> expected they do not work for the local domain:
>>>     # kinit -E admin@IPA.DEVEL
>>>     kinit: Client 'admin\@IPA.DEVEL@IPA.DEVEL' not found in Kerberos 
>>> database while getting initial credentials
>>> Attached patch handles this case. It is not that nice because of the
>>> duplication of ipadb_fetch_principals() and ipadb_find_principal(). But
>>> I think there was a reason I do not remember why we didn't check for
>>> enterprise principals before checking the local database. If there is no
>>> such reason it might make sense to check for enterprise principals
>>> before doing the lookup. Please let me know if I should change the patch
>>> accordingly or if the current version is ok,

I can't see the reason why we should not allow enterprise principals ...

Personally I like rule of thumb 'design is not documented -> change it as you
see fit & document it this time'.

Petr^2 Spacek

>>> bye,
>>> Sumit
>> Hi Sumit,
>> thanks for the patch. This patch should have a ticket. It will help
>> downstream planning.
> sure, I created https://fedorahosted.org/freeipa/ticket/6036. Please
> clone it to suitable downstream tickets.
> Please note that we didn't released a patch for SSSD to enable enterprise
> principals automatically if the IPA server (should) support them because
> of this issues. Since 4.4.0 is already released I think we have to wait
> on the SSSD side until a new FreeIPA version with a fix is released.

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to