On 11/12/2009 06:46 AM, Sumit Bose wrote:
> Hi,
>
> this patch adds the possibility to validate the credentials obtained from
> a Kerberos server with a local keytab. The boolean option krb5_validate
> switches the validation on and off. It is disabled by default in the
> kerberos provider and enabled by default in the IPA provider.
>
> Typically root privileges are needed to read a keytab. As a consequence,
> if validation is enabled the privileges cannot be dropped before starting
> krb5_child, but only after reading the keytab.
>
> bye,
> Sumit
>
> _______________________________________________
> sssd-devel mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/sssd-devel
Nack.

In the sssd-ipa manpage, I think we should change the "please note" to "Please note that this default differs from the traditional kerberos provider backend." I think that referring to the "underlying Kerberos provider" makes it unclear.

In create_send_buffer(), you assign buf->size based on sizeof(int), but you're using uint32_t for the actual data. This is a waste of memory on 64-bit integer systems, and a serious error on a 16-bit integer system. (Not that we ever expect to support such a system.) If you're copying in a 32-bit number, please guarantee that the space is allocated for a 32-bit number.

Please add a comment in fork_child() stating why the value of KRB5_VALIDATE dictates whether to assume the user's identity.

I think this is a serious error: you're only validating against the first entry in the keytab. It's possible for a keytab to have many different principals, as well as multiple enctypes for the same principal. We need to iterate through all keytab entries and test first for the principal we need to validate against, and not fail until all enctypes for the sought-after principal have been tried.

get_and_save_tgt(): Again, a comment would be nice around become_user() noting that it was being done here after being deferred from earlier so that we can validate the TGT.

General question: if we're moving where become_user() is called, will this affect our SELinux policy?

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
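The keytab iteration point raised in the review, as an added illustration that is not SSSD's code: a minimal parser for the MIT keytab file format (version 0x0502) that lists every live entry, so a validator can try each enctype and kvno stored for the sought principal instead of only the first entry in the file. The keytab bytes and principal names below are constructed for this example.

```python
import struct

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, enctype, kvno) for every live entry of an MIT 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                    # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, off)
        enctype, keylen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + keylen              # skip fixed header and key block (key not retained)
        if end - off >= 4:              # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(("/".join(comps) + "@" + realm.decode(), enctype, kvno))
        off = end
    return entries

def candidates(entries, principal):
    """Every (enctype, kvno) pair the keytab holds for the principal to validate against."""
    return [(e, k) for p, e, k in entries if p == principal]

def keytab_entry(principal, enctype, key, kvno):
    name, realm = principal.split("@")
    body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
    for c in name.split("/"):
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: the first entry is a different service principal,
# and the host principal appears twice with different enctypes (18 = aes256, 17 = aes128).
SAMPLE_KEYTAB = (b"\x05\x02"
    + keytab_entry("nfs/a.example.com@EXAMPLE.COM", 18, b"\x00" * 32, 2)
    + keytab_entry("host/a.example.com@EXAMPLE.COM", 18, b"\x11" * 32, 3)
    + keytab_entry("host/a.example.com@EXAMPLE.COM", 17, b"\x22" * 16, 3))
```

Validating only `parse_keytab(SAMPLE_KEYTAB)[0]` would test the nfs principal and fail, while `candidates(...)` for the host principal yields both enctypes to try in turn.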
