On 11/13/2009 09:29 AM, Sumit Bose wrote:
> On Thu, Nov 12, 2009 at 01:46:39PM -0500, Stephen Gallagher wrote:
>> On 11/12/2009 06:46 AM, Sumit Bose wrote:
>>> Hi,
>>>
>>> this patch adds the possibility to validate the credentials obtained from
>>> a Kerberos server with a local keytab. The boolean option krb5_validate
>>> switches the validation on and off. It is disabled by default in the
>>> Kerberos provider and enabled by default in the IPA provider.
>>>
>>> Typically root privileges are needed to read a keytab. As a consequence,
>>> if validation is enabled the privileges cannot be dropped before starting
>>> krb5_child, but only after reading the keytab.
>>>
>>> bye,
>>> Sumit
>>>
>>> _______________________________________________
>>> sssd-devel mailing list
>>> [email protected]
>>> https://fedorahosted.org/mailman/listinfo/sssd-devel
>>
>> Nack.
>>
>> In the sssd-ipa manpage, I think we should change the "please note" to
>> "Please note that this default differs from the traditional kerberos
>> provider backend."
>>
>> I think that referring to the "underlying Kerberos provider" makes it
>> unclear.
>
> done
>
>> In create_send_buffer(), you assign buf->size based on sizeof(int), but
>> you're using uint32_t for the actual data. This is a waste of memory on
>> 64-bit integer systems, and a serious error on a 16-bit integer system.
>> (Not that we ever expect to support such a system.) If you're copying in
>> a 32-bit number, please guarantee that the space is allocated for a
>> 32-bit number.
>
> done
>
>> Please add a comment in fork_child() stating why the value of
>> KRB5_VALIDATE dictates whether to assume the user's identity.
>
> done
>
>> I think this is a serious error: you're only validating against the
>> first entry in the keytab. It's possible for a keytab to have many
>> different principals, as well as multiple enctypes for the same
>> principal. We need to iterate through all keytab entries and test first
>> for the principal we need to validate against and not fail until all
>> enctypes for the sought-after principal have been tried.
>
> ok, I look for the first key with a matching realm or try the last one
> in the keytab file.
>
>> get_and_save_tgt(): Again a comment would be nice around become_user()
>> noting that it was being done here after being deferred from earlier so
>> that we can validate the TGT.
>
> done
>
>> General question: if we're moving where become_user() is called, will
>> this affect our SELinux policy?
>
> I think it will not affect the policy, because the krb5_child inherits
> the SELinux labels from the parent, but I will check with Dan.
>
> bye,
> Sumit

Nack. If you're adding new options to the SSSDConfig API, please run the
SSSDConfigTest.py in-tree. You need to update its expected results here
because you've set an explicit default.

-- 
Stephen Gallagher
RHCE 804006346421761
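The keytab iteration Stephen asks for above (walk every entry, then try every enctype of the sought principal rather than failing on the first entry) and the realm-based fallback Sumit describes, shown as an added Python example. This is not code from the thread or from SSSD's krb5_child: it parses the MIT 0x0502 keytab format directly instead of calling libkrb5, the "newest kvno first" ordering is this example's own choice, and the principals, realm names, keys and kvnos in the constructed sample keytab are made up.

```python
"""Enumerate every entry of a Kerberos keytab (MIT format 0x0502) and pick
the keys to try when validating a TGT: all kvnos and enctypes of the sought
principal, instead of only the first entry in the file.

Added example for this page, not SSSD code; no libkrb5 call is made. The
sample keytab is constructed in memory with made-up principals and keys."""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # name components joined with "/", e.g. "host/client.example.com"
    realm: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a uint16 length-prefixed octet string starting at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse every live entry; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 (big-endian) is handled here")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:           # empty slot: treat as end of file
            break
        if size < 0:            # negative size marks a deleted slot of that length
            off -= size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key, off = data[off:off + klen], off + klen
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno; a non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps), realm.decode(), name_type,
                                   timestamp, kvno, enctype, key))
        off = end
    return entries


def candidates_for_validation(entries: List[KeytabEntry], realm: str,
                              principal: Optional[str] = None) -> List[KeytabEntry]:
    """Keys to try, newest kvno first, when validating a TGT for `realm`.

    With `principal` given, every key of that principal (all kvnos, all
    enctypes) is returned so the caller can try each in turn. Without it,
    the fallback Sumit describes in the thread is used: the principal of the
    first entry in the sought realm, else the last entry in the file."""
    if principal is None:
        in_realm = [e for e in entries if e.realm == realm]
        if not in_realm:
            return entries[-1:]
        principal = in_realm[0].principal
    matches = [e for e in entries if e.realm == realm and e.principal == principal]
    return sorted(matches, key=lambda e: (-e.kvno, -e.enctype))


def _entry(realm: str, comps: List[str], kvno: int, enctype: int, key: bytes,
           timestamp: int = 1258000000, name_type: int = 1) -> bytes:
    """Serialize one 0x0502 entry; used only to construct the sample keytab."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", name_type, timestamp, kvno & 0xFF, enctype, len(key))
    body += key + struct.pack(">I", kvno)     # trailing 32-bit kvno field
    return struct.pack(">i", len(body)) + body


HOST = ["host", "client.example.com"]
SAMPLE_KEYTAB = (                    # constructed; 18 = aes256-cts, 17 = aes128-cts
    b"\x05\x02"
    + _entry("EXAMPLE.COM", ["nfs", "client.example.com"], 1, 18, b"\x11" * 32)
    + struct.pack(">i", -12) + b"\x00" * 12                       # deleted slot
    + _entry("EXAMPLE.COM", HOST, 2, 18, b"\x22" * 32, timestamp=1257000000)
    + _entry("EXAMPLE.COM", HOST, 3, 18, b"\x33" * 32)
    + _entry("EXAMPLE.COM", HOST, 3, 17, b"\x44" * 16)
    + _entry("OTHER.EXAMPLE.ORG", HOST, 1, 18, b"\x55" * 32)
)

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for e in candidates_for_validation(ents, "EXAMPLE.COM", "host/client.example.com"):
        print(f"{e.principal}@{e.realm} kvno={e.kvno} enctype={e.enctype}")
```

In the sample the first live entry is nfs/client.example.com, so code that only checks the first keytab entry would never find the host key; walking the whole file yields three host keys (two enctypes at kvno 3 and an older kvno 2) for the caller to try in turn. The actual TGT verification against each candidate key is libkrb5's job and is deliberately out of scope here.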
