On Wed, Nov 02, 2011 at 02:42:21PM +0100, Jan Zelený wrote:
> > On Tue, Nov 01, 2011 at 05:11:28PM +0100, Jan Zelený wrote:
> > > > On Tue, 2011-11-01 at 16:03 +0100, Jakub Hrozek wrote:
> > > > > On Tue, Nov 01, 2011 at 03:44:04PM +0100, Jan Zelený wrote:
> > > > > > > On Thu, Oct 20, 2011 at 10:48:08AM +0200, Jan Zelený wrote:
> > > > > > > > https://fedorahosted.org/sssd/ticket/957
> > > > > > > >
> > > > > > > > Jan
> > > > > > >
> > > > > > > Nack:
> > > > > > >
> > > > > > > Please fix the unittests.
> > > > > > >
> > > > > > > The new option needs to be added to the sss-krb5 man page.
> > > > > > >
> > > > > > > I think it would make sense to rebase this patch on top of
> > > > > > > "[PATCH] Add krb5_fast_principal to SSSDConfig API".
> > > > > > >
> > > > > > > If you're staying with the env variable and not doing the command
> > > > > > > line options as Sumit suggested, then it's easier and less error
> > > > > > > prone to just check if the env variable is set to anything:
> > > > > > >
> > > > > > >     tmp_str = getenv(SSSD_KRB5_CANONICALIZE);
> > > > > > >     if (tmp_str) {
> > > > > > >         set_canonicalize();
> > > > > > >     }
> > > > > > >
> > > > > > > Maybe it would be nicer to wrap the above in a function to avoid
> > > > > > > duplication.
> > > > > > >
> > > > > > > Does it make sense to pass the option to the LDAP child as well?
> > > > > > >
> > > > > > > I'm not sure if we still plan to support old Kerberos libraries,
> > > > > > > such as RHEL5 with SSSD 1.7.0+ but if we do, you also need to
> > > > > > > create a wrapper around
> > > > > > > krb5_get_init_creds_opt_set_canonicalize(). See
> > > > > > > sss_krb5_get_init_creds_opt_set_expire_callback() for an
> > > > > > > example.
> > > > > >
> > > > > > I'm sending corrected set of patches. Some errors were fixed in the
> > > > > > first one and the second one covers support of canonicalization in
> > > > > > LDAP/IPA provider for connections created in ldap_child.
> > > > > >
> > > > > > Jan
> > > > >
> > > > > As discussed on IRC, please also detect if
> > > > > krb5_get_init_creds_opt_set_canonicalize() is available during
> > > > > configure and create a wrapper that just returns EOK if not
> > > > > available.
> > > >
> > > > Please also note in the manpages that this feature is only supported on
> > > > Kerberos 1.? and later (I don't know offhand when it was introduced,
> > > > probably 1.7).
> > >
> > > All done, patches attached.
> > >
> > > Jan
> >
> > Ack to patch #1.
> >
> > Patch #2 needs to canonicalize in other cases than FAST as well.
>
> Thanks for catching that, I somehow missed the FAST condition there.
>
> > Patch #3 needs to change dp_opt_get_string() for dp_opt_get_bool()
> > otherwise the option is not read.
>
> Fixed
>
> New set of patches attached.
>
> Thanks
> Jan

Ack to all three.
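
The two review suggestions quoted in this thread (treat the environment variable as enabled when it is set to anything, and wrap krb5_get_init_creds_opt_set_canonicalize() so the call degrades to returning EOK where the library lacks it), shown as an added C sketch that is not part of the thread or of the SSSD patches. The example_* helper names, the variable's string value, the EOK definition and the HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE configure macro are assumptions.

```c
/* Added example, not SSSD code. Helper names, the variable's string value
 * and the HAVE_... configure macro are assumptions for illustration. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv(), unsetenv() */
#endif
#include <stdlib.h>

#define EOK 0                                            /* assumed value */
#define SSSD_KRB5_CANONICALIZE "SSSD_KRB5_CANONICALIZE"  /* assumed value */

#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE
#include <krb5.h>
#else
/* Stand-in type so the sketch builds without libkrb5 headers. */
typedef struct example_gic_opt krb5_get_init_creds_opt;
#endif

/* Parent side: a boolean option becomes presence or absence of the
 * variable, so the child never has to parse a value. */
int example_export_canonicalize(int enabled)
{
    if (enabled) {
        return setenv(SSSD_KRB5_CANONICALIZE, "true", 1);
    }
    return unsetenv(SSSD_KRB5_CANONICALIZE);
}

/* Child side: "set to anything" means enabled. Note that an empty value
 * or the string "false" therefore also enables canonicalization. */
int example_canonicalize_requested(void)
{
    return getenv(SSSD_KRB5_CANONICALIZE) != NULL;
}

/* Wrapper: call the library function when configure found it, otherwise
 * do nothing and report success so callers need no #ifdef of their own. */
int example_set_canonicalize(krb5_get_init_creds_opt *opt, int canonicalize)
{
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE
    krb5_get_init_creds_opt_set_canonicalize(opt, canonicalize);
#else
    (void)opt;
    (void)canonicalize;
#endif
    return EOK;
}
```

Because the child only tests for presence, the side that exports the option has to unset the variable to disable it; writing a "false" value would still turn canonicalization on.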