On Thu, Jun 09, 2016 at 11:27:54AM +0200, Lukas Slebodnik wrote:
> On (08/06/16 11:41), Jakub Hrozek wrote:
> >On Fri, Apr 22, 2016 at 04:29:36PM +0200, Sumit Bose wrote:
> >> On Fri, Apr 22, 2016 at 03:20:56PM +0200, Jakub Hrozek wrote:
> >> > On Wed, Apr 13, 2016 at 03:45:22PM +0200, Sumit Bose wrote:
> >> > > Hi,
> >> > >
> >> > > this is a bit of a follow-up patch to "subdomains: inherit
> >> > > ldap_krb5_keytab". It turned out that if the default keytab contains
> >> > > some completely unrelated keys the SASL initialization might e.g. pick a
> >> > > wrong realm name because the alternative keytab was only added later
> >> > > during the initialization.
> >> > >
> >> > > bye,
> >> > > Sumit
> >> > >
> >> >
> >> > How do I test this patch? I tried to set:
> >> >     krb5_keytab = /tmp/another.keytab
> >> > which was just a copy of the ordinary host keytab, but then lookups of
> >> > users from trusted domains stopped working..
> >>
> >> did you set 'subdomain_inherit = ldap_krb5_keytab' as well?
> >
> >No I didn't and that helped. With keytab moved to /tmp and
> >subdomain_inherit = ldap_krb5_keytab I was able to verify that lookups
> >for both main and child domain work. Before, the child domain lookups
> >errored out with "no ID ctx for domain..."
> >
> >ACK
> master:
> * cc4caf88344210ea9777d618f0f71935ca5e7f8b
>
> Do we want this patch also in 1.13 ?

I think this would be useful because without it our typical recommendation
when SSSD should connect to 2 different AD forests to use two different
keytabs might fail.

bye,
Sumit

>
> LS
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org