On (09/06/16 11:44), Sumit Bose wrote:
>On Thu, Jun 09, 2016 at 11:27:54AM +0200, Lukas Slebodnik wrote:
>> On (08/06/16 11:41), Jakub Hrozek wrote:
>> >On Fri, Apr 22, 2016 at 04:29:36PM +0200, Sumit Bose wrote:
>> >> On Fri, Apr 22, 2016 at 03:20:56PM +0200, Jakub Hrozek wrote:
>> >> > On Wed, Apr 13, 2016 at 03:45:22PM +0200, Sumit Bose wrote:
>> >> > > Hi,
>> >> > >
>> >> > > this is a bit of a follow-up patch to "subdomains: inherit
>> >> > > ldap_krb5_keytab". It turned out that if the default keytab contains
>> >> > > some completely unrelated keys the SASL initialization might e.g.
>> >> > > pick a wrong realm name because the alternative keytab was only
>> >> > > added later during the initialization.
>> >> > >
>> >> > > bye,
>> >> > > Sumit
>> >> > >
>> >> >
>> >> > How do I test this patch? I tried to set:
>> >> >     krb5_keytab = /tmp/another.keytab
>> >> > which was just a copy of the ordinary host keytab, but then lookups of
>> >> > users from trusted domains stopped working..
>> >>
>> >> did you set 'subdomain_inherit = ldap_krb5_keytab' as well?
>> >
>> >No I didn't and that helped. With keytab moved to /tmp and
>> >subdomain_inherit = ldap_krb5_keytab I was able to verify that lookups
>> >for both main and child domain work. Before, the child domain lookups
>> >errored out with "no ID ctx for domain..."
>> >
>> >ACK
>> master:
>> * cc4caf88344210ea9777d618f0f71935ca5e7f8b
>>
>> Do we want this patch also in 1.13 ?
>
>I think this would be useful because without it our typical
>recommendation when SSSD should connect to 2 different AD forests to use
>two different keytabs might fail.
>
OK

sssd-1-13:
* c5eabcd8f2500cb563ec0381782ef695e4a1ab7c

LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org