URL: https://github.com/SSSD/sssd/pull/438 Title: #438: krb5_child: Distinguish between expired & disabled AD user
sumit-bose commented: """ The patch works as expected for me. The backend returns PAM_PERM_DENIED or PAM_ACCT_EXPIRED depending on whether the account is disabled or expired. Since there is the workaround with a shell wrapper, I agree that it is currently not needed to add an option to switch between the two modes. But I wonder if we might want to enable it for IPA? There is no need to enable it globally for IPA. In create_send_buffer() there is already some special handling for K5C_IPA_CLIENT and K5C_IPA_SERVER. Additionally, kr->upn_from_different_realm can be used to check if the principal is from a different realm. What do you think? Btw, a small rebase is needed as well. """ See the full comment at https://github.com/SSSD/sssd/pull/438#issuecomment-360128968
