Hello! I'm in the middle of implementing a feature for krb5_child to include client addresses (IP and NetBIOS) in initial Kerberos tickets and have some questions.

1) In sssd there is already a sss_iface_addr_list_get function to get IPv4 and IPv6 network addresses, but it is in be_dyndns.c, so using it from the krb5 provider seems wrong. Do you prefer separate implementations for different use cases (because it might change in future) or deduplicating functionality as much as possible?

2) Is it safe to rely on the value of ad_hostname? Do I need to use gethostname, or, because ad_hostname has a default value from the same function, can I just use it and not have a duplicate failsafe?

3) How frequently are proxy tickets used and is there a way to test them?

4) I've noticed strange behavior when changing a password. Addresses are included correctly until the kpasswd request is done. After that request, get_and_save_tgt is called to obtain a new ticket for the user, as per usual login. But this time addresses are not included. If I force the addresses to be included again, before get_and_save_tgt in changepw_child, then they are included. Normal login works fine and it uses the same get_and_save_tgt function. Could krb5_free_cred_contents somehow clean up more than needed? IIRC the flag KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST is set, but the list becomes empty at this stage. Also, some of the TGT requests will include addresses though it is not needed, and I cannot trace why they would do that.

--
Ivan Korytov koryto...@basealt.ru