On Mon, Mar 10, 2025 at 05:44:07PM +0300, Ivan Korytov via sssd-devel wrote:
> Hello!
> 
> I'm in the middle of implementing a feature for krb5_child to include
> client addresses (IP and NetBIOS) in initial Kerberos tickets and have
> some questions.

Hi,

thanks for your interest in SSSD. Why do you need to add some NetBIOS
information?

> 
> 1) In sssd there is already a sss_iface_addr_list_get function to get
> IPv4 and IPv6 network addresses but it is in be_dyndns.c, so using it
> from krb5 provider seems wrong. Do you prefer separate implementations
> for different use cases (because it might change in future) or
> deduplicating functionality as much as possible?

It depends on how useful `struct sss_iface_addr` is for you. If you can
use it to create the needed data for
`krb5_get_init_creds_opt_set_address_list()` then it would be ideal if
you can move `sss_iface_addr_list_get()` to some more general place
(maybe src/util/) and use this in both places.

But if you need lots of extra processing then it might be easier to call
`getifaddrs()` from krb5_child and do the processing directly.

> 
> 2) Is it safe to rely on value of ad_hostname? Do I need to use
> gethostname or because ad_hostname has a default value from the same
> function I can use just it and not have a duplicate failsafe?

Using the value of ad_hostname is recommended since the actual hostname
might differ from the name known to AD for whatever reasons.

> 
> 3) How frequently are proxy tickets used and is there a way to test
> them?

Afaik nobody asked about proxy tickets until now, so I guess they are not
often used in the context of SSSD. There are no tests for this either,
because to my knowledge SSSD should not be affected by the flag and any
further usage of the TGT is up to libkrb5.

> 
> 4) I've noticed strange behavior when changing password. Addresses are
> included correctly until kpasswd request is done. After that request
> get_and_save_tgt is called to obtain a new ticket for user as per usual
> login. But this time addresses are not included. If I force to include
> addresses again, before get_and_save_tgt in changepw_child, then they
> are included. Normal login works fine and it uses the same
> get_and_save_tgt function.

Not sure if this answers your question, but in `make_chpw_options()` in
the MIT Kerberos source code the KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST
flag is unset.

HTH

bye,
Sumit

> 
> Could krb5_free_cred_contents somehow cleanup more than needed? IIRC
> flag KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST is set, but the list becomes
> empty at this stage. 
> 
> Also, some of TGT requests will include addresses though it is not
> needed and I cannot trace why they would do that.
> 
> -- 
> Ivan Korytov
> 
> koryto...@basealt.ru
> 
> -- 
> _______________________________________________
> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

