| Summary: | [RFE] Add option to select validate and FAST keytab principal name | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jenny Severance <jgalipea> |
| Component: | sssd | Assignee: | Stephen Gallagher <sgallagh> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.2 | CC: | dpal, grajaiya, jgalipea, kbanerje, prc, sgallagh |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.8.0-2.el6.beta2 | Doc Type: | Enhancement |
| Doc Text: |
No documentation required
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 11:49:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
*** Bug 785876 has been marked as a duplicate of this bug. *** Verified in version 1.8.0-25 Tested following scenarios: 1. krb5_fast_principal = <valid principal> & krb5_realm = EXAMPLE.COM Result: krb5 auth succeeds and krb5_child.log shows "Principal matched to the sample (<valid principal>@EXAMPLE.COM)" 2. krb5_fast_principal = <invalid principal> & krb5_realm = EXAMPLE.COM Result: krb5 auth fails and krb5_child.log shows "No principal matching (<invalid principal>@EXAMPLE.COM)" 3. krb5_fast_principal = principal & krb5_realm = EXAMPLE.COM Result: krb5_child.log shows "Trying to find principal principal in keytab"
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
No documentation required
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html |
Description of problem: We should default to using a keytab entry with the domain's Kerberos realm, but it should be possible to configure it to use a specific principal (possibly of another, trusted realm) for validation and setup of a FAST tunnel. Assuming these are the options that were added ... krb5_use_fast (string) Enables flexible authentication secure tunneling (FAST) for Kerberos pre-authentication. The following options are supported: never use FAST, this is equivalent to not set this option at all. try to use FAST, if the server does not support fast continue without. demand to use FAST, fail if the server does not require fast. Default: not set, i.e. FAST is not used. Please note that a keytab is required to use fast. Please note also that sssd supports fast only with MIT Kerberos version 1.8 and above. If sssd used with an older version using this option is a configuration error. krb5_fast_principal (string) Specifies the server principal to use for FAST. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: Upstream ticket :: https://fedorahosted.org/sssd/ticket/700