Bug 790104 - prefer krbcanonicalname to krbprincipalname
Summary: prefer krbcanonicalname to krbprincipalname
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-02-13 16:44 UTC by Dmitri Pal
Modified: 2020-05-02 16:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-24 11:22:30 UTC
Target Upstream Version:




Links
Github SSSD sssd issues 2206 (last updated 2020-05-02 16:44:07 UTC)

Description Dmitri Pal 2012-02-13 16:44:46 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1164

In a directory-backed KDC using the MIT schema, krbprincipalname can be multi-valued.

If a client's entry does not contain a krbcanonicalname value, then an AS request specifying any of the principal names as the client should work as well as any other -- whether the AS request contains the "canonicalize" option or not doesn't matter.  TGTs obtained in this scenario are issued using the requested client name.

However, if the client's entry also contains a krbcanonicalname value (the copy of the schema that I have says that this is single-valued), an AS request specifying a client name other than the krbcanonicalname value will only succeed if the AS request includes the "canonicalize" option.  Requests which specify the krbcanonicalname value as the client will succeed whether the "canonicalize" option is set or not.  TGTs obtained in this scenario are issued using the name which is stored in the krbcanonicalname attribute.

So I think the simplest thing to do is to also check for the presence of a krbcanonicalname attribute, and if one is found, use that in preference to any krbprincipalname attribute values when deriving the client user's principal name.
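
The following is an added example, not SSSD's or the KDC's code: it models the AS-request behaviour the description above reports and the proposed lookup rule (prefer krbcanonicalname over any krbprincipalname value). The LDAP entries are constructed sample data, and the fallback to the first krbprincipalname value when no canonical name exists is an assumption of this example, not something the ticket specifies.

```python
# Added example (not SSSD code). LDAP attribute names are case-insensitive,
# so lookups below normalise the key before comparing.

def _attr(entry, name):
    """Return the value list for attribute `name` (case-insensitive), or []."""
    want = name.lower()
    for key, values in entry.items():
        if key.lower() == want:
            return list(values)
    return []


def issued_client_name(entry, requested, canonicalize=False):
    """Client name a TGT would carry for an AS request naming `requested`,
    or None if the request would fail, per the behaviour in the ticket."""
    principals = _attr(entry, "krbprincipalname")
    canonical = _attr(entry, "krbcanonicalname")
    if requested not in principals and requested not in canonical:
        return None  # the entry does not own this principal name at all
    if not canonical:
        # No krbcanonicalname: any krbprincipalname works, with or without
        # the "canonicalize" option, and the TGT uses the requested name.
        return requested
    canon = canonical[0]  # schema says krbcanonicalname is single-valued
    if requested == canon:
        return canon
    # An alias is accepted only when "canonicalize" is set, and the TGT is
    # then issued for the canonical name rather than the requested one.
    return canon if canonicalize else None


def derive_principal(entry):
    """The proposed fix: prefer krbcanonicalname when deriving the user's
    principal name; fall back to krbprincipalname (first value: assumption)."""
    canonical = _attr(entry, "krbcanonicalname")
    if canonical:
        return canonical[0]
    principals = _attr(entry, "krbprincipalname")
    return principals[0] if principals else None


# Constructed sample entries (attribute -> list of values, as LDAP returns them).
NO_CANON = {"krbPrincipalName": ["alice@EXAMPLE.COM", "alice.smith@EXAMPLE.COM"]}
WITH_CANON = {"krbPrincipalName": ["alice@EXAMPLE.COM", "alice.smith@EXAMPLE.COM"],
              "krbCanonicalName": ["alice@EXAMPLE.COM"]}

if __name__ == "__main__":
    print(issued_client_name(WITH_CANON, "alice.smith@EXAMPLE.COM"))        # None
    print(issued_client_name(WITH_CANON, "alice.smith@EXAMPLE.COM", True))  # alice@EXAMPLE.COM
    print(derive_principal(WITH_CANON), derive_principal(NO_CANON))
```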

Comment 1 RHEL Program Management 2012-07-10 08:01:56 UTC
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

Comment 2 RHEL Program Management 2012-07-11 02:03:55 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 5 Martin Kosek 2015-04-24 11:22:30 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in the following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat reconsiders the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.
