[PATCHES] site-aware Kerberos authentication during domain join

Alexander Bokovoy ab at samba.org
Thu Jun 16 18:51:05 UTC 2016


On Thu, 16 Jun 2016, Jeremy Allison wrote:
> On Wed, Jun 15, 2016 at 07:27:47PM +0300, Alexander Bokovoy wrote:
> > On Wed, 15 Jun 2016, Alexander Bokovoy wrote:
> > > On Tue, 14 Jun 2016, Jeremy Allison wrote:
> > > > On Tue, Jun 14, 2016 at 10:50:28PM +0300, Alexander Bokovoy wrote:
> > > > > On Mon, 07 Mar 2016, Jeremy Allison wrote:
> > > > > > On Thu, Mar 03, 2016 at 09:44:46AM +0200, Uri Simchoni wrote:
> > > > > > > Hi,
> > > > > > > 
> > > > > > > Attached please find a fix for
> > > > > > > https://bugzilla.samba.org/show_bug.cgi?id=11769.
> > > > > > > 
> > > > > > > The bug description explains why this may be important.
> > > > > > > 
> > > > > > > The fix enables site-aware Kerberos during execution of "net ads
> > > > > > > join -k", even if winbindd is not started (so the locator cannot be
> > > > > > > used).
> > > > > > > 
> > > > > > > This works only if the user specified the domain's DNS name (which
> > > > > > > is assumed to be equal to the Kerberos realm). If the user didn't
> > > > > > > specify it (e.g. only specified flat domain name or server to use),
> > > > > > > we need to securely contact a DC to determine the domain's DNS name,
> > > > > > > so we cannot pre-configure Kerberos.
> > > > > > > 
> > > > > > > Review appreciated.
> > > > > > 
> > > > > > LGTM. Pushed ! Thanks.
> > > > > I think this is not enough. We don't use discovered site name later in
> > > > > the process as private krb5.conf will be rewritten after the call to
> > > > > libnet_join_check_config.
> > > > > 
> > > > > Attached patch makes sure we pass sitename to the new krb5.conf.
> > > > 
> > > > LGTM. Pushed.
> > > Thanks.
> > > 
> > > > Alexander can you review the two attached patchsets ? They pass
> > > > local make test (and even have regression tests :-).
> > > I'll look at them today. The patchsets look OK but as this is something
> > > I rarely worked on, I need more time.
> > Got successfully through the local autobuild. Still going through the
> > code.
> 
> Ping Alexander - if you don't get this done before you get
> on the plane, I'll bug you about it Monday morning at the
> pugfest :-).
I'll have 12+ hours of uninterrupted review time also known as 'The
Flight' ;)

See you on Monday!
-- 
/ Alexander Bokovoy
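The mechanism the thread is discussing, as an added example (not Samba code, and not taken from either patch): when the caller gives the domain's DNS name, a site-aware KDC list can be built before winbindd is running by querying the site-specific SRV name first and the domain-wide name only as a fallback, then rendering that list into the private krb5.conf. A flat NetBIOS name cannot be turned into an SRV owner name, which is the case the thread says must instead go through a secure DC contact. The resolver is injected and backed by a constructed SRV table so the code runs offline; the host names, the site name "paris", and the assumption that the realm is the DNS domain upper-cased are all illustrative.

```python
"""Site-aware KDC selection for a private krb5.conf (added example, not Samba code).

Assumptions (not from the thread): SRV owner names follow the AD convention
_kerberos._tcp.<site>._sites.<domain> and _kerberos._tcp.<domain>; the realm
equals the DNS domain upper-cased; the resolver is a constructed table.
"""
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed SRV answers standing in for DNS; none of these hosts are real.
FAKE_DNS = {
    "_kerberos._tcp.paris._sites.example.com": [
        SRV(0, 100, 88, "dc-paris2.example.com"),
        SRV(0, 100, 88, "dc-paris1.example.com"),
    ],
    "_kerberos._tcp.example.com": [
        SRV(10, 100, 88, "dc-tokyo1.example.com"),
        SRV(0, 100, 88, "dc-hq1.example.com"),
        SRV(0, 50, 88, "dc-paris1.example.com"),
    ],
}


def fake_resolve_srv(name):
    """Stand-in for a DNS SRV lookup; an unknown name behaves like NXDOMAIN."""
    return list(FAKE_DNS.get(name.lower(), []))


def srv_names(domain_dns, sitename=None):
    """SRV owner names to query, site-specific first when a site is known.

    A flat NetBIOS name has no dot and cannot form an SRV name, so refuse it:
    that is the case where the DNS name must first be learned from a DC.
    """
    if "." not in domain_dns:
        raise ValueError("need the domain DNS name, not a flat name: %r" % domain_dns)
    names = []
    if sitename:
        names.append("_kerberos._tcp.%s._sites.%s" % (sitename, domain_dns))
    names.append("_kerberos._tcp.%s" % domain_dns)
    return names


def select_kdcs(domain_dns, sitename=None, resolve=fake_resolve_srv):
    """Return 'host:port' KDCs, preferring site-local ones over the domain-wide set.

    Records are ordered by SRV priority (lower first) and then weight (higher
    first); duplicates are dropped so a DC listed twice appears once.
    """
    for name in srv_names(domain_dns, sitename):
        records = resolve(name)
        if not records:
            continue  # fall through to the next, less specific name
        ordered = sorted(records, key=lambda r: (r.priority, -r.weight, r.target))
        seen, kdcs = set(), []
        for r in ordered:
            hostport = "%s:%d" % (r.target.rstrip("."), r.port)
            if hostport not in seen:
                seen.add(hostport)
                kdcs.append(hostport)
        return kdcs
    return []


def render_krb5_conf(domain_dns, sitename=None, resolve=fake_resolve_srv):
    """Render an illustrative private krb5.conf carrying the site-selected KDCs.

    The sitename is passed all the way into this rendering step, which is the
    point of the second patch in the thread: a later rewrite of the file must
    not silently fall back to a site-unaware KDC list.
    """
    realm = domain_dns.upper()  # assumption: realm == DNS domain upper-cased
    kdcs = select_kdcs(domain_dns, sitename, resolve)
    lines = [
        "[libdefaults]",
        "\tdefault_realm = %s" % realm,
        "",
        "[realms]",
        "\t%s = {" % realm,
    ]
    lines += ["\t\tkdc = %s" % k for k in kdcs]
    lines += ["\t}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_krb5_conf("example.com", sitename="paris"))
```

With the site known, only the two Paris DCs end up as `kdc =` entries; with an unknown or absent site the domain-wide list is used instead, ordered by priority and weight. Calling `srv_names("EXAMPLE")` raises, which is the right behaviour for a flat name rather than guessing a DNS suffix.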
