Often with AD a Kerberos host keytab is needed to bind with SASL/GSSAPI for LDAP operations. On many sites security policies do not allow never-expiring passwords, so the keytab needs to be renewed eventually, currently requiring manual steps to obtain a new keytab.
SSSD should support automated renewal of Kerberos host keytabs as Samba/Winbind does.
I suggest putting this into deferred or closing it, since it is being planned as an independent project. This project should be completed within a year.
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.9.0
blockedby: =>
blocking: =>
milestone: SSSD 1.9.0 => SSSD Kerberos improvements
rhbz: => 0
feature_milestone: =>
proposed_priority: => Core
rhbz: 0 => todo
summary: RFE: Support Automatic Renewing of Kerberos Host Keytabs => [RFE] Support Automatic Renewing of Kerberos Host Keytabs
Moving all the features planned for 1.10 release into 1.10 beta.
milestone: SSSD Kerberos Improvements Feature => SSSD 1.10 beta
priority: major => critical
Couple notes though based on the discussion we had about Ondrej's project:
1. The code of the project should be integrated into the SSSD code base.
2. Instead of threads it should follow the same tevent style as everything else.
3. It should work against MIT KDC, IPA or AD. To do that it should use the Kerberos protocol rather than an LDAP extended operation.
Please add if I missed something.
Also See https://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx?Redirected=true for more details.
cc: => okos
Additional comments based on my notes:
One other use case came up on the list: https://www.redhat.com/archives/freeipa-devel/2012-September/msg00279.html
It should be possible to point SSSD to a keytab that is for the service and not for the host. SSSD should be able to rotate it even if it is not configured for other uses. Effectively this means that this functionality should be treated as a separately installable RPM.
Also when the keytab is rotated we should probably restart GSS proxy if it is configured and running.
owner: somebody => okos
status: new => assigned
design: =>
design_review: => 0
fedora_test_page: =>
selected: => May
priority: critical => major
Also needs to keep the previous keytabs
review: => 1
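One way to honour the "keep the previous keytabs" point above, as an added example that is not SSSD's own code: it reads and writes the MIT keytab file format (version 0x0502, as documented by MIT Kerberos) and merges a freshly obtained host keytab with the existing one, retaining the most recent earlier kvno entries so tickets already issued under the old key still decrypt after rotation. The principal names, kvnos and key bytes are constructed, and the function names are this example's own.

```python
import struct
# Added example, not SSSD code. MIT keytab v2 layout (big-endian):
#   int32 entry_len; uint16 ncomp; counted realm; ncomp counted components;
#   uint32 name_type; uint32 timestamp; uint8 vno8; uint16 enctype;
#   uint16 keylen; key; optional uint32 vno32 (used when present)
KEYTAB_MAGIC = b"\x05\x02"
def _counted(b):
    return struct.pack(">H", len(b)) + b

def encode_keytab(entries):
    """entries: list of (principal, kvno, enctype, key_bytes, timestamp)."""
    out = KEYTAB_MAGIC
    for princ, kvno, etype, key, ts in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # name_type 1 = NT_PRINCIPAL
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only keytab version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]; pos += 4
        if size < 0: pos -= size; continue   # negative size = deleted slot (hole)
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        parts = []                            # realm first, then name components
        for _ in range(ncomp + 1):
            ln = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        _nt, ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype, key, ts))
        pos = end
    return entries

def rotate_keytab(old, new, keep=2):
    """Merge old and new keytabs, keeping the `keep` highest kvnos per principal/enctype."""
    by_key = {}
    for e in parse_keytab(old) + parse_keytab(new):
        by_key.setdefault((e[0], e[2]), {})[e[1]] = e
    kept = [v[k] for v in by_key.values() for k in sorted(v, reverse=True)[:keep]]
    return encode_keytab(kept)
```

Write the merged bytes to a temporary file and rename it over the old keytab so a reader never sees a half-written file; `keep` bounds how many stale key versions linger on disk.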
milestone: SSSD 1.10 beta => SSSD 1.11 beta
owner: okos => somebody status: assigned => new
changelog: =>
milestone: SSSD 1.12 beta => Interim Bucket
milestone: Interim Bucket => SSSD 1.12 beta
milestone: SSSD 1.12 beta => SSSD 1.13 beta
mark: => 0
Still makes sense, but still out of scope.
milestone: SSSD 1.13 beta => SSSD 1.13 backlog
In ticket #2220, Sumit proposed using msktutil for that:
msktutil https://code.google.com/p/msktutil/ is a tool for managing keytabs and computer accounts from AD. We might want to integrate it for keytab renewals like we use nsupdate for dynamic DNS updates.
Mass-moving tickets not planned for the 1.13 release to 1.14
milestone: SSSD 1.13 backlog => SSSD 1.14 beta
Looks like development is currently happening on sourceforge http://sourceforge.net/projects/msktutil/ .
I created a copr repo with a recent version of msktutil at https://copr.fedoraproject.org/coprs/sbose/msktutil/ .
sensitive: => 0
cc: okos =>
milestone: SSSD 1.14 beta => SSSD 1.13.4
owner: somebody => sbose
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1290761
rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=1290761 1290761]
patch: 0 => 1
resolution: => fixed
status: new => closed
Metadata Update from @myllynen:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/2083
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.