On 11/21/2011 02:12 PM, Stephen Gallagher wrote:
The problem with having this updated on-the-fly is that it implies (by
necessity) that client applications have to have privilege to change
this at whim. That means that this information cannot be used as
authoritative (since the client could very possibly be lying about
this). I think it's probably better to rely on setting it at join time
with 'net ads' and then only allow it to be changed by an administrator
later.
I do not understand. Not all applications have access, only those which have
access to the system Kerberos database (krb5.keytab).
Typically, only root (like sssd) applications have such access and I cannot imagine
why sssd would lie about this...
Can you clarify?
Ondrej