On Mon, May 13, 2013 at 04:40:44PM +0200, Jakub Hrozek wrote:
On Mon, May 13, 2013 at 04:00:55PM +0200, Sumit Bose wrote:
> Hi,
>
> this patch should fix https://fedorahosted.org/sssd/ticket/1921 . If
> enterprise principals are used the principal returned during the kinit
> process will most certainly look different than the one we guess or read
> from LDAP attributes. This means we should always update our cache with
> the new value so that e.g. we can properly parse the credential cache.
>
> Initially I have seen validation failures, but currently I cannot
> reproduce them anymore.
>
> bye,
> Sumit
This works for me, but do you remember what was the reason to keep the
principal check around at all?
A member of the Security QE team confirmed that his logins were fixed as
well using this patch.
Also another thing that we mentioned last week on the SSSD meeting was
that even with principal canonicalization the principal might change,
wouldn't that be another similar case?
Let's figure out removal of the code in due time and using a follow up
patch.
In the meantime, ack.