On Mon, Nov 21, 2016 at 07:46:13AM -0500, Stephen Gallagher wrote:
> On 11/21/2016 04:32 AM, Vít Ondruch wrote:
> > On 20.11.2016 at 02:11, Dennis Gilmore wrote:
> >> koji authentication will be switching to Kerberos. Koji supports multiple
> >> authentication mechanisms. Fedora infrastructure has set up a freeipa
> >> instance internally that has credential syncing to fas. We are working on
> >> ensuring that gssapi caching is supported so that you can have multiple
> >> TGTs and the ability to work in multiple realms at once.
>
> See my other email. I think the issue is that we are missing a krb5.conf.d
> snippet to ensure that the FEDORAPROJECT.ORG TGT is used regardless of
> whichever ticket happens to be the current default.
>
> > BTW it would be nice, if it works with SSSD somehow and I don't need to
> > use kinit at all.
>
> That is being worked on. I've asked Jakub Hrozek to come talk about the
> upcoming SSSD KCM work (targeted for F26).

If you acquire the ticket through SSSD (so, log in through PAM with your Fedora password with SSSD configured with auth_provider=krb5) then SSSD should already be able to renew tickets for you. I haven't tested this myself yet, though, but I will.

We're also working on a daemon to manage ccaches as described here:
http://k5wiki.kerberos.org/wiki/Projects/KCM_client
This would allow even ccaches acquired through kinit to be renewed and hopefully solve some challenges we've seen with KEYRING ccache.

I've posted a design page for review to sssd-devel; I'll post a link here, too, as soon as the design is reviewed by other SSSD developers.