Discussion:
[SSSD] [sssd PR#5450][comment] kcm: add support for kerberos tgt renewals
justin-stephenson
2021-03-15 15:26:01 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
Ah, I missed the last patch: `KCM: Disable responder idle timeout with renewals`. So it will work correctly. But I wonder if it would be better to keep the idle timeout enabled. What we could do is to make the systemd timer send an SSSD-specific KCM op code periodically and renew the tickets per-request. This would also simplify the logic by a lot since you would not have to keep the hash table and timers.
I'm fine with this approach, but if the systemd timer file is installed conditionally at build time (if KCM renewals are built), then what interval value, i.e. how often KCM wakes up to attempt renewals, should we set in the systemd timer file? Currently the renew interval is defined with the `krb5_renew_interval` option in sssd.conf. This is an important consideration because if the renewal interval is too high then we could miss renewing tickets that have already expired; too low, and it may add unnecessary KCM load.

I suppose the other side effect is that fallback to `auth_provider=krb5` renew config options would no longer work.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-799506171
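The interval tradeoff raised in this comment (renewals missed when the timer fires too rarely, needless wakeups when it fires too often), as an added simulation that is not code from SSSD or from PR #5450: a timer fires every `interval` seconds and renews each renewable TGT that would otherwise expire before the next tick. The ticket parameters (10h lifetime, 7-day renewable life) and the three candidate intervals are constructed.

```python
"""Simulate a KCM-style TGT renewal timer with a fixed renew interval.

Added example, not SSSD code. Ticket numbers and intervals are constructed.
"""
from typing import NamedTuple, Optional


class Tgt(NamedTuple):
    name: str
    endtime: int      # absolute time (s) at which the ticket expires
    renew_till: int   # absolute time (s) after which the KDC refuses renewal
    lifetime: int     # lifetime (s) granted on each successful renewal


class Outcome(NamedTuple):
    renewals: int               # renewals the timer performed
    wakeups: int                # times the timer fired (load on KCM)
    expired_at: Optional[int]   # first tick at which the ticket was found expired
    final_endtime: int


def needs_renewal(tgt: Tgt, now: int, interval: int) -> bool:
    """Renew only a ticket that is still valid, still renewable, and would
    expire before the timer fires again at now + interval."""
    if tgt.endtime <= now:       # already expired: nothing can bring it back
        return False
    if tgt.renew_till <= now:    # renewable life exhausted
        return False
    return tgt.endtime - now <= interval


def renew(tgt: Tgt, now: int) -> Tgt:
    """A renewal restarts the ticket lifetime at `now`, capped by renew_till."""
    return tgt._replace(endtime=min(now + tgt.lifetime, tgt.renew_till))


def simulate(tgt: Tgt, interval: int, horizon: int) -> Outcome:
    """Fire the timer at t = 0, interval, 2*interval, ... up to `horizon`."""
    renewals = wakeups = 0
    now = 0
    while now <= horizon:
        wakeups += 1
        if tgt.endtime <= now:
            # The ticket expired between two ticks: the interval was too long.
            return Outcome(renewals, wakeups, now, tgt.endtime)
        if needs_renewal(tgt, now, interval):
            tgt = renew(tgt, now)
            renewals += 1
        now += interval
    return Outcome(renewals, wakeups, None, tgt.endtime)


HOUR, DAY = 3600, 86400
# Constructed ticket: 10h lifetime, renewable for 7 days, issued at t = 0.
TICKET = Tgt("user@EXAMPLE.COM", endtime=10 * HOUR, renew_till=7 * DAY,
             lifetime=10 * HOUR)


def sweep(ticket: Tgt = TICKET, horizon: int = 2 * DAY) -> dict:
    """Compare three candidate renew intervals over a two-day horizon:
    one minute (many wakeups), 30 minutes, and 12 hours (longer than the
    ticket lifetime, so the ticket expires between ticks)."""
    return {interval: simulate(ticket, interval, horizon)
            for interval in (60, 30 * 60, 12 * HOUR)}


if __name__ == "__main__":
    for interval, out in sweep().items():
        status = ("alive" if out.expired_at is None
                  else f"expired at t={out.expired_at}s")
        print(f"interval={interval:>6}s  wakeups={out.wakeups:>5}  "
              f"renewals={out.renewals}  {status}")
```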
justin-stephenson
2021-03-17 14:55:54 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: +Waiting for review
alexey-tikhonov
2021-03-15 12:51:58 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

alexey-tikhonov commented:
"""
It's not sleeping, it still spins in tevent loop doing stuff which may have a negative impact on battery.
That's exactly my question: what is it doing? IIUC, it should be sleeping on `epoll()` (say 99.999% of the time)

If it actually does something useful, it means the process would otherwise have to be socket activated, which is much more expensive than awaking from epoll().
If it doesn't do anything useful, then what is it doing?
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-799394082
justin-stephenson
2021-03-16 19:00:36 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
justin-stephenson
2021-03-17 14:56:02 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
I pushed a new version addressing the latest review items from Pavel. The CI failure `Details` link shows no actual files, just an empty header. Is it expected?
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-801150902
justin-stephenson
2021-03-15 15:21:47 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
Ah, I missed the last patch: `KCM: Disable responder idle timeout with renewals`. So it will work correctly. But I wonder if it would be better to keep the idle timeout enabled. What we could do is to make the systemd timer send an SSSD-specific KCM op code periodically and renew the tickets per-request. This would also simplify the logic by a lot since you would not have to keep the hash table and timers.
I'm fine with this approach, but if the systemd timer file is installed conditionally at build time (if KCM renewals are built), then what interval value, i.e. how often KCM wakes up to attempt renewals, should we set in the systemd timer file? Currently the renew interval is defined with the `krb5_renew_interval` option in sssd.conf. I suppose the other side effect is that fallback to `auth_provider=krb5` renew config options would no longer work.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-799506171
justin-stephenson
2021-03-17 14:55:58 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: -Changes requested
pbrezina
2021-03-16 10:56:44 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
Post by alexey-tikhonov
It's not sleeping, it still spins in tevent loop doing stuff which may have a negative impact on battery.
That's exactly my question: what is it doing? IIUC, it should be sleeping on `epoll()` (say 99.999% of the time)
If it actually does something useful, it means the process would otherwise have to be socket activated, which is much more expensive than awaking from epoll().
If it doesn't do anything useful, then what is it doing?
epoll is just one of the tevent mechanisms, there is much more to it. It does not check only epoll, but also goes into internal structures to watch for signals and to trigger timed events and tevent reqs. But let's not dive into it, I formulated my previous answer wrongly and made battery life a stronger point than I meant. If this was the reason to keep it as a short-lived process it is certainly something that needs to be measured.

My point was that lots of logic that Justin introduced would not be necessary.
Post by alexey-tikhonov
Ah, I missed the last patch: `KCM: Disable responder idle timeout with renewals`. So it will work correctly. But I wonder if it would be better to keep the idle timeout enabled. What we could do is to make the systemd timer send an SSSD-specific KCM op code periodically and renew the tickets per-request. This would also simplify the logic by a lot since you would not have to keep the hash table and timers.
I'm fine with this approach, but if the systemd timer file is installed conditionally at build time (if KCM renewals are built), then what interval value, i.e. how often KCM wakes up to attempt renewals, should we set in the systemd timer file? Currently the renew interval is defined with the `krb5_renew_interval` option in sssd.conf. This is an important consideration because if the renewal interval is too high then we could miss renewing tickets that have already expired; too low, and it may add unnecessary KCM load.
I suppose the other side effect is that fallback to `auth_provider=krb5` renew config options would no longer work.
Fair point. Let's continue with this patch set as is. Since SSSD is not currently relying that much on systemd it is probably a better choice. We can revisit this if we ever switch from monitor to systemd.

"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-800159007
justin-stephenson
2021-03-26 18:38:06 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
Hi Justin,
I'm sorry it takes so long, but there are a few more things. They are mostly minor, but one makes kcm fail to start.
These issues are addressed in the latest version.

"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-808436460
justin-stephenson
2021-03-26 18:37:18 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
pbrezina
2021-03-26 11:52:02 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
Thanks a lot Pavel for the further review, it is better to get everything resolved now than having to fix issues later.
```
[root /var/log/sssd]# /usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --debug-level 0xfff0
(2021-03-25 12:12:49:260824): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-03-25 12:12:49:260883): [sssd] [become_user] (0x0200): Already user [0].
(2021-03-25 12:12:49:263412): [kcm] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(2021-03-25 12:12:49): [kcm] [server_setup] (0x0040): Starting with debug level = 0xfff0
(2021-03-25 12:12:49): [kcm] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(2021-03-25 12:12:49): [kcm] [kcm_get_ccdb_be] (0x0100): KCM database type: secdb
(2021-03-25 12:12:49): [kcm] [kcm_ccdb_init] (0x0200): KCM back end: libsss_secrets
(2021-03-25 12:12:49): [kcm] [ccdb_secdb_init] (0x2000): secdb initialized
(2021-03-25 12:12:49): [kcm] [sss_sec_list_cc_uids] (0x2000): uid: [91600000]
(2021-03-25 12:12:49): [kcm] [sss_sec_list_cc_uids] (0x2000): uid: [1000]
(2021-03-25 12:12:49): [kcm] [ccdb_secdb_renew_init] (0x2000): Found [2] ccache uids
(2021-03-25 12:12:49): [kcm] [renew_check_ccaches] (0x0040): Failed to get pwd entry for [91600000]
(2021-03-25 12:12:49): [kcm] [ccdb_secdb_renew_init] (0x0040): Error checking ccaches in secdb
(2021-03-25 12:12:49): [kcm] [kcm_ccdb_renew_init] (0x0020): Failure to execute ccdb renewal init
(2021-03-25 12:12:49): [kcm] [kcm_process_init] (0x0010): fatal error initializing KCM ccdb renewals
(2021-03-25 12:12:49): [kcm] [kcm_responder_ctx_destructor] (0x0400): Responder is being shut down
```
Is it valid to treat renewal failures as not fatal, and return EOK from `kcm_ccdb_renew_init` instead of current behavior shown below? If not what is the preferred way to handle this?
Failure to set up renewals should be fatal. But an invalid uid inside the cache is not fatal; it may happen quite easily -- the user was removed from LDAP and then from the SSSD cache but kdestroy was not called before the user was removed. In the future we should probably purge such ccaches.
```c
errno_t kcm_renewals_init(...)
{
#ifndef HAVE_KCM_RENEWAL
    return EOK;
#else
    /* do stuff */
#endif
}
```
Can you help me understand what is the benefit of this change?
The benefit is that the logic is confined to the function and not to its caller. The current code requires #ifdefs in two places. If you move it to a separate function, you only need one #ifdef and the caller does not have to care about the support. It is not that important at this place, but it is generally a good practice. The caller should know how to call the function, not when to call it.


"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-808156268
justin-stephenson
2021-03-31 12:38:38 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
pbrezina
2021-03-31 15:18:59 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
Sorry, it still does not work correctly. Right now you don't continue with the next user if you did not find the current one. You want:

```diff
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
index 7591c5687..14315e01b 100644
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
@@ -707,7 +707,7 @@ static errno_t renew_check_ccaches(struct krb5_ctx *krb5_ctx,
struct passwd *pwd;
errno_t ret;

- cli_cred = talloc_zero(ev, struct cli_creds);
+ cli_cred = talloc_zero(NULL, struct cli_creds);
if (cli_cred == NULL) {
return ENOMEM;
}
@@ -716,11 +716,10 @@ static errno_t renew_check_ccaches(struct krb5_ctx *krb5_ctx,
for (int i = 0; i < uid_count; i++) {
pwd = getpwuid(uids[i]);
if (pwd == NULL) {
- talloc_zfree(cli_cred);
DEBUG(SSSDBG_OP_FAILURE, "Failed to get pwd entry for [%d]\n",
uids[i]);
/* Not fatal */
- return EOK;
+ continue;
}

cli_cred->ucred.uid = pwd->pw_uid;
@@ -728,16 +727,14 @@ static errno_t renew_check_ccaches(struct krb5_ctx *krb5_ctx,

ret = secdb_container_url_req(state, sctx, cli_cred, &sreq);
if (ret != EOK) {
- talloc_zfree(cli_cred);
- return EINVAL;
+ goto done;
}

ret = sss_sec_list(state, sreq, &keys, &nkeys);
if (ret == ENOENT) {
nkeys = 0;
} else if (ret != EOK) {
- talloc_zfree(cli_cred);
- return EINVAL;
+ goto done;
}
DEBUG(SSSDBG_TRACE_INTERNAL, "Found [%zu] ccaches under uid [%u]\n",
nkeys, uids[i]);
@@ -746,14 +743,16 @@ static errno_t renew_check_ccaches(struct krb5_ctx *krb5_ctx,
for (size_t j = 0; j < nkeys; j++) {
ret = renew_check_creds(krb5_ctx, state, sctx, cli_cred, keys[j]);
if (ret != EOK && ret != ENOENT) {
- talloc_zfree(cli_cred);
DEBUG(SSSDBG_OP_FAILURE, "Failed to check credentials\n");
- return EINVAL;
+ goto done;
}
}
}

- return EOK;
+done:
+ talloc_free(cli_cred);
+
+ return ret;
}

static errno_t ccdb_secdb_renew_init(struct krb5_ctx *krb5_ctx,
```
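Review bot: at the new `done:` label in the last hunk, `return ret` can hand back a stale or uninitialized value on the success path. `ret` is declared as `errno_t ret;` without an initializer and is only assigned inside the loop, so with `uid_count == 0`, or when every `getpwuid()` call fails and hits the new `continue`, the function returns garbage; and when `sss_sec_list()` returns `ENOENT` the previous hunk sets `nkeys = 0` but leaves `ret == ENOENT`, which falls through to `done:` and makes the whole check report ENOENT although nothing went wrong (the inner loop likewise tolerates `ret == ENOENT` from `renew_check_creds()` and leaves it in `ret`). Suggest an explicit `ret = EOK;` on the fall-through path immediately before `done:`, so only the `goto done` error exits carry a non-EOK value.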

Also what do we need the renew hash table for? I don't see where you take advantage of it? You always call `kcm_ccdb_renew_init` from `kcm_renew_tgt_timer_handler` so you always iterate over all cached credentials before you attempt to renew it. What was the intention here?
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-811141452
justin-stephenson
2021-03-31 15:22:57 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
Post by pbrezina
Also what do we need the renew hash table for? I don't see where you take advantage of it? You always call `kcm_ccdb_renew_init` from `kcm_renew_tgt_timer_handler` so you always iterate over all cached credentials before you attempt to renew it. What was the intention here?
I was using krb5 renewals as a starting point for my code; `add_tgt_to_renew_table` uses the hash table. Is it better to just use an array of `renew_data` structures? `kcm_renew_all_tgts` is where we retrieve the hash table entries to check for renewals.

"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-811149203
justin-stephenson
2021-03-26 18:30:17 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
pbrezina
2021-04-01 09:03:42 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
Post by pbrezina
Also what do we need the renew hash table for? I don't see where you take advantage of it? You always call `kcm_ccdb_renew_init` from `kcm_renew_tgt_timer_handler` so you always iterate over all cached credentials before you attempt to renew it. What was the intention here?
I was using krb5 renewals as a starting point for my code; `add_tgt_to_renew_table` uses the hash table. Is it better to just use an array of `renew_data` structures? `kcm_renew_all_tgts` is where we retrieve the hash table entries to check for renewals.
In this case the hash table is completely redundant. I think we have two options:

1. Keep the hash table. But in this case it would be better to maintain it from store/init/destroy/remove operations instead of populating it just before the refresh.
2. Drop the hash table and make the code much more straightforward. You don't need to renew_init on process start but only from the timer. You just want to iterate over all ccaches and find renewable tgts in the timer handler. (I favor this as long as there won't be performance issues since it is much easier)

In both cases, you'll probably end up with renew_init unneeded and you will gain support for all backends not just ccdb.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-811766398
justin-stephenson
2021-04-01 13:23:06 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
Post by pbrezina
1. Keep the hash table. But in this case it would be better to maintain it from store/init/destroy/remove operations instead of populating it just before the refresh.
2. Drop the hash table and make the code much more straightforward. You don't need to renew_init on process start but only from the timer. You just want to iterate over all ccaches and find renewable tgts in the timer handler. (I favor this as long as there won't be performance issues since it is much easier)
In both cases, you'll probably end up with renew_init unneeded and you will gain support for all backends not just ccdb.
Thank you, I will work on revising the PR for option 2. Just for information I am out on PTO starting April 2nd and returning April 12th.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-811904597
pbrezina
2021-04-13 11:39:51 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: +Changes requested
pbrezina
2021-04-13 11:39:55 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: -Waiting for review
justin-stephenson
2021-05-04 19:27:44 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
justin-stephenson
2021-05-05 00:41:55 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
justin-stephenson
2021-05-05 17:03:28 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
justin-stephenson
2021-05-05 18:50:37 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
justin-stephenson
2021-05-05 23:59:18 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
justin-stephenson
2021-05-07 01:52:48 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
pbrezina
2021-05-07 10:51:50 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
And one more thing - add [release notes](https://github.com/SSSD/sssd/blob/master/.git-commit-template#L7) and upstream ticket to the commit messages, e.g.
* https://github.com/SSSD/sssd/pull/5610/commits/c556e2543148792e05f435d25458f5309be74838
* https://github.com/SSSD/sssd/pull/5610/commits/3973e3f231dbe4c344ded9d4fdbf3effd3ae32be
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834263041
justin-stephenson
2021-05-07 12:46:25 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
Post by pbrezina
And one more thing - add [release notes](https://github.com/SSSD/sssd/blob/master/.git-commit-template#L7) and upstream ticket to the commit messages, e.g.
* [c556e25](https://github.com/SSSD/sssd/commit/c556e2543148792e05f435d25458f5309be74838)
* [3973e3f](https://github.com/SSSD/sssd/commit/3973e3f231dbe4c344ded9d4fdbf3effd3ae32be)
Should `:feature:` be added to all commits? Or just the main one implementing the feature?
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834346883
pbrezina
2021-05-07 12:49:25 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
Post by justin-stephenson
Post by pbrezina
And one more thing - add [release notes](https://github.com/SSSD/sssd/blob/master/.git-commit-template#L7) and upstream ticket to the commit messages, e.g.
* [c556e25](https://github.com/SSSD/sssd/commit/c556e2543148792e05f435d25458f5309be74838)
* [3973e3f](https://github.com/SSSD/sssd/commit/3973e3f231dbe4c344ded9d4fdbf3effd3ae32be)
Should `:feature:` be added to all commits? Or just the main one implementing the feature
Just once. Each release note should be there only once.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834349605
justin-stephenson
2021-05-07 14:07:38 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
justin-stephenson
2021-05-07 14:07:49 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
Post by pbrezina
And one more thing - add [release notes](https://github.com/SSSD/sssd/blob/master/.git-commit-template#L7) and upstream ticket to the commit messages, e.g.
* [c556e25](https://github.com/SSSD/sssd/commit/c556e2543148792e05f435d25458f5309be74838)
* [3973e3f](https://github.com/SSSD/sssd/commit/3973e3f231dbe4c344ded9d4fdbf3effd3ae32be)
Done, please check it.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834431969
justin-stephenson
2021-05-07 14:13:32 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: -Changes requested
justin-stephenson
2021-05-07 14:13:36 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: +Waiting for review
pbrezina
2021-05-07 16:59:10 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
Thank you for your patience, last two nitpicks in code and we can push.

And perhaps different wording for the release notes (fill in the version):
```
:feature: Added support for automatic renewal of renewable TGTs that are stored in
KCM ccache. This can be enabled by setting `tgt_renewal = true`. See the sssd-kcm man page for
more details. This feature requires MIT Kerberos X.Y.Z
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834622746
justin-stephenson
2021-05-07 17:56:13 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
justin-stephenson
2021-05-07 17:59:11 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
Post by pbrezina
Thank you for your patience, last two nitpick in code and we can push.
```
:feature: Added support for automatic renewal of renewable TGTs that are stored in
KCM ccache. This can be enabled by setting `tgt_renewal = true`. See the sssd-kcm man page for
more details. This feature requires MIT Kerberos X.Y.Z
```
Fixed and pushed, not sure if `MIT Kerberos krb5-1.19-0.beta2.3 or higher.` is the correct wording however.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-834658385
pbrezina
2021-05-10 10:27:44 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
Thank you. Ack.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-836525263
pbrezina
2021-05-10 10:27:57 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: -Waiting for review
pbrezina
2021-05-10 10:27:59 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: +Ready to push
pbrezina
2021-05-10 10:28:01 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: +Accepted
pbrezina
2021-05-10 12:54:10 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

pbrezina commented:
"""
Pushed PR: https://github.com/SSSD/sssd/pull/5450

* `master`
* ec932d35172819ac68343355faaad4dc6ffae688 - KCM: Disable responder idle timeout with renewals
* ddcedbf3bc6b267d40d8a7edcb65f8d61ec13dd1 - KCM: Conditionally build KCM renewals support
* 0202eb53ab18b5eeac53fc96bf5e0569276e3767 - INTG: Add KCM Renewal integration test
* a55405b3edd6312a5e39567e4bdde5522ffc6a0a - TESTS: Add kcm_renewals unit test
* 1dc3c33c8d2f4ca4a41b186746c44f74510c2f38 - SECRETS: Don't hardcode SECRETS_DB_PATH
* 599f0ad056dc8fc052395d5abe0e110e4e68a886 - KCM: Prepare and execute renewals
* 993b66d48d555c59e619d7ef3b494248a82587ac - KCM: Read and set KCM renewal and krb5 options

"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-836663582
pbrezina
2021-05-10 12:54:15 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: +Pushed
pbrezina
2021-05-10 12:54:18 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: -Accepted
pbrezina
2021-05-10 12:54:21 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

Label: -Ready to push
pbrezina
2021-05-10 12:54:23 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Author: justin-stephenson
Title: #5450: kcm: add support for kerberos tgt renewals
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5450/head:pr5450
git checkout pr5450
