KRB5: read keytab copy in offline mode too #8671

Merged
alexey-tikhonov merged 1 commit into SSSD:master from alexey-tikhonov:read-keytab-offline
May 11, 2026

@alexey-tikhonov
Member

The process can transition from offline pre-auth to online auth within the same invocation.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request modifies the privileged_krb5_setup function in krb5_child.c to allow keytab setup even when offline, while adding a guard to skip FAST configuration in offline mode. Feedback suggests that skipping FAST setup entirely when offline could lead to security issues or authentication failures if the process transitions to online mode later, as the FAST options would not be properly initialized.

Comment thread src/providers/krb5/krb5_child.c
@alexey-tikhonov alexey-tikhonov marked this pull request as ready for review May 6, 2026 09:52
@alexey-tikhonov
Member Author

Contributor

@ikerexxe ikerexxe left a comment

LGTM!

Contributor

@sumit-bose sumit-bose left a comment

Hi,

thank you for the fix to solve the regression, ACK.

Nevertheless it might be good to rethink the role of krb5_child if the SSSD backend is offline.

bye,
Sumit

@sumit-bose sumit-bose added and removed the coverity (Trigger a coverity scan) label May 8, 2026
@sumit-bose
Contributor

Coverity was green.

The process can transition from offline pre-auth to online auth within
the same invocation.

Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
@sssd-bot
Contributor

The pull request was accepted by @alexey-tikhonov with the following PR CI status:


🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-44-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / intgcheck (fedora-45) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🔴 ci / system (fedora-44) (failure)
🟢 ci / system (fedora-45) (success)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)


There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the read-keytab-offline branch from f9effbb to 3c569bd Compare May 11, 2026 06:38
@alexey-tikhonov alexey-tikhonov merged commit b070171 into SSSD:master May 11, 2026
10 of 15 checks passed