[Pkg-freeipa-devel] Bug#1034659: Bug#1034659: Bug#1034659: freeipa-client: IPA client Kerberos configuration incompatible with java
Timo Aaltonen
tjaalton at debian.org
Fri Apr 21 09:19:58 BST 2023
Mathieu Baudier kirjoitti 21.4.2023 klo 10.45:
>>> Okay, so it got added to sssd due to
>>>
>>> https://github.com/SSSD/sssd/issues/5893
>>>
>>> so I wonder if ipa should stop doing the same, and remove the line
>>> from
>>> krb5.conf on upgrade.
>>
>> Seems this is filed upstream already at
>>
>> https://pagure.io/freeipa/issue/9267
>>
>> but no fix available yet, so it needs to be fixed downstream first.
>
> Ok, I had missed that it was already filed upstream.
> Actually, the issue also occurs on RHEL 9.
>
> I am well set up to test a patched Debian package if it can be helpful.
>
> As I described in the original bug report above, the workaround is
> either to delete /etc/krb5.conf.d/enable_sssd_conf_dir or to comment
> the includedir line out.
>
> It could be more robust to patch it at this level since
> /etc/krb5.conf.d/enable_sssd_conf_dir is a static file, while
> /etc/krb5.conf is modified by ipa-client-install. But on the long run,
> the upstream fix will probably be at IPA level as you suggested, so
> maybe it is safer to keep a patch there, and not to impact sssd.
Yes, the change should be in freeipa, sssd needs that for other use
cases where ipa is not involved.
--
t
More information about the Pkg-freeipa-devel
mailing list