Hi Andy,

Yes, a patch was my original intent. I was hoping it would be easy, but after a quick skim over the code, it's not. Just trying all Credential Collections would mean modifying several initialization functions and reworking the logic a bit so a loop over all credential collections can be done with tests of authentication in between.

The more correct way, to check against the domain and from that map the correct realm, would even mean changing the XrdSecInterface, if I understand correctly, to pass through the domain name / endpoint, and I'd need to learn more about the Kerberos API to actually query the realm <=> domain mapping.

For all of this, I'd need a significant amount of time just to understand the program flow and the corner cases (there are special cases when variables in principal names are evaluated, etc.). While I would certainly be interested, I don't have the resources (time) at the moment :sad:.

Cheers,
Oliver

