On 12.12.2016 at 22:33, Kevin Fenzi wrote:
> On Mon, 12 Dec 2016 10:53:39 +0100
> Vít Ondruch <vondruch@xxxxxxxxxx> wrote:
>
>> So several questions:
>>
>> 1) When I have 2 domains I login to with kerberos, how to really make
>> it work. I don't want to kswitch all the time. I am using Kerberos to
>> authenticate my email client, so I want to keep it working all the
>> time.
> Fedora should work just fine with other domains. It doesn't need to be
> the primary.
>
>> 2) I needed to update a certificate every 6 months, now I need to
>> kinit every day. This is regression. How to make it work without
>> kinit at all. I am using SSSD for company kerberos and I don't need
>> to kinit at all, how to make this work for Fedora?
> I really wish people would stop using that word.
> https://ohjeezlinux.wordpress.com/2013/01/03/new-rule-about-regressions/
>
> Anyhow, this is just a change in behavior that you don't like.

Come on? Am I the only one? Overall, I think it is a good idea to use kerberos, but the implementation sucks so far TBH.

>
> First, I'll note you don't need to get a new ticket every day, you can
> just renew with 'kinit -R'.

Not sure what is the difference here, maybe you want to explain.

> I am not sure what env kinit needs, but you
> may even be able to do this from a cron job.

That will work for 1 week. Again, you imply some additional settings on me. They were not needed so far. I needed to call "fedora-packager-setup" every six months, that was it.

BTW you don't mention if the "fedora-packager-setup" is useful for something ATM.

>
> As sgallagh noted downthread, gnome online accounts will hopefully
> handle this for you soon as soon as that one bug is fixed.

That should be fixed prior to such changes being pushed. If it is not, there should be at least somebody pushing this forward.

>
>
> Finally, I'll note that these tickets are more powerful than the old
> certs. The certs controlled authentication to just koji and uploads,
> while tickets allow you to login to almost all our web apps as well.

Once again, you make it sound like I dislike kerberos and hate this feature. But quite the contrary, I believe that this is a step in the right direction and I appreciate this change in general. Unfortunately, the current status is far from ideal and the experience is worse than it used to be.

Vít