author | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-26 16:23:32 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-26 23:37:33 +0200 |
commit | ba95f1c434b430f0db7fddbd865af10488ecab17 (patch) | |
tree | 09f0635b58095622e417faee4d672d27c1d04a8e | |
parent | d66195c1d8e1bc808b4e117904d149276e139b61 (diff) | |
AD: kinit with the local DC even when talking to a GC
We tried to use the GC address even for kinit which gave us errors like:
"Realm not local to KDC while getting initial credentials".
This patch adds a new AD_GC service that is used only for ID lookups;
all Kerberos operations are done against the local servers.
-rw-r--r-- | src/providers/ad/ad_common.c | 22 | ||||
-rw-r--r-- | src/providers/ad/ad_common.h | 3 |
2 files changed, 21 insertions, 4 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index d53acf9e..b0669120 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -189,7 +189,7 @@ _ad_servers_init(TALLOC_CTX *mem_ctx,
 }
 sdata->gc = true;
- ret = be_fo_add_srv_server(bectx, AD_SERVICE_NAME, "gc",
+ ret = be_fo_add_srv_server(bectx, AD_GC_SERVICE_NAME, "gc",
 ad_domain, BE_FO_PROTO_TCP, false, sdata);
 if (ret != EOK) {
@@ -339,7 +339,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
 }
 service->sdap->name = talloc_strdup(service->sdap, AD_SERVICE_NAME);
- service->gc->name = talloc_strdup(service->gc, AD_SERVICE_NAME);
+ service->gc->name = talloc_strdup(service->gc, AD_GC_SERVICE_NAME);
 if (!service->sdap->name || !service->gc->name) {
 ret = ENOMEM;
 goto done;
@@ -357,6 +357,12 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
 goto done;
 }
+ ret = be_fo_add_service(bectx, AD_GC_SERVICE_NAME, ad_user_data_cmp);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to create GC failover service!\n"));
+ goto done;
+ }
+
 service->krb5_service->name = talloc_strdup(service->krb5_service,
 AD_SERVICE_NAME);
 if (!service->krb5_service->name) {
@@ -413,6 +419,14 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
 goto done;
 }
+ ret = be_fo_service_add_callback(mem_ctx, bectx, AD_GC_SERVICE_NAME,
+ ad_resolve_callback, service);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Failed to add failover callback! [%s]\n", strerror(ret)));
+ goto done;
+ }
+
 *_service = talloc_steal(mem_ctx, service);
 ret = EOK;
@@ -531,7 +545,9 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
 goto done;
 }
- if (service->krb5_service->write_kdcinfo) {
+ /* Only write kdcinfo files for local servers */
+ if ((sdata == NULL || sdata->gc == false) && service->krb5_service->write_kdcinfo) {
 /* Write krb5 info files */
 safe_address = sss_escape_ip_address(tmp_ctx, srvaddr->family,
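Review bot: The SRV entry for the GC is now registered under AD_GC_SERVICE_NAME on the changed `be_fo_add_srv_server` line, which presumably requires that failover service to already exist; please confirm `_ad_servers_init` runs only after the new `be_fo_add_service(bectx, AD_GC_SERVICE_NAME, ad_user_data_cmp)` in ad_failover_init, otherwise the lookup by service name would fail at provider startup. A one-line comment above the call would record the dependency: `/* Requires the AD_GC failover service created in ad_failover_init() */`. `_ad_servers_init` begins and ends outside this hunk.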
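Review bot: The failure path of the new `be_fo_add_service(bectx, AD_GC_SERVICE_NAME, ...)` call logs no error code, while the `be_fo_service_add_callback` failure added later in the same function reports `[%s]` via strerror(ret); for consistency and easier diagnosis I would write `DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to create GC failover service! [%d]: %s\n", ret, strerror(ret)));`. The reason for a separate service also deserves a comment above the call, because this split is what keeps GC servers out of the Kerberos path: `/* The GC gets its own failover service: it is used for ID lookups only, never for Kerberos, so its servers must not end up in kdcinfo */`. ad_failover_init begins and ends outside this hunk.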
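Review bot: The GC service is wired to the same `ad_resolve_callback` with the same `service` private data as the main AD service, so inside the callback nothing but the per-server user data can tell a GC server from a local DC; the later hunk keys the kdcinfo guard on `sdata->gc` and treats `sdata == NULL` as a local server. Any server that reaches AD_GC_SERVICE_NAME without user data would therefore be written out as a KDC, which is exactly the failure this commit fixes; whether such a path exists is not visible here. I would state the invariant at the registration: `/* Shares ad_resolve_callback with AD_SERVICE_NAME; GC servers are recognised only via sdata->gc, so every GC server must carry user data */`. ad_failover_init begins and ends outside this hunk.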
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 1503059e..500f49c7 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -26,7 +26,8 @@
 #include "util/util.h"
 #include "providers/ldap/ldap_common.h"
-#define AD_SERVICE_NAME "AD"
+#define AD_SERVICE_NAME "AD"
+#define AD_GC_SERVICE_NAME "AD_GC"
 /* The port the Global Catalog runs on */
 #define AD_GC_PORT 3268 |
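Review bot: AD_GC_SERVICE_NAME is introduced without a comment, while the neighbouring AD_GC_PORT has one, and the name alone does not convey that this failover service is restricted to ID lookups and must never feed Kerberos. I would add above the new define: `/* Failover service for Global Catalog lookups only; Kerberos (kinit, kdcinfo) always uses AD_SERVICE_NAME */`.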