summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2013-06-24 21:39:36 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-25 14:34:42 +0200
commit695cc8754aecb3dcc3a617d86b7d4b6470af175d (patch)
treeadb80f8bae1c54bf45bdb51dd898ece420452712
parentfa4a9c4afcc0c62a693034e21f33356e64735687 (diff)
downloadsssd-695cc8754aecb3dcc3a617d86b7d4b6470af175d.tar.gz
sssd-695cc8754aecb3dcc3a617d86b7d4b6470af175d.tar.bz2
sssd-695cc8754aecb3dcc3a617d86b7d4b6470af175d.zip
krb5: do not use enterprise principals for renewals
When renewing a ticket we already know the canonical principal hence it is not needed to expand it to an enterprise principal but we can contact the KDC of the corresponding realm directly.
-rw-r--r--src/providers/krb5/krb5_child_handler.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 161fa269..1da7e4f4 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -148,8 +148,13 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
} else {
send_pac = 1;
}
- use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
+
+ if (kr->pd->cmd == SSS_CMD_RENEW) {
+ use_enterprise_principal = false;
+ } else {
+ use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
KRB5_USE_ENTERPRISE_PRINCIPAL) ? 1 : 0;
+ }
buf = talloc(kr, struct io_buffer);
if (buf == NULL) {