author | Sumit Bose <sbose@redhat.com> | 2013-06-24 21:39:36 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-25 14:34:42 +0200 |
commit | 695cc8754aecb3dcc3a617d86b7d4b6470af175d (patch) | |
tree | adb80f8bae1c54bf45bdb51dd898ece420452712 | |
parent | fa4a9c4afcc0c62a693034e21f33356e64735687 (diff) | |
krb5: do not use enterprise principals for renewals
When renewing a ticket we already know the canonical principal, so there
is no need to expand it to an enterprise principal; we can contact
the KDC of the corresponding realm directly.
-rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 161fa269..1da7e4f4 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -148,8 +148,13 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     } else {
         send_pac = 1;
     }
-    use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
+
+    if (kr->pd->cmd == SSS_CMD_RENEW) {
+        use_enterprise_principal = false;
+    } else {
+        use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
                                          KRB5_USE_ENTERPRISE_PRINCIPAL) ? 1 : 0;
+    }
 
     buf = talloc(kr, struct io_buffer);
     if (buf == NULL) {
 |
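Review bot: The new renewal branch assigns `false` while the else branch still yields `? 1 : 0`, and `send_pac = 1` just above suggests these are integer flags for the send buffer, so `use_enterprise_principal = 0;` would keep the two branches consistent. The branch also has no comment explaining why the configured KRB5_USE_ENTERPRISE_PRINCIPAL option is ignored for SSS_CMD_RENEW. That reasoning currently lives only in the commit message, and a later reader could mistake the override for a bug. I would add `/* Renewals already use the canonical principal: skip enterprise principal expansion and contact the realm's KDC directly. */` above the `if`. The override presumably relies on the principal passed for a renewal being the canonical one recorded at initial authentication, which is worth confirming in the part of create_send_buffer outside this hunk.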