author | Sumit Bose <sbose@redhat.com> | 2013-05-28 18:32:32 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-05-31 16:16:13 +0200 |
commit | 99b2ad71169aa02846f7843d26cbe28e1e1c81fe (patch) | |
tree | b370ea651ab545624045a8fe64d00b00d251ffbc | |
parent | 577ba99b3150404533bd3d859522a2c994b17e76 (diff) | |
Set canonicalize flag if enterprise principals are used
In contrast to MIT KDCs AD does not automatically canonicalize the
enterprise principal in an AS request but requires the canonicalize
flags to be set. To be on the safe side we always enable
canonicalization if enterprise principals are used.
-rw-r--r-- | src/providers/krb5/krb5_common.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index c6865c09..940cc373 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c @@ -155,7 +155,12 @@ errno_t check_and_export_options(struct dp_option *opts, } } - if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) { + /* In contrast to MIT KDCs AD does not automatically canonicalize the + * enterprise principal in an AS request but requires the canonicalize + * flags to be set. To be on the safe side we always enable + * canonicalization if enterprise principals are used. */ + if (dp_opt_get_bool(opts, KRB5_CANONICALIZE) + || dp_opt_get_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL)) { ret = setenv(SSSD_KRB5_CANONICALIZE, "true", 1); } else { ret = setenv(SSSD_KRB5_CANONICALIZE, "false", 1); |
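Review bot: The new condition in check_and_export_options() silently overrides an explicit KRB5_CANONICALIZE = false whenever KRB5_USE_ENTERPRISE_PRINCIPAL is set, and nothing in the hunk tells the administrator that SSSD_KRB5_CANONICALIZE was exported as "true" against the configured value. Consider emitting a debug message on the path where only the `|| dp_opt_get_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL)` branch is true, and documenting alongside both options that enterprise principals imply canonicalization, so that someone troubleshooting a principal returned by the KDC that differs from the one requested can trace it back to this setting. The in-code comment repeats the commit message verbatim, which is fine, but it says "flags" where the code sets a single value; "flag" would match.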