authorSumit Bose <sbose@redhat.com>2013-05-28 18:32:32 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-05-31 16:16:13 +0200
commit99b2ad71169aa02846f7843d26cbe28e1e1c81fe (patch)
treeb370ea651ab545624045a8fe64d00b00d251ffbc
parent577ba99b3150404533bd3d859522a2c994b17e76 (diff)
Set canonicalize flag if enterprise principals are used
In contrast to MIT KDCs AD does not automatically canonicalize the enterprise principal in an AS request but requires the canonicalize flags to be set. To be on the safe side we always enable canonicalization if enterprise principals are used.
-rw-r--r--src/providers/krb5/krb5_common.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index c6865c09..940cc373 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -155,7 +155,12 @@ errno_t check_and_export_options(struct dp_option *opts,
}
}
- if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) {
+ /* In contrast to MIT KDCs AD does not automatically canonicalize the
+ * enterprise principal in an AS request but requires the canonicalize
+ * flags to be set. To be on the safe side we always enable
+ * canonicalization if enterprise principals are used. */
+ if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)
+ || dp_opt_get_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL)) {
ret = setenv(SSSD_KRB5_CANONICALIZE, "true", 1);
} else {
ret = setenv(SSSD_KRB5_CANONICALIZE, "false", 1);
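Review bot: The new `||` in the condition means an explicit `krb5_canonicalize = false` is silently overridden whenever `krb5_use_enterprise_principal` is set, and nothing in the hunk tells the administrator that this happened. I would extend the comment with `* NOTE: this overrides an explicit krb5_canonicalize = false. */` and emit a debug message at configuration level on that path, so the effective setting is visible in the logs. With canonicalization on, the KDC may return a client principal that differs from the one requested, so whichever code consumes `SSSD_KRB5_CANONICALIZE` (not visible here) should be confirmed to compare the returned principal against the expected user. The body of check_and_export_options starts and ends outside the hunk, so the handling of `ret` after `setenv()` cannot be checked from here.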