diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-07 11:28:35 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-10 21:03:01 +0200 |
| commit | 14452cd066b51e32ca0ebad6c45ae909a1debe57 (patch) | |
| tree | 5c89a40d71008b0b2853b831d937a995e4a424ef /src/providers/ad | |
| parent | 7b5e7e539ae9312ab55d75aa94feaad549b2a708 (diff) | |
| download | sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.gz sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.bz2 sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.zip | |
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
Diffstat (limited to 'src/providers/ad')
| -rw-r--r-- | src/providers/ad/ad_common.c | 39 | ||||
| -rw-r--r-- | src/providers/ad/ad_opts.h | 2 |
2 files changed, 27 insertions, 14 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index ea124d96..1aad85de 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -531,21 +531,23 @@ ad_resolve_callback(void *private_data, struct fo_server *server) goto done; } - /* Write krb5 info files */ - safe_address = sss_escape_ip_address(tmp_ctx, - srvaddr->family, - address); - if (safe_address == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n")); - ret = ENOMEM; - goto done; - } + if (service->krb5_service->write_kdcinfo) { + /* Write krb5 info files */ + safe_address = sss_escape_ip_address(tmp_ctx, + srvaddr->family, + address); + if (safe_address == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n")); + ret = ENOMEM; + goto done; + } - ret = write_krb5info_file(service->krb5_service->realm, safe_address, - SSS_KRB5KDC_FO_SRV); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("write_krb5info_file failed, authentication might fail.\n")); + ret = write_krb5info_file(service->krb5_service->realm, safe_address, + SSS_KRB5KDC_FO_SRV); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("write_krb5info_file failed, authentication might fail.\n")); + } } ret = EOK; @@ -846,6 +848,15 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx, krb5_options[KRB5_REALM].opt_name, krb5_realm)); + /* Set flag that controls whether we want to write the + * kdcinfo files at all + */ + ad_opts->service->krb5_service->write_kdcinfo = \ + dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO); + DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n", + ad_opts->auth[KRB5_USE_KDCINFO].opt_name, + ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false")); + *_opts = talloc_steal(mem_ctx, krb5_options); ret = EOK; diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h index 218614dc..ba03c232 100644 --- a/src/providers/ad/ad_opts.h +++ b/src/providers/ad/ad_opts.h @@ -88,6 +88,7 @@ struct dp_option ad_def_ldap_opts[] = { { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING }, { "ldap_referrals", DP_OPT_BOOL, BOOL_FALSE, BOOL_TRUE }, { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, @@ -145,6 +146,7 @@ struct dp_option ad_def_krb5_opts[] = { { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, DP_OPTION_TERMINATOR }; |