diff options
| author | Sumit Bose <sbose@redhat.com> | 2013-06-24 20:59:53 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-25 14:34:39 +0200 |
| commit | fa4a9c4afcc0c62a693034e21f33356e64735687 (patch) | |
| tree | 5f396acead970d06e8ebdd9da7d3397238736072 /src/providers/krb5/krb5_child_handler.c | |
| parent | 48a53690ae35ef7e5690eb216c8e33140070f984 (diff) | |
| download | sssd-fa4a9c4afcc0c62a693034e21f33356e64735687.tar.gz sssd-fa4a9c4afcc0c62a693034e21f33356e64735687.tar.bz2 sssd-fa4a9c4afcc0c62a693034e21f33356e64735687.zip | |
krb5: do not send pac for IPA users from the local domain
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995
Diffstat (limited to 'src/providers/krb5/krb5_child_handler.c')
| -rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index 292ba00b..161fa269 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -129,7 +129,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr, size_t rp; const char *keytab; uint32_t validate; - uint32_t different_realm; + uint32_t send_pac; uint32_t use_enterprise_principal; size_t username_len = 0; errno_t ret; @@ -141,7 +141,13 @@ static errno_t create_send_buffer(struct krb5child_req *kr, } validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 1 : 0; - different_realm = kr->upn_from_different_realm ? 1 : 0; + + /* Always send PAC except for local IPA users */ + if (kr->krb5_ctx->is_ipa) { + send_pac = kr->upn_from_different_realm ? 1 : 0; + } else { + send_pac = 1; + } use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_USE_ENTERPRISE_PRINCIPAL) ? 1 : 0; @@ -184,7 +190,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr, SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->gid, &rp); SAFEALIGN_COPY_UINT32(&buf->data[rp], &validate, &rp); SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->is_offline, &rp); - SAFEALIGN_COPY_UINT32(&buf->data[rp], &different_realm, &rp); + SAFEALIGN_COPY_UINT32(&buf->data[rp], &send_pac, &rp); SAFEALIGN_COPY_UINT32(&buf->data[rp], &use_enterprise_principal, &rp); SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->upn), &rp); |