authorSumit Bose <sbose@redhat.com>2013-06-05 13:06:08 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-06 23:58:57 +0200
commitd153941864fe481399665be8fe583c9317194a99 (patch)
tree72a552e9807ce15e3f52b3816636dcc514c34493 /src/providers/krb5
parent154e62fc712f4c994fbc684386302edca277a99a (diff)
Always send the PAC to the PAC responder
Currently, while doing a Kerberos-based authentication, the PAC was only sent to the PAC responder for principals from a different realm. This reflects the FreeIPA use case of users from trusted domains. This restriction does not make sense anymore when the data from the PAC should be used for the AD provider as well. It also makes only limited sense for the IPA use case, because when using GSSAPI the PAC of users from the local IPA domain is already evaluated by the PAC responder.
Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_child.c38
1 files changed, 18 insertions, 20 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 4626f59f..8f746a8d 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -987,27 +987,25 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
goto done;
}
- /* Try to find and send the PAC to the PAC responder for principals which
- * do not belong to our realm. Failures are not critical. */
- if (kr->upn_from_different_realm) {
- kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
- kr->creds->client, keytab, &pac_authdata);
- if (kerr != 0) {
- DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_and_send_pac failed, group " \
- "membership for user with principal [%s] " \
- "might not be correct.\n", kr->name));
- kerr = 0;
- goto done;
- }
+ /* Try to find and send the PAC to the PAC responder.
+ * Failures are not critical. */
+ kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
+ kr->creds->client, keytab, &pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("sss_extract_and_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name));
+ kerr = 0;
+ goto done;
+ }
- kerr = sss_send_pac(pac_authdata);
- krb5_free_authdata(kr->ctx, pac_authdata);
- if (kerr != 0) {
- DEBUG(SSSDBG_OP_FAILURE, ("sss_send_pac failed, group " \
- "membership for user with principal [%s] " \
- "might not be correct.\n", kr->name));
- kerr = 0;
- }
+ kerr = sss_send_pac(pac_authdata);
+ krb5_free_authdata(kr->ctx, pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("sss_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name));
+ kerr = 0;
}
done:
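Review bot: The failure message on the new extract path still names `sss_extract_and_send_pac` while the call it reports on is `sss_extract_pac`, which sends anyone triaging krb5_child logs looking for a function that is not called here; change it to `DEBUG(SSSDBG_MINOR_FAILURE, ("sss_extract_pac failed, group " \`. Now that extraction runs for every principal rather than only foreign-realm ones, the failure branch is presumably reached on every authentication against a KDC that issues no PAC at all, and "group membership ... might not be correct" is then misleading for such deployments; if sss_extract_pac can distinguish a missing PAC from a real extraction error, logging the missing-PAC case separately (or at a lower level) would keep the message meaningful. The early `goto done` on extraction failure is fine as written since pac_authdata is only freed on the send path, but a one-line comment such as `/* no authdata to free: extraction failed before allocating it */` would make that explicit. validate_tgt begins before this hunk, so the code after `done:` is not visible here.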