author | Sumit Bose <sbose@redhat.com> | 2013-06-24 17:25:46 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-25 14:34:39 +0200 |
commit | 48a53690ae35ef7e5690eb216c8e33140070f984 (patch) | |
tree | 5c23952fd1ac046f5ea8c9d4d8060be41218464d /src/providers/krb5 | |
parent | 1de61a60ea50700ef687969b0b70d53907994255 (diff) | |
Revert "Always send the PAC to the PAC responder"
This reverts commit d153941864fe481399665be8fe583c9317194a99.
Diffstat (limited to 'src/providers/krb5')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 38 |
1 files changed, 20 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index e9fbfbea..cba72502 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -987,25 +987,27 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
 goto done;
 }
- /* Try to find and send the PAC to the PAC responder.
- * Failures are not critical. */
- kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
- kr->creds->client, keytab, &pac_authdata);
- if (kerr != 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("sss_extract_and_send_pac failed, group " \
- "membership for user with principal [%s] " \
- "might not be correct.\n", kr->name));
- kerr = 0;
- goto done;
- }
+ /* Try to find and send the PAC to the PAC responder for principals which
+ * do not belong to our realm. Failures are not critical. */
+ if (kr->upn_from_different_realm) {
+ kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
+ kr->creds->client, keytab, &pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_and_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name));
+ kerr = 0;
+ goto done;
+ }
- kerr = sss_send_pac(pac_authdata);
- krb5_free_authdata(kr->ctx, pac_authdata);
- if (kerr != 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("sss_send_pac failed, group " \
- "membership for user with principal [%s] " \
- "might not be correct.\n", kr->name));
- kerr = 0;
+ kerr = sss_send_pac(pac_authdata);
+ krb5_free_authdata(kr->ctx, pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name));
+ kerr = 0;
+ }
 }
 done: |
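Review bot: Both failure branches inside the new `if (kr->upn_from_different_realm)` block reset `kerr` to 0 without ever logging its value, so the TGT validation still returns success while the PAC never reaches the PAC responder, and the log carries no error code to diagnose why. I would print the code before clearing it, for example ending each message with `"might not be correct (kerr=%d).\n", kr->name, kerr));`. The first message also still names `sss_extract_and_send_pac`, although the call directly above it is `sss_extract_pac`, which makes the log line hard to match to the code. Because the messages themselves say group membership may be wrong afterwards, a short comment stating why a silent fallback is acceptable for principals from another realm would help whoever later audits access decisions based on those groups. `validate_tgt` begins before and continues after this hunk, so the handling at `done:` is not visible here.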