summaryrefslogtreecommitdiff
path: root/src/providers/krb5
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2013-06-24 17:25:46 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-25 14:34:39 +0200
commit48a53690ae35ef7e5690eb216c8e33140070f984 (patch)
tree5c23952fd1ac046f5ea8c9d4d8060be41218464d /src/providers/krb5
parent1de61a60ea50700ef687969b0b70d53907994255 (diff)
downloadsssd-48a53690ae35ef7e5690eb216c8e33140070f984.tar.gz
sssd-48a53690ae35ef7e5690eb216c8e33140070f984.tar.bz2
sssd-48a53690ae35ef7e5690eb216c8e33140070f984.zip
Revert "Always send the PAC to the PAC responder"
This reverts commit d153941864fe481399665be8fe583c9317194a99.
Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_child.c38
1 files changed, 20 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index e9fbfbea..cba72502 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -987,25 +987,27 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
goto done;
}
- /* Try to find and send the PAC to the PAC responder.
- * Failures are not critical. */
- kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
- kr->creds->client, keytab, &pac_authdata);
- if (kerr != 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("sss_extract_and_send_pac failed, group " \
- "membership for user with principal [%s] " \
- "might not be correct.\n", kr->name));
- kerr = 0;
- goto done;
- }
+ /* Try to find and send the PAC to the PAC responder for principals which
+ * do not belong to our realm. Failures are not critical. */
+ if (kr->upn_from_different_realm) {
+ kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
+ kr->creds->client, keytab, &pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_and_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name));
+ kerr = 0;
+ goto done;
+ }
- kerr = sss_send_pac(pac_authdata);
- krb5_free_authdata(kr->ctx, pac_authdata);
- if (kerr != 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("sss_send_pac failed, group " \
- "membership for user with principal [%s] " \
- "might not be correct.\n", kr->name));
- kerr = 0;
+ kerr = sss_send_pac(pac_authdata);
+ krb5_free_authdata(kr->ctx, pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name));
+ kerr = 0;
+ }
}
done: