summaryrefslogtreecommitdiff
path: root/src/providers
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2013-05-28 18:32:32 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-05-31 16:16:13 +0200
commit99b2ad71169aa02846f7843d26cbe28e1e1c81fe (patch)
treeb370ea651ab545624045a8fe64d00b00d251ffbc /src/providers
parent577ba99b3150404533bd3d859522a2c994b17e76 (diff)
downloadsssd-99b2ad71169aa02846f7843d26cbe28e1e1c81fe.tar.gz
sssd-99b2ad71169aa02846f7843d26cbe28e1e1c81fe.tar.bz2
sssd-99b2ad71169aa02846f7843d26cbe28e1e1c81fe.zip
Set canonicalize flag if enterprise principals are used
In contrast to MIT KDCs AD does not automatically canonicalize the enterprise principal in an AS request but requires the canonicalize flags to be set. To be on the safe side we always enable canonicalization if enterprise principals are used.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/krb5/krb5_common.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index c6865c09..940cc373 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -155,7 +155,12 @@ errno_t check_and_export_options(struct dp_option *opts,
}
}
- if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) {
+ /* In contrast to MIT KDCs AD does not automatically canonicalize the
+ * enterprise principal in an AS request but requires the canonicalize
+ * flags to be set. To be on the safe side we always enable
+ * canonicalization if enterprise principals are used. */
+ if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)
+ || dp_opt_get_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL)) {
ret = setenv(SSSD_KRB5_CANONICALIZE, "true", 1);
} else {
ret = setenv(SSSD_KRB5_CANONICALIZE, "false", 1);