author | Jan Zeleny <jzeleny@redhat.com> | 2010-10-14 09:37:34 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-10-19 16:02:47 -0400 |
commit | 7051a30300d12163e890e4ec4b9a765567679a8b (patch) | |
tree | 96d9f734fef8d052a4747756b11538f18e5d261f /src/providers | |
parent | ed9d7d200bda6f5e1a177054fb483fb48c6ad54e (diff) | |
download | sssd-7051a30300d12163e890e4ec4b9a765567679a8b.tar.gz sssd-7051a30300d12163e890e4ec4b9a765567679a8b.tar.bz2 sssd-7051a30300d12163e890e4ec4b9a765567679a8b.zip |
Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip.
For the time being, if krb5_server is not found, the code still falls back to
krb5_kdcip and logs a warning. If both options are present in the config file,
krb5_server takes priority.
Fixes: #543
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ipa/ipa_common.c | 10 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.c | 45 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.h | 3 | ||||
-rw-r--r-- | src/providers/krb5/krb5_init.c | 2 |
4 files changed, 57 insertions, 3 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 95d99de8..758bf9de 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -129,7 +129,7 @@ struct sdap_attr_map ipa_netgroup_map[] = {
 };
 
 struct dp_option ipa_def_krb5_opts[] = {
-    { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
     { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
@@ -437,6 +437,14 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
         goto done;
     }
 
+    /* If there is no KDC, try the deprecated krb5_kdcip option, too */
+    /* FIXME - this can be removed in a future version */
+    ret = krb5_try_kdcip(ipa_opts, cdb, conf_path, ipa_opts->auth);
+    if (ret != EOK) {
+        DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));
+        goto done;
+    }
+
     /* set krb realm */
     if (NULL == dp_opt_get_string(ipa_opts->auth, KRB5_REALM)) {
         value = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 3863acd9..81ad4e9d 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -32,7 +32,7 @@
 #include "providers/krb5/krb5_common.h"
 
 struct dp_option default_krb5_opts[] = {
-    { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
     { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
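Review bot: The failure message in the new block of ipa_get_auth_options names a function that does not exist in this change — `DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));` follows a call to `krb5_try_kdcip`, so an operator grepping the source for the logged name finds nothing; change it to `DEBUG(1, ("krb5_try_kdcip failed.\n"));` (the same string is used at the call in krb5_get_options). The memory context passed is `ipa_opts` while the option set being written is `ipa_opts->auth`, so anything the helper allocates on memctx lives as long as ipa_opts rather than the auth options; that is presumably harmless here but deserves a one-line comment so the lifetime is deliberate rather than accidental. ipa_get_auth_options starts and ends outside the hunk, so the `done` label that handles the error path cannot be checked from here.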
@@ -91,6 +91,41 @@ errno_t check_and_export_options(struct dp_option *opts,
     return EOK;
 }
 
+errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
+                       const char *conf_path, struct dp_option *opts)
+{
+    char *krb5_servers = NULL;
+    errno_t ret;
+
+    krb5_servers = dp_opt_get_string(opts, KRB5_KDC);
+    if (krb5_servers == NULL) {
+        DEBUG(4, ("No KDC found in configuration, trying legacy option\n"));
+        ret = confdb_get_string(cdb, memctx, conf_path,
+                                "krb5_kdcip", NULL, &krb5_servers);
+        if (ret != EOK) {
+            DEBUG(1, ("confdb_get_string failed.\n"));
+            return ret;
+        }
+
+        if (krb5_servers != NULL)
+        {
+            ret = dp_opt_set_string(opts, KRB5_KDC, krb5_servers);
+            if (ret != EOK) {
+                DEBUG(1, ("dp_opt_set_string failed.\n"));
+                talloc_free(krb5_servers);
+                return ret;
+            }
+
+            DEBUG(9, ("Set krb5 server [%s] based on legacy krb5_kdcip option\n"));
+            DEBUG(0, ("Your configuration uses the deprecated option 'krb5_kdcip' "
+                      "to specify the KDC. Please change the configuration to use "
+                      "the 'krb5_server' option instead."));
+        }
+    }
+
+    return EOK;
+}
+
 errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
                          const char *conf_path, struct dp_option **_opts)
 {
@@ -110,6 +145,14 @@ errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
         goto done;
     }
 
+    /* If there is no KDC, try the deprecated krb5_kdcip option, too */
+    /* FIXME - this can be removed in a future version */
+    ret = krb5_try_kdcip(memctx, cdb, conf_path, opts);
+    if (ret != EOK) {
+        DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));
+        goto done;
+    }
+
     *_opts = opts;
     ret = EOK;
 
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 6398ea22..a8ebcf5c 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
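Review bot: The format string in `DEBUG(9, ("Set krb5 server [%s] based on legacy krb5_kdcip option\n"));` has a `%s` conversion but no matching argument, so whenever the debug level reaches 9 the macro dereferences whatever happens to be in the variadic slot — undefined behaviour that can crash the backend or dump unrelated stack memory into the log; it should read `DEBUG(9, ("Set krb5 server [%s] based on legacy krb5_kdcip option\n", krb5_servers));`. The level-0 deprecation warning is the only message in the function without a trailing `\n`, so it will run straight into the next log line. Ownership of the confdb result is inconsistent: the failure path does `talloc_free(krb5_servers);` but the success path leaves the copy on memctx, so if dp_opt_set_string duplicates the value (as that free suggests) add the same `talloc_free(krb5_servers);` after the set succeeds, and if it instead takes ownership the free on failure is wrong. As a point of style, the brace after `if (krb5_servers != NULL)` sits on its own line, unlike every other block in the hunk.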
@@ -112,6 +112,9 @@ struct remove_info_files_ctx {
 errno_t check_and_export_options(struct dp_option *opts,
                                  struct sss_domain_info *dom);
 
+errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
+                       const char *conf_path, struct dp_option *opts);
+
 errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
                          const char *conf_path, struct dp_option **_opts);
 
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index c457dc55..7facdce5 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -88,7 +88,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
     krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
     if (krb5_servers == NULL) {
-        DEBUG(1, ("Missing krb5_kdcip option, using service discovery!\n"));
+        DEBUG(1, ("Missing krb5_server option, using service discovery!\n"));
     }
 
     krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM);
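Review bot: The new prototype for `krb5_try_kdcip` goes into the public header with no comment, although the commit message describes the fallback as temporary and the only record of that is a FIXME at the two call sites. A short header comment would keep the helper from being picked up as a general option reader: `/* Transitional: if KRB5_KDC is unset in opts, read the deprecated krb5_kdcip key from confdb under conf_path into it and log a deprecation warning. Remove once krb5_kdcip support is dropped. */`. It should also say that the value read from confdb is allocated on memctx, which the prototype alone does not make obvious to callers choosing a context.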