ipa_server_mode: write capaths to krb5 include file

If there are member domains in a trusted forest which are DNS-wise not
proper children of the forest root the IPA KDC needs some help to
determine the right authentication path. In general this should be done
internally by the IPA KDC but this works requires more effort than
letting sssd write the needed data to the include file for krb5.conf.
If this functionality is available for the IPA KDC this patch might be
removed from the sssd tree.

Fixes https://fedorahosted.org/sssd/ticket/2093

2 files changed, 4 insertions, 2 deletions

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index e8345ae5..f6d2eb81 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -482,7 +482,7 @@ static void ad_subdomains_get_slave_domain_done(struct tevent_req *req)
             goto done;
         }
 
-        ret = sss_write_domain_mappings(ctx->sd_ctx->be_ctx->domain);
+        ret = sss_write_domain_mappings(ctx->sd_ctx->be_ctx->domain, false);
         if (ret != EOK) {
             DEBUG(SSSDBG_MINOR_FAILURE,
                   ("sss_krb5_write_mappings failed.\n"));
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 03b780d6..ab0fdf65 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -932,7 +932,9 @@ static void ipa_subdomains_handler_done(struct tevent_req *req)
             goto done;
         }
 
-        ret = sss_write_domain_mappings(domain);
+        ret = sss_write_domain_mappings(domain,
+                        dp_opt_get_bool(ctx->sd_ctx->id_ctx->ipa_options->basic,
+                        IPA_SERVER_MODE));
         if (ret != EOK) {
             DEBUG(SSSDBG_MINOR_FAILURE,
                   ("sss_krb5_write_mappings failed.\n"));