authorJakub Hrozek <jhrozek@redhat.com>2013-06-26 16:23:32 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-26 23:37:33 +0200
commitba95f1c434b430f0db7fddbd865af10488ecab17 (patch)
tree09f0635b58095622e417faee4d672d27c1d04a8e /src
parentd66195c1d8e1bc808b4e117904d149276e139b61 (diff)
AD: kinit with the local DC even when talking to a GC
We tried to use the GC address even for kinit, which gave us errors like "Realm not local to KDC while getting initial credentials". This patch adds a new AD_GC failover service that is used only for ID lookups; all Kerberos operations are done against the local servers.
Diffstat (limited to 'src')
-rw-r--r--src/providers/ad/ad_common.c22
-rw-r--r--src/providers/ad/ad_common.h3
2 files changed, 21 insertions, 4 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index d53acf9e..b0669120 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -189,7 +189,7 @@ _ad_servers_init(TALLOC_CTX *mem_ctx,
}
sdata->gc = true;
- ret = be_fo_add_srv_server(bectx, AD_SERVICE_NAME, "gc",
+ ret = be_fo_add_srv_server(bectx, AD_GC_SERVICE_NAME, "gc",
ad_domain, BE_FO_PROTO_TCP,
false, sdata);
if (ret != EOK) {
@@ -339,7 +339,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
}
service->sdap->name = talloc_strdup(service->sdap, AD_SERVICE_NAME);
- service->gc->name = talloc_strdup(service->gc, AD_SERVICE_NAME);
+ service->gc->name = talloc_strdup(service->gc, AD_GC_SERVICE_NAME);
if (!service->sdap->name || !service->gc->name) {
ret = ENOMEM;
goto done;
@@ -357,6 +357,12 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
goto done;
}
+ ret = be_fo_add_service(bectx, AD_GC_SERVICE_NAME, ad_user_data_cmp);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to create GC failover service!\n"));
+ goto done;
+ }
+
service->krb5_service->name = talloc_strdup(service->krb5_service,
AD_SERVICE_NAME);
if (!service->krb5_service->name) {
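Review bot: The failure log for the new be_fo_add_service() call drops the error code, whereas the callback registration added further down in this same function prints strerror(ret); when failover setup fails at startup the code is the only thing an admin has to go on, so `DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to create GC failover service! [%d]: %s\n", ret, strerror(ret)));` would be more useful and consistent. Note also that the new AD_GC service reuses ad_user_data_cmp from the primary service, so that comparator is presumably expected to handle both gc and non-gc user data — it is not visible here, worth confirming. ad_failover_init starts and ends outside this hunk.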
@@ -413,6 +419,14 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
goto done;
}
+ ret = be_fo_service_add_callback(mem_ctx, bectx, AD_GC_SERVICE_NAME,
+ ad_resolve_callback, service);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Failed to add failover callback! [%s]\n", strerror(ret)));
+ goto done;
+ }
+
*_service = talloc_steal(mem_ctx, service);
ret = EOK;
@@ -531,7 +545,9 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
goto done;
}
- if (service->krb5_service->write_kdcinfo) {
+ /* Only write kdcinfo files for local servers */
+ if ((sdata == NULL || sdata->gc == false) &&
+ service->krb5_service->write_kdcinfo) {
/* Write krb5 info files */
safe_address = sss_escape_ip_address(tmp_ctx,
srvaddr->family,
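Review bot: The new guard treats a server with no user data (`sdata == NULL`) as a local DC and writes kdcinfo for it, so a server whose sdata was never set would still have its address handed to libkrb5 as a KDC — the exact failure mode this commit fixes, should such a server turn out to be a GC. If every server registered by this provider is meant to carry sdata (the SRV path in _ad_servers_init passes it, but the configured-server path is not visible here), it is safer to say so explicitly and skip the write otherwise: `if (sdata != NULL && sdata->gc == false && service->krb5_service->write_kdcinfo) {`, with a debug message when sdata is missing. Alternatively, now that GC servers have their own failover service, the server's service name could be used to decide instead of the opaque user data, which would not depend on every registration path setting sdata. ad_resolve_callback starts and ends outside this hunk, and sdata is assigned earlier in the function.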
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 1503059e..500f49c7 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -26,7 +26,8 @@
#include "util/util.h"
#include "providers/ldap/ldap_common.h"
-#define AD_SERVICE_NAME "AD"
+#define AD_SERVICE_NAME "AD"
+#define AD_GC_SERVICE_NAME "AD_GC"
/* The port the Global Catalog runs on */
#define AD_GC_PORT 3268
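Review bot: The two service names now carry different security-relevant roles, but nothing in the header says which is which; a reader of the kdcinfo guard in ad_resolve_callback has to find this commit to learn why GC servers are excluded. Suggest a comment above each definition: `/* Failover service for LDAP and all Kerberos operations against local DCs */` for AD_SERVICE_NAME and `/* Failover service for Global Catalog ID lookups only; never used for Kerberos and no kdcinfo is written for its servers */` for AD_GC_SERVICE_NAME.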