-rw-r--r--src/config/SSSDConfig.py1
-rwxr-xr-xsrc/config/SSSDConfigTest.py9
-rw-r--r--src/config/etc/sssd.api.d/sssd-krb5.conf1
-rw-r--r--src/man/sssd-ipa.5.xml17
-rw-r--r--src/man/sssd-krb5.5.xml15
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/krb5/krb5_child.c15
-rw-r--r--src/providers/krb5/krb5_common.c9
-rw-r--r--src/providers/krb5/krb5_common.h2
10 files changed, 68 insertions, 6 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 2d9d448c..87b1d634 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -120,6 +120,7 @@ option_strings = {
'krb5_renew_interval' : _("Time between two checks for renewal"),
'krb5_use_fast' : _("Enables FAST"),
'krb5_fast_principal' : _("Selects the principal to use for FAST"),
+ 'krb5_canonicalize' : _("Enables principal canonicalization"),
# [provider/krb5/chpass]
'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 79c18bcf..16ddfe50 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -566,7 +566,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_lifetime',
'krb5_renew_interval',
'krb5_use_fast',
- 'krb5_fast_principal'])
+ 'krb5_fast_principal',
+ 'krb5_canonicalize'])
options = domain.list_options()
@@ -719,7 +720,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_lifetime',
'krb5_renew_interval',
'krb5_use_fast',
- 'krb5_fast_principal']
+ 'krb5_fast_principal',
+ 'krb5_canonicalize']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
@@ -882,7 +884,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'krb5_lifetime',
'krb5_renew_interval',
'krb5_use_fast',
- 'krb5_fast_principal'])
+ 'krb5_fast_principal',
+ 'krb5_canonicalize'])
options = domain.list_options()
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index 993763b6..c52df1a6 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -16,6 +16,7 @@ krb5_lifetime = str, None, false
krb5_renew_interval = int, None, false
krb5_use_fast = str, None, false
krb5_fast_principal = str, None, false
+krb5_canonicalize = bool, None, false
[provider/krb5/access]
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index fb592792..2c1a0ed8 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -175,6 +175,23 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>krb5_canonicalize (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the host and user pricipal should be
+ canonicalized when connecting to IPA LDAP and also for AS
+ requests. This feature is available with MIT
+ Kerberos >= 1.7
+ </para>
+
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>ipa_hbac_refresh (integer)</term>
<listitem>
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index d629d876..3f2f33e3 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -405,6 +405,21 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>krb5_canonicalize (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the host and user pricipal should be
+ canonicalized. This feature is available with MIT
+ Kerberos >= 1.7
+ </para>
+
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</refsect1>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 12c0bb67..b68c72b4 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -175,7 +175,8 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
{ "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }
};
int ipa_get_options(TALLOC_CTX *memctx,
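Review bot: The IPA provider defaults krb5_canonicalize to BOOL_TRUE, so every IPA domain now sends the canonicalize flag on its AS requests without any configuration, while the generic krb5 provider in the same patch (krb5_common.c) defaults it to false. The man page added alongside states that the option also canonicalizes the host and user principal when connecting to IPA LDAP, but as far as this diff shows only krb5_child.c consumes the setting; if the LDAP/SASL path is meant to honor it that wiring is missing here, otherwise the man-page claim should be narrowed. A comment on the new entry would make the asymmetric default deliberate: `/* IPA KDCs support canonicalization, so enable it by default; the generic krb5 provider keeps it off */`.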
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 57591150..20074b45 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 14
+#define IPA_KRB5_OPTS_TEST 15
enum ipa_basic_opt {
IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index ec2251e4..fe872109 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -586,6 +586,18 @@ done:
}
+static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts)
+{
+ int canonicalize = 0;
+ char *tmp_str;
+
+ tmp_str = getenv(SSSD_KRB5_CANONICALIZE);
+ if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+ canonicalize = 1;
+ }
+ sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
+}
+
static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
krb5_principal princ,
krb5_keytab keytab,
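Review bot: krb5_set_canonicalize() carries no comment saying where SSSD_KRB5_CANONICALIZE comes from or that anything other than a case-insensitive "true" (including an unset variable) turns canonicalization off, which matters because the same helper is now applied to the host-keytab TGT path in get_and_save_tgt_with_keytab as well as to user logins. I would add above the definition: `/* Apply the krb5_canonicalize setting the backend exports as SSSD_KRB5_CANONICALIZE (see check_and_export_options); only "true" enables it, anything else or an unset variable leaves it off. */`. The helper only sets the request flag; whether the child later inspects the client principal the KDC actually returns is not visible in this hunk.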
@@ -601,6 +613,7 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
krb5_get_init_creds_opt_set_address_list(&options, NULL);
krb5_get_init_creds_opt_set_forwardable(&options, 0);
krb5_get_init_creds_opt_set_proxiable(&options, 0);
+ krb5_set_canonicalize(&options);
kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
&options);
@@ -1444,6 +1457,8 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
}
if (!offline) {
+ krb5_set_canonicalize(kr->options);
+
use_fast_str = getenv(SSSD_KRB5_USE_FAST);
if (use_fast_str == NULL || strcasecmp(use_fast_str, "never") == 0) {
DEBUG(9, ("Not using FAST.\n"));
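Review bot: With canonicalization enabled the KDC may answer the AS request with a client principal that differs from the one requested, and nothing in this hunk records or checks that name before the TGT is stored for the user; the remainder of krb5_child_setup and the code that saves the credentials lie outside the hunk, so this may be handled there. If it is not, compare the client principal of the returned creds with the expected one, or at least DEBUG it, so that an unexpected rewrite (for example a principal in another realm) is visible rather than silently accepted. Because the call is skipped when offline, the library default (canonicalization off) applies in that case; that looks intentional but deserves a one-line comment such as `/* offline: no KDC round trip, so canonicalization is irrelevant */`.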
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 4e792861..4675e0a1 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -45,7 +45,8 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
{ "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
};
errno_t check_and_export_lifetime(struct dp_option *opts, const int opt_id,
@@ -169,6 +170,12 @@ errno_t check_and_export_options(struct dp_option *opts,
}
}
+ if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) {
+ setenv(SSSD_KRB5_CANONICALIZE, "true", 1);
+ } else {
+ setenv(SSSD_KRB5_CANONICALIZE, "false", 1);
+ }
+
dummy = dp_opt_get_cstring(opts, KRB5_KDC);
if (dummy == NULL) {
DEBUG(1, ("No KDC explicitly configured, using defaults.\n"));
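Review bot: The two setenv() calls added here ignore their return value, so an ENOMEM failure would leave the child reading an unset or stale SSSD_KRB5_CANONICALIZE and silently fall back to canonicalization off (or to the previous setting after a reload) while check_and_export_options still reports success. The function already returns errno_t, so mirror that and collapse the branch: `ret = setenv(SSSD_KRB5_CANONICALIZE, dp_opt_get_bool(opts, KRB5_CANONICALIZE) ? "true" : "false", 1);` followed by `if (ret == -1) { ret = errno; DEBUG(1, ("setenv failed.\n")); return ret; }`. check_and_export_options begins and ends outside the hunk, so I cannot see how its other setenv calls are handled; match whatever they do.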
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 670fd1a5..950505f1 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -39,6 +39,7 @@
#define SSSD_KRB5_LIFETIME "SSSD_KRB5_LIFETIME"
#define SSSD_KRB5_USE_FAST "SSSD_KRB5_USE_FAST"
#define SSSD_KRB5_FAST_PRINCIPAL "SSSD_KRB5_FAST_PRINCIPAL"
+#define SSSD_KRB5_CANONICALIZE "SSSD_KRB5_CANONICALIZE"
#define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
#define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -61,6 +62,7 @@ enum krb5_opts {
KRB5_RENEW_INTERVAL,
KRB5_USE_FAST,
KRB5_FAST_PRINCIPAL,
+ KRB5_CANONICALIZE,
KRB5_OPTS
};