-rw-r--r-- | src/providers/ipa/ipa_init.c | 1 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.h | 1 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child.c | 14 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 12 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.h | 2 |
5 files changed, 20 insertions, 10 deletions
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index ece62bb8..77a51433 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -300,6 +300,7 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
         goto done;
     }
     krb5_auth_ctx->service = ipa_options->service->krb5_service;
+    krb5_auth_ctx->is_ipa = true;
     ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx;
 
     ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path,
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index cf290ca0..d31925da 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -55,6 +55,7 @@ struct krb5child_req {
     bool valid_tgt;
     bool run_as_user;
     bool upn_from_different_realm;
+    bool send_pac;
 };
 
 errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index cba72502..130be96b 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -53,7 +53,7 @@ struct krb5_req {
     char *ccname;
     char *keytab;
     bool validate;
-    bool upn_from_different_realm;
+    bool send_pac;
     bool use_enterprise_princ;
 
     char *fast_ccname;
@@ -987,9 +987,9 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
         goto done;
     }
 
-    /* Try to find and send the PAC to the PAC responder for principals which
-     * do not belong to our realm. Failures are not critical. */
-    if (kr->upn_from_different_realm) {
+    /* Try to find and send the PAC to the PAC responder.
+     * Failures are not critical. */
+    if (kr->send_pac) {
         kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
                                kr->creds->client, keytab, &pac_authdata);
         if (kerr != 0) {
@@ -1551,7 +1551,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
     size_t p = 0;
     uint32_t len;
     uint32_t validate;
-    uint32_t different_realm;
+    uint32_t send_pac;
     uint32_t use_enterprise_princ;
     struct pam_data *pd;
     errno_t ret;
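Review bot: The `bool send_pac` member added to `struct krb5child_req` in krb5_auth.h is neither written nor read anywhere in this commit; create_send_buffer in krb5_child_handler.c computes the flag into a local `uint32_t send_pac` and the child reads it off the wire into its own `struct krb5_req`, so the request-side field is dead. Either drop it, or have create_send_buffer record the decision in it (`kr->send_pac = ...;`) so the caller side can see what was sent to the child. If it is reserved for a follow-up, a one-line comment saying so would avoid confusing it with the same-named field in krb5_child.c.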
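Review bot: The rewritten comment in validate_tgt no longer tells the reader who decides whether the PAC is extracted; the policy now lives entirely in the parent (create_send_buffer in krb5_child_handler.c sets the flag to 1 for every non-IPA context and, for IPA, only when the UPN is from a different realm), so someone reading krb5_child.c cannot tell when this branch runs. Suggest `/* The parent decides via the send_pac flag whether the PAC should be extracted and sent to the PAC responder; failures here are not critical. */`. validate_tgt starts and ends outside the hunk.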
@@ -1573,8 +1573,8 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
     SAFEALIGN_COPY_UINT32_CHECK(&validate, buf + p, size, &p);
     kr->validate = (validate == 0) ? false : true;
     SAFEALIGN_COPY_UINT32_CHECK(offline, buf + p, size, &p);
-    SAFEALIGN_COPY_UINT32_CHECK(&different_realm, buf + p, size, &p);
-    kr->upn_from_different_realm = (different_realm == 0) ? false : true;
+    SAFEALIGN_COPY_UINT32_CHECK(&send_pac, buf + p, size, &p);
+    kr->send_pac = (send_pac == 0) ? false : true;
     SAFEALIGN_COPY_UINT32_CHECK(&use_enterprise_princ, buf + p, size, &p);
     kr->use_enterprise_princ = (use_enterprise_princ == 0) ? false : true;
     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 292ba00b..161fa269 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -129,7 +129,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     size_t rp;
     const char *keytab;
     uint32_t validate;
-    uint32_t different_realm;
+    uint32_t send_pac;
     uint32_t use_enterprise_principal;
     size_t username_len = 0;
     errno_t ret;
@@ -141,7 +141,13 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     }
 
     validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 1 : 0;
-    different_realm = kr->upn_from_different_realm ? 1 : 0;
+
+    /* Always send PAC except for local IPA users */
+    if (kr->krb5_ctx->is_ipa) {
+        send_pac = kr->upn_from_different_realm ? 1 : 0;
+    } else {
+        send_pac = 1;
+    }
     use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
                                                KRB5_USE_ENTERPRISE_PRINCIPAL) ? 1 : 0;
 
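Review bot: The comment `/* Always send PAC except for local IPA users */` in create_send_buffer is less precise than the condition below it: with `is_ipa` set, the PAC is sent exactly when `upn_from_different_realm` is true, so "local" here means "UPN belongs to the IPA realm", which is worth spelling out since that is the case where the PAC responder is deliberately bypassed. The if/else also reduces to a single expression in the file's existing `? 1 : 0` style, `send_pac = (!kr->krb5_ctx->is_ipa || kr->upn_from_different_realm) ? 1 : 0;`. Note that `is_ipa` is only ever set to true in ipa_init.c, so every other provider relies on the krb5_ctx being zero-initialised at allocation, which these hunks cannot confirm. create_send_buffer continues outside the hunk.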
@@ -184,7 +190,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->gid, &rp);
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &validate, &rp);
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->is_offline, &rp);
-    SAFEALIGN_COPY_UINT32(&buf->data[rp], &different_realm, &rp);
+    SAFEALIGN_COPY_UINT32(&buf->data[rp], &send_pac, &rp);
     SAFEALIGN_COPY_UINT32(&buf->data[rp], &use_enterprise_principal, &rp);
     SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->upn), &rp);
 
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index eb563888..501cdef1 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -129,6 +129,8 @@ struct krb5_ctx {
 
     bool use_fast;
     hash_table_t *wait_queue_hash;
+
+    bool is_ipa;
 };
 
 struct remove_info_files_ctx {
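Review bot: The new `is_ipa` member of `struct krb5_ctx` in krb5_common.h carries no comment, and its meaning is only discoverable by reading ipa_init.c (the single place that sets it to true) and create_send_buffer in krb5_child_handler.c (the single place that reads it). Suggest documenting it in the header as `/* Set by the IPA auth provider; create_send_buffer() uses it to send the PAC to the krb5_child only for UPNs from a different realm. */`. Since nothing in the diff initialises it for the other providers, the comment should also state that it is expected to be false through zero-initialisation of the context, so a future non-zeroing allocation path does not silently flip the PAC policy.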