-rw-r--r--src/config/SSSDConfig.py1
-rwxr-xr-xsrc/config/SSSDConfigTest.py3
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf2
-rw-r--r--src/config/etc/sssd.api.d/sssd-krb5.conf2
-rw-r--r--src/man/sssd-krb5.5.xml15
-rw-r--r--src/providers/ipa/ipa_common.c1
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/krb5/krb5_auth.h1
-rw-r--r--src/providers/krb5/krb5_child.c34
-rw-r--r--src/providers/krb5/krb5_common.c27
-rw-r--r--src/providers/krb5/krb5_common.h2
11 files changed, 26 insertions, 64 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 7b9d96c9..a05b5334 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -103,7 +103,6 @@ option_strings = {
'krb5_store_password_if_offline' : _("Store password if offline for later online authentication"),
# [provider/krb5/chpass]
- 'krb5_changepw_principal' : _('The principal of the change password service'),
'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
# [provider/ldap]
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index ea897d71..8cbb0f91 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -739,8 +739,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
#Test looking up all provider values
options = domain.list_provider_options('krb5')
- control_list.extend(['krb5_changepw_principal',
- 'krb5_kpasswd'])
+ control_list.extend(['krb5_kpasswd'])
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 2d267bd0..ac681710 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -81,4 +81,4 @@ ldap_pwd_policy = str, None, false
[provider/ipa/access]
[provider/ipa/chpass]
-krb5_changepw_principal = str, None, false
+
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index eeb8fe13..76ef8b5b 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -12,4 +12,4 @@ krb5_validate = bool, None, false
krb5_store_password_if_offline = bool, None, false
[provider/krb5/chpass]
-krb5_changepw_principal = str, None, false
+
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index e78fd767..489a5072 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -90,21 +90,6 @@
</varlistentry>
<varlistentry>
- <term>krb5_changepw_principal (string)</term>
- <listitem>
- <para>
- The priciple of the change password service.
- If only the 'identifier/instance' part of the
- principal are given the realm part is added
- automatically.
- </para>
- <para>
- Default: kadmin/changepw
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term>krb5_kpasswd (string)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 580b66f4..3ada423e 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -121,7 +121,6 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
- { "krb5_changepw_principal", DP_OPT_STRING, { "kadmin/changepw" }, NULL_STRING },
{ "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index fe9ca541..3b40e41e 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 10
+#define IPA_KRB5_OPTS_TEST 9
enum ipa_basic_opt {
IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index 293375da..9dbf7c6d 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -33,7 +33,6 @@
#include "providers/krb5/krb5_common.h"
#define CCACHE_ENV_NAME "KRB5CCNAME"
-#define SSSD_KRB5_CHANGEPW_PRINCIPLE "SSSD_KRB5_CHANGEPW_PRINCIPLE"
#define ILLEGAL_PATH_PATTERN "//|/\\./|/\\.\\./"
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 18b7a220..b538c841 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -36,6 +36,8 @@
#include "providers/krb5/krb5_auth.h"
#include "providers/krb5/krb5_utils.h"
+#define SSSD_KRB5_CHANGEPW_PRINCIPLE "kadmin/changepw"
+
struct krb5_child_ctx {
/* opts taken from kinit */
/* in seconds */
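Review bot: The new macro at `#define SSSD_KRB5_CHANGEPW_PRINCIPLE "kadmin/changepw"` reuses the identifier that, until this commit, named an environment variable (the definitions removed from krb5_auth.h and krb5_common.h in this same change), but it now holds the principal string itself, and the "PRINCIPLE" spelling of "principal" is carried over with it. A distinct name avoids confusing the two meanings when reading history or grep output, e.g. `/* Change-password service principal; the realm is appended at runtime. */` followed by `#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"`, with the two uses in changepw_child and tgt_req_child updated to match. The struct krb5_child_ctx that begins at the end of this hunk continues outside it.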
@@ -63,7 +65,6 @@ struct krb5_child_ctx {
char *kdcip;
char *realm;
- char *changepw_principle;
char *ccache_dir;
char *ccname_template;
int auth_timeout;
@@ -571,6 +572,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
char *user_error_message = NULL;
size_t user_resp_len;
uint8_t *user_resp;
+ char *changepw_princ = NULL;
krb5_prompter_fct prompter = sss_krb5_prompter;
pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok,
@@ -581,6 +583,14 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
goto sendresponse;
}
+ changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE,
+ kr->krb5_ctx->realm);
+ if (changepw_princ == NULL) {
+ DEBUG(1, ("talloc_asprintf failed.\n"));
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto sendresponse;
+ }
+
if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
/* We do not need a password expiration warning here. */
prompter = NULL;
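Review bot: The added `changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE, kr->krb5_ctx->realm);` formats kr->krb5_ctx->realm without checking it; if krb5_setup can complete with realm still NULL (the hunk ending at L207 shows only the DEBUG for that case, its handling is cut off), "%s" would receive a NULL pointer, whereas the removed check_and_export_options path validated the principal before exporting it. The same seven lines are added again in tgt_req_child (the hunk ending at L181), so a small static helper that performs the realm check once and builds the string would reduce both call sites to a NULL test and a goto. Both changepw_child and tgt_req_child start and end outside their hunks.
```c
/* Build "kadmin/changepw@REALM" for the in_tkt_service argument of
 * krb5_get_init_creds_password(); returns NULL (already logged) on error. */
static char *build_changepw_princ(struct krb5_req *kr)
{
    if (kr->krb5_ctx->realm == NULL) {
        DEBUG(1, ("Realm is not set, cannot build change password principal.\n"));
        return NULL;
    }
    return talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE,
                           kr->krb5_ctx->realm);
}

/* … unchanged: changepw_child prologue and pass_str setup … */
    changepw_princ = build_changepw_princ(kr);
    if (changepw_princ == NULL) {
        kerr = KRB5KRB_ERR_GENERIC;
        goto sendresponse;
    }
```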
@@ -588,7 +598,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
pass_str, prompter, kr, 0,
- kr->krb5_ctx->changepw_principle,
+ changepw_princ,
kr->options);
if (kerr != 0) {
KRB5_DEBUG(1, kerr);
@@ -702,6 +712,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
int ret;
krb5_error_code kerr = 0;
char *pass_str = NULL;
+ char *changepw_princ = NULL;
int pam_status = PAM_SYSTEM_ERR;
pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok,
@@ -712,6 +723,14 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
goto sendresponse;
}
+ changepw_princ = talloc_asprintf(kr, "%s@%s", SSSD_KRB5_CHANGEPW_PRINCIPLE,
+ kr->krb5_ctx->realm);
+ if (changepw_princ == NULL) {
+ DEBUG(1, ("talloc_asprintf failed.\n"));
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto sendresponse;
+ }
+
kerr = get_and_save_tgt(kr, pass_str);
/* If the password is expired the KDC will always return
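Review bot: In tgt_req_child the principal string is built before `kerr = get_and_save_tgt(kr, pass_str);` although it is consumed only in the `if (kerr == KRB5KDC_ERR_KEY_EXP)` branch of the next hunk, so every TGT request pays the allocation and an allocation failure aborts a request that would otherwise succeed. Moving the talloc_asprintf and its NULL check into that branch keeps the common authentication path unchanged. The function continues outside the hunk.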
@@ -721,7 +740,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
if (kerr == KRB5KDC_ERR_KEY_EXP) {
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
pass_str, sss_krb5_prompter, kr, 0,
- kr->krb5_ctx->changepw_principle,
+ changepw_princ,
kr->options);
krb5_free_cred_contents(kr->ctx, kr->creds);
if (kerr == 0) {
@@ -872,15 +891,6 @@ static int krb5_setup(struct krb5_req *kr, uint32_t offline)
goto failed;
}
- kr->krb5_ctx->changepw_principle = getenv(SSSD_KRB5_CHANGEPW_PRINCIPLE);
- if (kr->krb5_ctx->changepw_principle == NULL) {
- DEBUG(1, ("Cannot read [%s] from environment.\n",
- SSSD_KRB5_CHANGEPW_PRINCIPLE));
- if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
- goto failed;
- }
- }
-
kr->krb5_ctx->realm = getenv(SSSD_KRB5_REALM);
if (kr->krb5_ctx->realm == NULL) {
DEBUG(2, ("Cannot read [%s] from environment.\n", SSSD_KRB5_REALM));
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index fbc30889..57d7b1d0 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -36,7 +36,6 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
- { "krb5_changepw_principal", DP_OPT_STRING, { "kadmin/changepw" }, NULL_STRING },
{ "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 15 }, NULL_NUMBER },
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
@@ -48,7 +47,6 @@ errno_t check_and_export_options(struct dp_option *opts,
struct sss_domain_info *dom)
{
int ret;
- char *value;
const char *realm;
const char *dummy;
@@ -90,31 +88,6 @@ errno_t check_and_export_options(struct dp_option *opts,
return EINVAL;
}
- dummy = dp_opt_get_cstring(opts, KRB5_CHANGEPW_PRINC);
- if (dummy == NULL) {
- DEBUG(1, ("Missing change password principle.\n"));
- return EINVAL;
- }
- if (strchr(dummy, '@') == NULL) {
- value = talloc_asprintf(opts, "%s@%s", dummy, realm);
- if (value == NULL) {
- DEBUG(7, ("talloc_asprintf failed.\n"));
- return ENOMEM;
- }
- ret = dp_opt_set_string(opts, KRB5_CHANGEPW_PRINC, value);
- if (ret != EOK) {
- DEBUG(1, ("dp_opt_set_string failed.\n"));
- return ret;
- }
- dummy = value;
- }
-
- ret = setenv(SSSD_KRB5_CHANGEPW_PRINCIPLE, dummy, 1);
- if (ret != EOK) {
- DEBUG(2, ("setenv %s failed, password change might fail.\n",
- SSSD_KRB5_CHANGEPW_PRINCIPLE));
- }
-
return EOK;
}
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 342481e5..f3bbbb84 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -35,7 +35,6 @@
#define SSSD_KRB5_KDC "SSSD_KRB5_KDC"
#define SSSD_KRB5_REALM "SSSD_KRB5_REALM"
-#define SSSD_KRB5_CHANGEPW_PRINCIPLE "SSSD_KRB5_CHANGEPW_PRINCIPLE"
#define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
#define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -48,7 +47,6 @@ enum krb5_opts {
KRB5_REALM,
KRB5_CCACHEDIR,
KRB5_CCNAME_TMPL,
- KRB5_CHANGEPW_PRINC,
KRB5_AUTH_TIMEOUT,
KRB5_KEYTAB,
KRB5_VALIDATE,