-rw-r--r--src/man/sssd-krb5.5.xml9
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/krb5/krb5_child.c45
-rw-r--r--src/providers/krb5/krb5_common.c12
-rw-r--r--src/providers/krb5/krb5_common.h2
6 files changed, 67 insertions, 6 deletions
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index 491e0442..04523c06 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -393,6 +393,15 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>krb5_fast_principal (string)</term>
+ <listitem>
+ <para>
+ Specifies the server principal to use for FAST.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</refsect1>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 067f2ee8..61859a98 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -164,7 +164,8 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
- { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
int ipa_get_options(TALLOC_CTX *memctx,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 588aa63e..5ff0ba4f 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 13
+#define IPA_KRB5_OPTS_TEST 14
enum ipa_basic_opt {
IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 1ed63f6b..fcd108aa 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1221,7 +1221,8 @@ done:
return krberr;
}
-static krb5_error_code check_fast_ccache(krb5_context ctx, const char *realm,
+static krb5_error_code check_fast_ccache(krb5_context ctx, const char *primary,
+ const char *realm,
const char *keytab_name,
TALLOC_CTX *mem_ctx,
char **fast_ccname)
@@ -1260,7 +1261,7 @@ static krb5_error_code check_fast_ccache(krb5_context ctx, const char *realm,
goto done;
}
- kerr = find_principal_in_keytab(ctx, keytab, NULL, realm, &client_princ);
+ kerr = find_principal_in_keytab(ctx, keytab, primary, realm, &client_princ);
if (kerr != 0) {
DEBUG(1, ("find_principal_in_keytab failed.\n"));
goto done;
@@ -1322,6 +1323,11 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
krb5_error_code kerr = 0;
char *lifetime_str;
char *use_fast_str;
+ char *tmp_str;
+ krb5_data *realm_data;
+ krb5_principal fast_princ_struct;
+ char *fast_principal = NULL;
+ const char *fast_principal_realm = NULL;
krb5_deltat lifetime;
kr->krb5_ctx = talloc_zero(kr, struct krb5_child_ctx);
@@ -1443,7 +1449,40 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
DEBUG(9, ("Not using FAST.\n"));
} else if (strcasecmp(use_fast_str, "try") == 0 ||
strcasecmp(use_fast_str, "demand") == 0) {
- kerr = check_fast_ccache(kr->ctx, kr->krb5_ctx->realm, kr->keytab,
+
+ tmp_str = getenv(SSSD_KRB5_FAST_PRINCIPAL);
+ if (!tmp_str) {
+ fast_principal = NULL;
+ fast_principal_realm = kr->krb5_ctx->realm;
+ } else {
+ kerr = krb5_parse_name(kr->ctx, tmp_str, &fast_princ_struct);
+ if (kerr) {
+ DEBUG(1, ("krb5_parse_name failed.\n"));
+ goto failed;
+ }
+ kerr = krb5_unparse_name_flags(kr->ctx, fast_princ_struct,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &tmp_str);
+ if (kerr) {
+ DEBUG(1, ("krb5_unparse_name_flags failed.\n"));
+ goto failed;
+ }
+ fast_principal = talloc_strdup(kr, tmp_str);
+ if (!fast_principal) {
+ DEBUG(1, ("talloc_strdup failed.\n"));
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto failed;
+ }
+ free(tmp_str);
+ realm_data = krb5_princ_realm(kr->ctx, fast_princ_struct);
+ fast_principal_realm = talloc_asprintf(kr, "%.*s", realm_data->length, realm_data->data);
+ if (!fast_principal_realm) {
+ DEBUG(1, ("talloc_asprintf failed.\n"));
+ goto failed;
+ }
+ }
+
+ kerr = check_fast_ccache(kr->ctx, fast_principal, fast_principal_realm, kr->keytab,
kr, &kr->fast_ccname);
if (kerr != 0) {
DEBUG(1, ("check_fast_ccache failed.\n"));
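Review bot: The principal allocated by `krb5_parse_name` into `fast_princ_struct` is not released with `krb5_free_principal` on any path visible here — neither after `krb5_princ_realm` has been read nor on the two `goto failed` exits that follow a successful parse — and `tmp_str` from `krb5_unparse_name_flags` is released with plain `free()` instead of `krb5_free_unparsed_name()` and is leaked entirely when `talloc_strdup` fails; krb5_child_setup continues outside the hunk, so confirm nothing there frees the principal before treating this as a leak. The `talloc_asprintf` failure branch also leaves `kerr` at 0 from the preceding successful call, unlike the `talloc_strdup` branch which sets `KRB5KRB_ERR_GENERIC`, so if `failed:` reports `kerr` that allocation failure looks like success. `%.*s` takes an `int` precision while `krb5_data.length` is `unsigned int`, so the argument should be cast, `(int) realm_data->length`. Initialising `fast_princ_struct = NULL` in the declaration hunk above would also let the principal be freed unconditionally at `failed:`.
```c
/* … unchanged: getenv(SSSD_KRB5_FAST_PRINCIPAL) and krb5_parse_name … */
            kerr = krb5_unparse_name_flags(kr->ctx, fast_princ_struct,
                                           KRB5_PRINCIPAL_UNPARSE_NO_REALM,
                                           &tmp_str);
            if (kerr) {
                DEBUG(1, ("krb5_unparse_name_flags failed.\n"));
                krb5_free_principal(kr->ctx, fast_princ_struct);
                goto failed;
            }
            fast_principal = talloc_strdup(kr, tmp_str);
            krb5_free_unparsed_name(kr->ctx, tmp_str);
            if (!fast_principal) {
                DEBUG(1, ("talloc_strdup failed.\n"));
                krb5_free_principal(kr->ctx, fast_princ_struct);
                kerr = KRB5KRB_ERR_GENERIC;
                goto failed;
            }
            realm_data = krb5_princ_realm(kr->ctx, fast_princ_struct);
            fast_principal_realm = talloc_asprintf(kr, "%.*s",
                                                   (int) realm_data->length,
                                                   realm_data->data);
            krb5_free_principal(kr->ctx, fast_princ_struct);
            if (!fast_principal_realm) {
                DEBUG(1, ("talloc_asprintf failed.\n"));
                kerr = KRB5KRB_ERR_GENERIC;
                goto failed;
            }
/* … unchanged: check_fast_ccache call … */
```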
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 434fc7fb..ca37ba7d 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -44,7 +44,8 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
- { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
errno_t check_and_export_lifetime(struct dp_option *opts, const int opt_id,
@@ -109,6 +110,7 @@ errno_t check_and_export_options(struct dp_option *opts,
const char *realm;
const char *dummy;
char *use_fast_str;
+ char *fast_principal;
realm = dp_opt_get_cstring(opts, KRB5_REALM);
if (realm == NULL) {
@@ -155,6 +157,14 @@ errno_t check_and_export_options(struct dp_option *opts,
ret = setenv(SSSD_KRB5_USE_FAST, use_fast_str, 1);
if (ret != EOK) {
DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_USE_FAST));
+ } else {
+ fast_principal = dp_opt_get_string(opts, KRB5_FAST_PRINCIPAL);
+ if (fast_principal != NULL) {
+ ret = setenv(SSSD_KRB5_FAST_PRINCIPAL, fast_principal, 1);
+ if (ret != EOK) {
+ DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_FAST_PRINCIPAL));
+ }
+ }
}
}
}
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index c65ff74b..d1a90c85 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -38,6 +38,7 @@
#define SSSD_KRB5_RENEWABLE_LIFETIME "SSSD_KRB5_RENEWABLE_LIFETIME"
#define SSSD_KRB5_LIFETIME "SSSD_KRB5_LIFETIME"
#define SSSD_KRB5_USE_FAST "SSSD_KRB5_USE_FAST"
+#define SSSD_KRB5_FAST_PRINCIPAL "SSSD_KRB5_FAST_PRINCIPAL"
#define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
#define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -59,6 +60,7 @@ enum krb5_opts {
KRB5_LIFETIME,
KRB5_RENEW_INTERVAL,
KRB5_USE_FAST,
+ KRB5_FAST_PRINCIPAL,
KRB5_OPTS
};