Diffstat (limited to 'server')
-rw-r--r-- | server/confdb/confdb.h | 1 | ||||
-rw-r--r-- | server/man/sssd-krb5.5.xml | 30 | ||||
-rw-r--r-- | server/providers/krb5/krb5_auth.c | 9 | ||||
-rw-r--r-- | server/providers/krb5/krb5_auth.h | 1 |
4 files changed, 17 insertions, 24 deletions
diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h index eef9a260..8f64be48 100644 --- a/server/confdb/confdb.h +++ b/server/confdb/confdb.h @@ -100,7 +100,6 @@ #define CONFDB_KRB5_REALM "krb5_realm" #define CONFDB_KRB5_CCACHEDIR "krb5_ccachedir" #define CONFDB_KRB5_CCNAME_TMPL "krb5_ccname_template" -#define CONFDB_KRB5_TRY_SIMPLE_UPN "krb5_try_simple_upn" #define CONFDB_KRB5_CHANGEPW_PRINC "krb5_changepw_principle" #define CONFDB_KRB5_AUTH_TIMEOUT "krb5_auth_timeout" diff --git a/server/man/sssd-krb5.5.xml b/server/man/sssd-krb5.5.xml index 4de89919..e90e6f47 100644 --- a/server/man/sssd-krb5.5.xml +++ b/server/man/sssd-krb5.5.xml @@ -32,6 +32,22 @@ <manvolnum>5</manvolnum> </citerefentry> manual page </para> + <para> + The Kerberos 5 authentication backend does not contain an identity + provider and must be paired with one in order to function properly (for + example, id_provider = ldap). Some information required by the Kerberos + 5 authentication backend must be provided by the identity provider, such + as the user's Kerberos Principal Name (UPN). The configuration of the + identity provider should have an entry to specify the UPN. Please refer + to the man page for the applicable identity provider for details on how + to configure this. + </para> + <para> + In the case where the UPN is not available in the identity backend + <command>sssd</command> will construct a UPN using the format + <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>. + </para> + </refsect1> <refsect1 id='file-format'> @@ -64,20 +80,6 @@ </varlistentry> <varlistentry> - <term>krb5_try_simple_upn (boolean)</term> - <listitem> - <para> - Set this option to 'true' - if an User Principle Name (UPN) cannot be found in sysdb - and you want to use an UPN like 'username@realm'. - </para> - <para> - Default: false - </para> - </listitem> - </varlistentry> - - <varlistentry> <term>krb5_changepw_principle (string)</term> <listitem> <para> 
diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index 05f21be1..58f4edda 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -644,7 +644,7 @@ static void get_user_upn_done(void *pvt, int err, struct ldb_result *res) case 1: pd->upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL); - if (pd->upn == NULL && krb5_ctx->try_simple_upn) { + if (pd->upn == NULL) { /* NOTE: this is a hack, works only in some environments */ if (krb5_ctx->realm != NULL) { pd->upn = talloc_asprintf(be_req, "%s@%s", pd->user, @@ -865,7 +865,6 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, { struct krb5_ctx *ctx = NULL; char *value = NULL; - bool bool_value; int int_value; int ret; struct tevent_signal *sige; @@ -934,12 +933,6 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, } ctx->ccname_template = value; - ret = confdb_get_bool(bectx->cdb, ctx, bectx->conf_path, - CONFDB_KRB5_TRY_SIMPLE_UPN, false, - &bool_value); - if (ret != EOK) goto fail; - ctx->try_simple_upn = bool_value; - ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path, CONFDB_KRB5_CHANGEPW_PRINC, "kadmin/changepw", diff --git a/server/providers/krb5/krb5_auth.h b/server/providers/krb5/krb5_auth.h index 9a7807e8..e70f5d3a 100644 --- a/server/providers/krb5/krb5_auth.h +++ b/server/providers/krb5/krb5_auth.h @@ -88,7 +88,6 @@ struct krb5_ctx { char *kdcip; char *realm; - bool try_simple_upn; char *changepw_principle; char *ccache_dir; char *ccname_template; |
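Review bot: In get_user_upn_done the `user@realm` guess now runs for every account with no SYSDB_UPN, but the comment under the new `if (pd->upn == NULL) {` still calls it a hack that "works only in some environments". Deployments that left `krb5_try_simple_upn` at its old default of false appear to have had no such fallback for these users. They will now authenticate against a constructed principal, which may belong to someone else if the identity provider and the Kerberos realm do not share a namespace. I would replace the comment with something like `/* No UPN in sysdb: fall back to user@krb5_realm. This is a guess; the principal may not match this user if the id provider and the realm name users differently. */` and add a debug-level log line when the fallback is taken, so the constructed UPN is visible in the logs. The function body continues outside the hunk, so whether the `talloc_asprintf` result is checked for NULL cannot be judged from here.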