summaryrefslogtreecommitdiff
path: root/src/providers/ad
diff options
context:
space:
mode:
Diffstat (limited to 'src/providers/ad')
-rw-r--r--src/providers/ad/ad_common.c39
-rw-r--r--src/providers/ad/ad_opts.h2
2 files changed, 27 insertions, 14 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index ea124d96..1aad85de 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -531,21 +531,23 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
goto done;
}
- /* Write krb5 info files */
- safe_address = sss_escape_ip_address(tmp_ctx,
- srvaddr->family,
- address);
- if (safe_address == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n"));
- ret = ENOMEM;
- goto done;
- }
+ if (service->krb5_service->write_kdcinfo) {
+ /* Write krb5 info files */
+ safe_address = sss_escape_ip_address(tmp_ctx,
+ srvaddr->family,
+ address);
+ if (safe_address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
- ret = write_krb5info_file(service->krb5_service->realm, safe_address,
- SSS_KRB5KDC_FO_SRV);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("write_krb5info_file failed, authentication might fail.\n"));
+ ret = write_krb5info_file(service->krb5_service->realm, safe_address,
+ SSS_KRB5KDC_FO_SRV);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("write_krb5info_file failed, authentication might fail.\n"));
+ }
}
ret = EOK;
@@ -846,6 +848,15 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
krb5_options[KRB5_REALM].opt_name,
krb5_realm));
+ /* Set flag that controls whether we want to write the
+ * kdcinfo files at all
+ */
+ ad_opts->service->krb5_service->write_kdcinfo = \
+ dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO);
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+ ad_opts->auth[KRB5_USE_KDCINFO].opt_name,
+ ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+
*_opts = talloc_steal(mem_ctx, krb5_options);
ret = EOK;
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 218614dc..ba03c232 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -88,6 +88,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
{ "ldap_referrals", DP_OPT_BOOL, BOOL_FALSE, BOOL_TRUE },
{ "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
@@ -145,6 +146,7 @@ struct dp_option ad_def_krb5_opts[] = {
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
DP_OPTION_TERMINATOR
};
generated by cgit (git 2.34.1) at 2025-02-18 00:40:27 +0000