Diffstat (limited to 'src/providers/krb5')
-rw-r--r-- | src/providers/krb5/krb5_common.c | 30 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.h | 6 | ||||
-rw-r--r-- | src/providers/krb5/krb5_init.c | 17 | ||||
-rw-r--r-- | src/providers/krb5/krb5_opts.h | 1 |
4 files changed, 36 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index e60e6e0e..9db14b8a 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c @@ -452,18 +452,20 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server) return; } - safe_address = talloc_asprintf_append(safe_address, ":%d", - fo_get_server_port(server)); - if (safe_address == NULL) { - DEBUG(1, ("talloc_asprintf_append failed.\n")); - talloc_free(tmp_ctx); - return; - } + if (krb5_service->write_kdcinfo) { + safe_address = talloc_asprintf_append(safe_address, ":%d", + fo_get_server_port(server)); + if (safe_address == NULL) { + DEBUG(1, ("talloc_asprintf_append failed.\n")); + talloc_free(tmp_ctx); + return; + } - ret = write_krb5info_file(krb5_service->realm, safe_address, - krb5_service->name); - if (ret != EOK) { - DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); + ret = write_krb5info_file(krb5_service->realm, safe_address, + krb5_service->name); + if (ret != EOK) { + DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); + } } talloc_free(tmp_ctx); @@ -620,7 +622,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, const char *service_name, const char *primary_servers, const char *backup_servers, - const char *realm, struct krb5_service **_service) + const char *realm, + bool use_kdcinfo, + struct krb5_service **_service) { TALLOC_CTX *tmp_ctx; struct krb5_service *service; @@ -655,6 +659,8 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, goto done; } + service->write_kdcinfo = use_kdcinfo; + if (!primary_servers) { DEBUG(SSSDBG_CONF_SETTINGS, ("No primary servers defined, using service discovery\n")); diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index 85049360..eb563888 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h 
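Review bot: When `krb5_service->write_kdcinfo` is false, krb5_resolve_callback now skips write_krb5info_file() without leaving any trace, so a debug log gives no hint that libkrb5 is presumably no longer being handed the address SSSD's failover code resolved. An `else` branch such as `DEBUG(SSSDBG_CONF_SETTINGS, ("krb5_use_kdcinfo is disabled, not writing kdcinfo file\n"));` would make that visible when someone investigates which KDC was contacted. The hunk also does not show whether a kdcinfo file left by an earlier run with the option enabled is removed; if it is not, the stale address may still be used, so the cleanup path around remove_krb5_info_files_callback (outside this diff) is worth confirming. The function starts above the hunk.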
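Review bot: The new `use_kdcinfo` parameter of krb5_service_init is stored as `service->write_kdcinfo`, and neither name is documented, so a reader of the prototype cannot tell that false means no info file is written for this service. I would settle on one name and comment the field in krb5_common.h, e.g. `bool write_kdcinfo; /* publish resolved server address via write_krb5info_file() */`; the same applies to the prototype hunk in that header. Callers of krb5_service_init outside src/providers/krb5 are not visible in this limited diffstat; it is worth confirming they take the value from the configured option and not a hard-coded constant. The function body continues outside both hunks.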
@@ -66,6 +66,7 @@ enum krb5_opts { KRB5_FAST_PRINCIPAL, KRB5_CANONICALIZE, KRB5_USE_ENTERPRISE_PRINCIPAL, + KRB5_USE_KDCINFO, KRB5_OPTS }; @@ -82,6 +83,7 @@ struct tgt_times { struct krb5_service { char *name; char *realm; + bool write_kdcinfo; }; struct fo_service; @@ -153,7 +155,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, const char *service_name, const char *primary_servers, const char *backup_servers, - const char *realm, struct krb5_service **_service); + const char *realm, + bool use_kdcinfo, + struct krb5_service **_service); void remove_krb5_info_files_callback(void *pvt); diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c index 1821d5b3..c6ec496e 100644 --- a/src/providers/krb5/krb5_init.c +++ b/src/providers/krb5/krb5_init.c @@ -108,8 +108,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, return EINVAL; } - ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers, - krb5_backup_servers, krb5_realm, &ctx->service); + ret = krb5_service_init(ctx, bectx, + SSS_KRB5KDC_FO_SRV, krb5_servers, + krb5_backup_servers, krb5_realm, + dp_opt_get_bool(krb5_options->opts, + KRB5_USE_KDCINFO), + &ctx->service); if (ret != EOK) { DEBUG(0, ("Failed to init KRB5 failover service!\n")); return ret; @@ -130,9 +134,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, "will use KDC for pasword change operations!\n")); ctx->kpasswd_service = NULL; } else { - ret = krb5_service_init(ctx, bectx, SSS_KRB5KPASSWD_FO_SRV, - krb5_kpasswd_servers, krb5_backup_kpasswd_servers, - krb5_realm, &ctx->kpasswd_service); + ret = krb5_service_init(ctx, bectx, + SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers, + krb5_backup_kpasswd_servers, krb5_realm, + dp_opt_get_bool(krb5_options->opts, + KRB5_USE_KDCINFO), + &ctx->kpasswd_service); if (ret != EOK) { DEBUG(0, ("Failed to init KRB5KPASSWD failover service!\n")); return ret; diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h index c8e64782..400b7e33 100644 
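Review bot: Both krb5_service_init calls in sssm_krb5_auth_init repeat `dp_opt_get_bool(krb5_options->opts, KRB5_USE_KDCINFO)` inline. Reading it once, `bool use_kdcinfo = dp_opt_get_bool(krb5_options->opts, KRB5_USE_KDCINFO);`, and passing the local to both calls keeps the KDC and kpasswd services from diverging if one call is edited later. Since the single option also governs the SSS_KRB5KPASSWD_FO_SRV service, a short comment at the second call saying that `krb5_use_kdcinfo` covers the kpasswd info file too would save the next reader a lookup. sssm_krb5_auth_init starts and ends outside these hunks.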
--- a/src/providers/krb5/krb5_opts.h +++ b/src/providers/krb5/krb5_opts.h @@ -44,6 +44,7 @@ struct dp_option default_krb5_opts[] = { { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, DP_OPTION_TERMINATOR }; |