Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_common.h2
-rw-r--r--src/providers/krb5/krb5_init.c17
-rw-r--r--src/providers/krb5/krb5_opts.h2
3 files changed, 17 insertions, 4 deletions
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 337fcf55..51bd2677 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -49,6 +49,7 @@
enum krb5_opts {
KRB5_KDC = 0,
+ KRB5_BACKUP_KDC,
KRB5_REALM,
KRB5_CCACHEDIR,
KRB5_CCNAME_TMPL,
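Review bot: KRB5_BACKUP_KDC is inserted in the middle of enum krb5_opts (and KRB5_BACKUP_KPASSWD in the next hunk), so every later enumerator shifts by one or two positions. default_krb5_opts[] in krb5_opts.h is updated at the matching positions in this commit, but the diffstat is limited to src/providers/krb5, so any other dp_option table indexed by this enum elsewhere in the tree cannot be checked from here; a table left unchanged would silently read the wrong option. A comment on the enum such as `/* order must match default_krb5_opts[] and every other table indexed by enum krb5_opts */` would make the coupling explicit. The enum body continues outside the hunk.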
@@ -56,6 +57,7 @@ enum krb5_opts {
KRB5_KEYTAB,
KRB5_VALIDATE,
KRB5_KPASSWD,
+ KRB5_BACKUP_KPASSWD,
KRB5_STORE_PASSWORD_IF_OFFLINE,
KRB5_RENEWABLE_LIFETIME,
KRB5_LIFETIME,
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index 60c18a8f..a7b06fdf 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -61,7 +61,9 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
struct krb5_ctx *ctx = NULL;
int ret;
const char *krb5_servers;
+ const char *krb5_backup_servers;
const char *krb5_kpasswd_servers;
+ const char *krb5_backup_kpasswd_servers;
const char *krb5_realm;
const char *errstr;
int errval;
@@ -98,9 +100,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
ctx->opts = krb5_options->opts;
krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
- if (krb5_servers == NULL) {
- DEBUG(SSSDBG_CONF_SETTINGS, ("Missing krb5_server option, using service discovery!\n"));
- }
+ krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC);
krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM);
if (krb5_realm == NULL) {
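Review bot: A configuration that sets only krb5_backup_server reaches krb5_service_init with a NULL primary list and a non-NULL backup list, because the KDC path has no counterpart to the promotion the later hunk of this file adds for kpasswd (`krb5_kpasswd_servers = krb5_backup_kpasswd_servers;`). Whether krb5_service_init copes with that combination is not visible in this diff, so either promote the backup in the same way or reject the configuration. The removed "using service discovery" message was also the only log trace of an unset krb5_server; it could be kept for the case where both are unset, e.g. `if (krb5_servers == NULL && krb5_backup_servers == NULL) {` around the original DEBUG line. In the kpasswd hunk the promotion is logged at SSSDBG_CONF_SETTINGS while the neighbouring messages use level 0; since it changes which host receives password-change traffic, logging it at the same level as its neighbours would make it easier to spot. sssm_krb5_auth_init starts and ends outside these hunks.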
@@ -109,13 +109,22 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
}
ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers,
- NULL, krb5_realm, &ctx->service);
+ krb5_backup_servers, krb5_realm, &ctx->service);
if (ret != EOK) {
DEBUG(0, ("Failed to init KRB5 failover service!\n"));
return ret;
}
krb5_kpasswd_servers = dp_opt_get_string(ctx->opts, KRB5_KPASSWD);
+ krb5_backup_kpasswd_servers = dp_opt_get_string(ctx->opts,
+ KRB5_BACKUP_KPASSWD);
+ if (krb5_kpasswd_servers == NULL && krb5_backup_kpasswd_servers != NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("kpasswd server wasn't specified but "
+ "backup kpasswd given. Using it as primary\n"));
+ krb5_kpasswd_servers = krb5_backup_kpasswd_servers;
+ krb5_backup_kpasswd_servers = NULL;
+ }
+
if (krb5_kpasswd_servers == NULL && krb5_servers != NULL) {
DEBUG(0, ("Missing krb5_kpasswd option and KDC set explicitly, "
"will use KDC for pasword change operations!\n"));
diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h
index 9de93b0c..dc9b1764 100644
--- a/src/providers/krb5/krb5_opts.h
+++ b/src/providers/krb5/krb5_opts.h
@@ -27,6 +27,7 @@
struct dp_option default_krb5_opts[] = {
{ "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { DEFAULT_CCNAME_TEMPLATE }, NULL_STRING},
@@ -34,6 +35,7 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
{ "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },