summaryrefslogtreecommitdiff
path: root/src/providers
diff options
context:
space:
mode:
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/krb5/krb5_common.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index c6865c09..940cc373 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -155,7 +155,12 @@ errno_t check_and_export_options(struct dp_option *opts,
}
}
- if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) {
+ /* In contrast to MIT KDCs AD does not automatically canonicalize the
+ * enterprise principal in an AS request but requires the canonicalize
+ * flags to be set. To be on the safe side we always enable
+ * canonicalization if enterprise principals are used. */
+ if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)
+ || dp_opt_get_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL)) {
ret = setenv(SSSD_KRB5_CANONICALIZE, "true", 1);
} else {
ret = setenv(SSSD_KRB5_CANONICALIZE, "false", 1);
generated by cgit (git 2.34.1) at 2024-11-29 21:52:04 +0000