Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ad/ad_init.c | 1 | ||||
-rw-r--r-- | src/providers/ipa/ipa_init.c | 8 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 16 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.h | 8 | ||||
-rw-r--r-- | src/providers/krb5/krb5_init.c | 1 |
5 files changed, 27 insertions, 7 deletions
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index c5d3fac2..39230767 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -254,6 +254,7 @@ sssm_ad_auth_init(struct be_ctx *bectx,
 goto done;
 }
+ krb5_auth_ctx->config_type = K5C_GENERIC;
 krb5_auth_ctx->service = ad_options->service->krb5_service;
 ret = ad_get_auth_options(krb5_auth_ctx, ad_options, bectx,
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index fe13b187..407ab166 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -300,7 +300,13 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
 goto done;
 }
 krb5_auth_ctx->service = ipa_options->service->krb5_service;
- krb5_auth_ctx->is_ipa = true;
+
+ if (dp_opt_get_bool(id_ctx->ipa_options->basic,
+ IPA_SERVER_MODE) == true) {
+ krb5_auth_ctx->config_type = K5C_IPA_SERVER;
+ } else {
+ krb5_auth_ctx->config_type = K5C_IPA_CLIENT;
+ }
 ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx;
 ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path,
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 044c2719..8117d1e5 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -142,11 +142,17 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
 validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 1 : 0;
- /* Always send PAC except for local IPA users */
- if (kr->krb5_ctx->is_ipa) {
- send_pac = kr->upn_from_different_realm ? 1 : 0;
- } else {
- send_pac = 1;
+ /* Always send PAC except for local IPA users and IPA server mode */
+ switch (kr->krb5_ctx->config_type) {
+ case K5C_IPA_CLIENT:
+ send_pac = kr->upn_from_different_realm ? 1 : 0;
+ break;
+ case K5C_IPA_SERVER:
+ send_pac = 0;
+ break;
+ default:
+ send_pac = 1;
+ break;
 }
 if (kr->pd->cmd == SSS_CMD_RENEW) {
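Review bot: In the ipa_init.c hunk, the added `if` in sssm_ipa_auth_init reads IPA_SERVER_MODE through `id_ctx->ipa_options->basic`, while the neighbouring lines of the same hunk use `ipa_options` directly. This option now decides whether the PAC is forwarded for IPA users (see the switch in krb5_child_handler.c), so the source of the value should be unambiguous. If both names refer to the same options object, which the hunk does not show, prefer `if (dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE)) {`, which also drops the redundant `== true`; if they can differ, a one-line comment saying why the id context's copy is authoritative would help. The function body starts and ends outside the hunk, so whether `id_ctx` is guaranteed to be set at this point cannot be checked from these lines.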
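Review bot: In create_send_buffer (krb5_child_handler.c), the new switch sends the PAC from its `default:` branch, so any `krb5_config_type` value added later silently gets `send_pac = 1`, and with a `default:` present `-Wswitch` will not flag the unhandled enumerator. Listing `case K5C_GENERIC:` explicitly for the `send_pac = 1;` arm makes the always-send behaviour a deliberate choice per mode rather than a fallback. The comment says IPA server mode never sends the PAC but not why; because this flag controls which authorization data gets processed after login, I would extend it to something like `/* IPA server mode: PAC is not sent from here because <reason> */`, with the reason supplied by the author. The function continues outside the hunk, so how `send_pac` interacts with `validate` further down is not visible here.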
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 27089ab9..e56bd496 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -91,6 +91,12 @@ struct deferred_auth_ctx;
 struct renew_tgt_ctx;
 struct sss_krb5_cc_be;
+enum krb5_config_type {
+ K5C_GENERIC,
+ K5C_IPA_CLIENT,
+ K5C_IPA_SERVER
+};
+
 struct krb5_ctx {
 /* opts taken from kinit */
 /* in seconds */
@@ -130,7 +136,7 @@ struct krb5_ctx {
 hash_table_t *wait_queue_hash;
- bool is_ipa;
+ enum krb5_config_type config_type;
 };
 struct remove_info_files_ctx {
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index c6ec496e..91f701a1 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -98,6 +98,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
 ctx->action = INIT_PW;
 ctx->opts = krb5_options->opts;
+ ctx->config_type = K5C_GENERIC;
 krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
 krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC); |
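Review bot: The new `enum krb5_config_type` in krb5_common.h has no comment, although its value now decides PAC handling in create_send_buffer. A short doc comment on the enum would help, along the lines of `/* K5C_GENERIC: plain krb5 or AD provider; K5C_IPA_CLIENT: IPA client; K5C_IPA_SERVER: IPA provider in server mode */`, with the wording checked by the author. It is also worth stating that `K5C_GENERIC` is deliberately first: it has the value 0, so a zero-initialised `struct krb5_ctx` falls back to the generic mode, which is the one that always sends the PAC. The second hunk removes `bool is_ipa`; the diffstat on this page is limited to src/providers, so any remaining reader of `is_ipa` elsewhere in the tree cannot be ruled out from here.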