From fa4a9c4afcc0c62a693034e21f33356e64735687 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 24 Jun 2013 20:59:53 +0200 Subject: krb5: do not send pac for IPA users from the local domain So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make it's purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995 --- src/providers/ipa/ipa_init.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src/providers/ipa') diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index ece62bb8..77a51433 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -300,6 +300,7 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, goto done; } krb5_auth_ctx->service = ipa_options->service->krb5_service; + krb5_auth_ctx->is_ipa = true; ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx; ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path, -- cgit