From fa4a9c4afcc0c62a693034e21f33356e64735687 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 24 Jun 2013 20:59:53 +0200 Subject: krb5: do not send pac for IPA users from the local domain So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make it's purpose more clear. Fixes https://fedorahosted.org/sssd/ticket/1995 --- src/providers/krb5/krb5_auth.h | 1 + 1 file changed, 1 insertion(+) (limited to 'src/providers/krb5/krb5_auth.h') diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h index cf290ca0..d31925da 100644 --- a/src/providers/krb5/krb5_auth.h +++ b/src/providers/krb5/krb5_auth.h @@ -55,6 +55,7 @@ struct krb5child_req { bool valid_tgt; bool run_as_user; bool upn_from_different_realm; + bool send_pac; }; errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd, -- cgit