From 99b2ad71169aa02846f7843d26cbe28e1e1c81fe Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 28 May 2013 18:32:32 +0200
Subject: Set canonicalize flag if enterprise principals are used
In contrast to MIT KDCs AD does not automatically canonicalize the enterprise principal in an AS request but requires the canonicalize flags to be set. To be on the safe side we always enable canonicalization if enterprise principals are used.
---
 src/providers/krb5/krb5_common.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'src/providers/krb5/krb5_common.c')
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index c6865c09..940cc373 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -155,7 +155,12 @@ errno_t check_and_export_options(struct dp_option *opts,
 }
 }
- if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) {
+ /* In contrast to MIT KDCs AD does not automatically canonicalize the
+ * enterprise principal in an AS request but requires the canonicalize
+ * flags to be set. To be on the safe side we always enable
+ * canonicalization if enterprise principals are used. */
+ if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)
+ || dp_opt_get_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL)) {
 ret = setenv(SSSD_KRB5_CANONICALIZE, "true", 1);
 } else {
 ret = setenv(SSSD_KRB5_CANONICALIZE, "false", 1);
-- cgit
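Review bot: The widened condition `|| dp_opt_get_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL)` silently overrides an explicit false value of KRB5_CANONICALIZE, and nothing in the hunk records that the administrator's setting was ignored. With canonicalization on, the KDC may return a client principal that differs from the one requested, so this is a behaviour change an operator should be able to see when debugging authentication. I would extend the new comment with a line such as `* Note: this overrides an explicit KRB5_CANONICALIZE=false.` and emit a debug message when the enterprise-principal option is what forces "true". The option's user documentation should state the same dependency. The body of check_and_export_options starts and continues outside the hunk, so whether `ret` from `setenv()` is checked afterwards is not visible here.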