author | Alexander Bokovoy <abokovoy@redhat.com> | 2014-12-05 21:22:23 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2015-02-16 16:29:59 +0100 |
commit | 92c3a9f1fd732a8e276bd3dd1420f5e2f6d0bf92 (patch) | |
tree | 891646959e9ba01e3f6cf1ff840eedf22b92992e /daemons/ipa-kdb/ipa_kdb_mspac.c | |
parent | 5247c0c4e2e2e02180e4cbf56aa68df57d1a8cf9 (diff) | |
ipa-kdb: when processing transitions, hand over unknown ones to KDC
When processing cross-realm trust transitions, let the KDC handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.
https://fedorahosted.org/freeipa/ticket/4791
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_mspac.c')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 0f47d1f4b..88c432116 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -2685,7 +2685,8 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext, } } - ret = KRB5KRB_AP_ERR_ILL_CR_TKT; + /* Tell to KDC that we don't handle this transition so that rules in krb5.conf could play its role */ + ret = KRB5_PLUGIN_NO_HANDLE; if (has_client_realm && has_transited_contents && has_server_realm) { ret = 0; } |
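Review bot: The new default `ret = KRB5_PLUGIN_NO_HANDLE;` in ipadb_check_transited_realms means this function no longer fails closed by itself: every case where the final `if (has_client_realm && has_transited_contents && has_server_realm)` does not fire used to end in a hard KRB5KRB_AP_ERR_ILL_CR_TKT rejection and is now deferred, so the outcome rests on what the KDC does with the transition afterwards, which per the commit message is the [capaths] configuration in krb5.conf. Please state in the comment, or in the function's header comment, that rejecting unknown transitions is now the KDC's responsibility, and consider whether any of the cases that reach this default are known-bad rather than merely unknown and should keep the explicit error. The added comment is also a single long line and reads awkwardly; something like "Tell the KDC we don't handle this transition so that rules in krb5.conf can apply", split over two lines, would be clearer.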