authorSumit Bose <sbose@redhat.com>2013-02-12 09:59:00 +0100
committerMartin Kosek <mkosek@redhat.com>2013-03-08 10:46:00 +0100
commit15cc21cce9d4bf7e44e1fb772afa5bb731a84227 (patch)
treeca89a3fa99bf7305aa01ebc73447b7eb1d6c678b /daemons/ipa-kdb
parentf6f8307be282e96df4fa4f35e83f1ff17403cf86 (diff)
Revert "MS-PAC: Special case NFS services"
This reverts commit 5269458f552380759c86018cd1f30b64761be92e. With the implementation of https://fedorahosted.org/freeipa/ticket/2960 a special hardcoded handling of NFS service tickets is not needed anymore.
Diffstat (limited to 'daemons/ipa-kdb')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c36
1 files changed, 1 insertions, 35 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 5071348d9..eafba9739 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -743,24 +743,6 @@ static bool is_cross_realm_krbtgt(krb5_const_principal princ)
return true;
}
-static bool is_service_of_type(krb5_const_principal princ, const char *type)
-{
- size_t len;
-
- if (princ->length < 2) {
- return false;
- }
-
- len = strlen(type);
-
- if ((princ->data[0].length == len) ||
- (strncasecmp(princ->data[0].data, type, len) == 0)) {
- return true;
- }
-
- return false;
-}
-
static char *gen_sid_string(TALLOC_CTX *memctx, struct dom_sid *dom_sid,
uint32_t rid)
{
@@ -1555,7 +1537,6 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
krb5_error_code kerr;
krb5_pac pac = NULL;
krb5_data pac_data;
- bool is_nfs = false;
/* When using s4u2proxy client_princ actually refers to the proxied user
* while client->princ to the proxy service asking for the TGS on behalf
@@ -1566,32 +1547,17 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
ks_client_princ = client->princ;
}
- /* NFS Server on Linux is limited and will choke on big tickets.
- * So avoid attachnig the PAC to nfs/ tickets for now.
- * FIXME: remove this when we have interface to support disabling
- * PACs on arbitrary services */
- if (is_service_of_type(ks_client_princ, "nfs") ||
- is_service_of_type(server->princ, "nfs")) {
- is_nfs = true;
- }
-
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
- if (is_nfs) {
- *signed_auth_data = NULL;
- kerr = 0;
- goto done;
- }
-
kerr = ipadb_get_pac(context, client, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
}
- if (!is_as_req & !is_nfs) {
+ if (!is_as_req) {
/* find the existing PAC, if present */
kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data);
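Review bot: The AS-REQ branch still lets `ENOENT` from `ipadb_get_pac()` fall through (`if (kerr != 0 && kerr != ENOENT)`) with no comment, and with the NFS early exit removed this is the only place in the hunk where a request can continue without a PAC. Since the PAC carries the client's authorization data, I would state that intent next to the check, e.g. `/* ENOENT: no PAC data for this client; pac stays NULL and is handled below */`, assuming that is what the code after the hunk does. It would also help to add a one-line comment at the `KRB5_KDB_FLAG_INCLUDE_PAC` test naming where the per-service PAC policy from ticket 2960 is applied, because nothing visible here shows that nfs/ tickets are still exempted. The body of `ipadb_sign_authdata` starts before and continues past this hunk, so both points need checking against the full function.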