Allow the realm to be included in the name passed to add_service_principal()

This is more kerberos-like and it doesn't hurt anything, we just won't
allow realms other than our own to be used.

437566

1 files changed, 6 insertions, 3 deletions

diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index cb2823402..43bcf9869 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1820,9 +1820,12 @@ class IPAServer:
 
         # Don't let the user set the realm
         if name.find('@') > 0:
-            raise ipaerror.gen_exception(ipaerror.INPUT_INVALID_PARAMETER)
-
-        princ_name = name + "@" + self.realm
+            r = name[name.find('@')+1:]
+            if (r != self.realm):
+                raise ipaerror.gen_exception(ipaerror.INPUT_REALM_MISMATCH)
+            princ_name = name
+        else:
+            princ_name = name + "@" + self.realm
         
         conn = self.getConnection(opts)
         if not self.__is_service_unique(name, opts):