diff options
| author | Sumit Bose <sbose@redhat.com> | 2013-06-05 13:06:08 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-06 23:58:57 +0200 |
| commit | d153941864fe481399665be8fe583c9317194a99 (patch) | |
| tree | 72a552e9807ce15e3f52b3816636dcc514c34493 | |
| parent | 154e62fc712f4c994fbc684386302edca277a99a (diff) | |
| download | sssd-d153941864fe481399665be8fe583c9317194a99.tar.gz sssd-d153941864fe481399665be8fe583c9317194a99.tar.xz sssd-d153941864fe481399665be8fe583c9317194a99.zip | |
Always send the PAC to the PAC responder
Currently while doing a Kerberos based authentication the PAC was only
send to the PAC responder for principals from a different realm. This
reflects the FreeIPA use case of users from trusted domains.
This restriction does not make sense anymore when the data from the PAC
should be used for the AD provider as well. It also makes only limited
sense for the IPA use case, because when using GSSAPI the PAC of users
from the local IPA domain are already evaluated by the PAC responder.
| -rw-r--r-- | src/providers/krb5/krb5_child.c | 38 |
1 files changed, 18 insertions, 20 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 4626f59ff..8f746a8db 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -987,27 +987,25 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) goto done; } - /* Try to find and send the PAC to the PAC responder for principals which - * do not belong to our realm. Failures are not critical. */ - if (kr->upn_from_different_realm) { - kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ, - kr->creds->client, keytab, &pac_authdata); - if (kerr != 0) { - DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_and_send_pac failed, group " \ - "membership for user with principal [%s] " \ - "might not be correct.\n", kr->name)); - kerr = 0; - goto done; - } + /* Try to find and send the PAC to the PAC responder. + * Failures are not critical. */ + kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ, + kr->creds->client, keytab, &pac_authdata); + if (kerr != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, ("sss_extract_and_send_pac failed, group " \ + "membership for user with principal [%s] " \ + "might not be correct.\n", kr->name)); + kerr = 0; + goto done; + } - kerr = sss_send_pac(pac_authdata); - krb5_free_authdata(kr->ctx, pac_authdata); - if (kerr != 0) { - DEBUG(SSSDBG_OP_FAILURE, ("sss_send_pac failed, group " \ - "membership for user with principal [%s] " \ - "might not be correct.\n", kr->name)); - kerr = 0; - } + kerr = sss_send_pac(pac_authdata); + krb5_free_authdata(kr->ctx, pac_authdata); + if (kerr != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, ("sss_send_pac failed, group " \ + "membership for user with principal [%s] " \ + "might not be correct.\n", kr->name)); + kerr = 0; } done: |