authorSumit Bose <sbose@redhat.com>2010-03-23 16:34:31 +0100
committerStephen Gallagher <sgallagh@redhat.com>2010-03-25 12:14:02 -0400
commit1fafd0ab7e7c136ccc4fda54e6d2e0f947e28713 (patch)
treeb98ae290120fb7a1ef5ce761c334dc92ae300cdc
parentf864e74b639f5bfbfa8e525b65c1ca6aa075324f (diff)
Fix kinit after password change
In an environment with slave KDCs and a central server where password changes are allowed, the request for a new TGT immediately after the password change should be made against this server, because the slave server might not know the new password. To achieve this, the Kerberos locator plugin now returns the address of the kpasswd server as master_kdc.
-rw-r--r--src/krb5_plugin/sssd_krb5_locator_plugin.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
index 626960a2e..153145bb1 100644
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
@@ -289,7 +289,8 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
return KRB5_PLUGIN_NO_HANDLE;
}
- if (svc == locate_service_kadmin || svc == locate_service_kpasswd) {
+ if (svc == locate_service_kadmin || svc == locate_service_kpasswd ||
+ svc == locate_service_master_kdc) {
ret = get_krb5info(realm, ctx, locate_service_kpasswd);
if (ret != EOK) {
PLUGIN_DEBUG(("reading kpasswd address failed, "
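Review bot: The failure branch under the widened condition still logs only "reading kpasswd address failed", so a `locate_service_master_kdc` lookup that could not obtain the kpasswd address looks the same in the debug output as a kadmin or kpasswd lookup. The rest of that branch lies outside the hunk; if it substitutes another address, a master_kdc request would go to a server that may not yet have the new password, which is the case this commit sets out to avoid, so the message should name the requested service. A comment above the condition would also help the next reader, for example `/* master_kdc is answered with the kpasswd server, the host that accepts password changes */`.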
@@ -307,10 +308,13 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
switch (svc) {
case locate_service_kdc:
- case locate_service_master_kdc:
addr = ctx->kdc_addr;
port = ctx->kdc_port ? ctx->kdc_port : DEFAULT_KERBEROS_PORT;
break;
+ case locate_service_master_kdc:
+ addr = ctx->kpasswd_addr;
+ port = DEFAULT_KERBEROS_PORT;
+ break;
case locate_service_kadmin:
addr = ctx->kpasswd_addr;
port = DEFAULT_KADMIN_PORT;
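Review bot: The new `locate_service_master_kdc` case pairs `ctx->kpasswd_addr` with a hard-coded `DEFAULT_KERBEROS_PORT`, while the `locate_service_kdc` case just above honours a configured `ctx->kdc_port`. If the KDC on the kpasswd host listens on a non-default port, the TGT request after a password change will not reach it, and nothing in the hunk says whether that limitation is intended. Either carry the port for this service alongside the address, or state the assumption at the case, for example `/* assumes the kpasswd host also runs a KDC on the default Kerberos port */`. The switch continues past the end of the hunk, so how `addr` is validated before use cannot be seen here.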