authorJan Zeleny <jzeleny@redhat.com>2010-10-14 09:37:34 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-10-19 16:02:47 -0400
commit7051a30300d12163e890e4ec4b9a765567679a8b (patch)
tree96d9f734fef8d052a4747756b11538f18e5d261f
parented9d7d200bda6f5e1a177054fb483fb48c6ad54e (diff)
Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip.
For the time being, if krb5_server is not found, SSSD still falls back to krb5_kdcip with a warning. If both options are present in the config file, krb5_server has a higher priority. Fixes: #543
-rw-r--r--src/config/SSSDConfig.py2
-rwxr-xr-xsrc/config/SSSDConfigTest.py8
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-krb5.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf1
-rw-r--r--src/config/sssd_upgrade_config.py4
-rw-r--r--src/man/sssd-krb5.5.xml10
-rw-r--r--src/man/sssd.conf.5.xml2
-rw-r--r--src/providers/ipa/ipa_common.c10
-rw-r--r--src/providers/krb5/krb5_common.c45
-rw-r--r--src/providers/krb5/krb5_common.h3
-rw-r--r--src/providers/krb5/krb5_init.c2
12 files changed, 79 insertions, 10 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 22013eebb..f4734b8c3 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -93,6 +93,7 @@ option_strings = {
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
+ 'krb5_server' : _('Kerberos server address'),
'krb5_realm' : _('Kerberos realm'),
'krb5_auth_timeout' : _('Authentication timeout'),
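Review bot: The new `krb5_server` entry on the added line carries exactly the same description as the `krb5_kdcip` entry above it, so nothing in option_strings tells a consumer of the config API which of the two names is the deprecated one; the same pair is repeated in the second hunk of this file. Since the commit message says krb5_server takes priority and krb5_kdcip is kept only as a fallback, the legacy entry's text could say so, e.g. `'krb5_kdcip' : _('Kerberos server address (deprecated, use krb5_server)'),`. The option_strings dictionary starts and ends outside the hunk.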
@@ -122,6 +123,7 @@ option_strings = {
'ldap_sasl_mech' : _('Specify the sasl mechanism to use'),
'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
'krb5_kdcip' : _('Kerberos server address'),
+ 'krb5_server' : _('Kerberos server address'),
'krb5_realm' : _('Kerberos realm'),
'ldap_krb5_keytab' : _('Kerberos service keytab'),
'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index f0cfac8b8..39db49dc3 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -541,7 +541,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
backup_list = control_list[:]
control_list.extend(
- ['krb5_kdcip',
+ ['krb5_server',
'krb5_realm',
'krb5_kpasswd',
'krb5_ccachedir',
@@ -562,6 +562,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
"Option [%s] missing" %
option)
+ control_list.extend(['krb5_kdcip'])
+
# Ensure that there aren't any unexpected options listed
for option in options.keys():
self.assertTrue(option in control_list,
@@ -712,6 +714,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
# Test looking up a specific provider type
options = domain.list_provider_options('krb5', 'auth')
control_list = [
+ 'krb5_server',
'krb5_kdcip',
'krb5_realm',
'krb5_kpasswd',
@@ -859,7 +862,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
backup_list = control_list[:]
control_list.extend(
- ['krb5_kdcip',
+ ['krb5_server',
+ 'krb5_kdcip',
'krb5_realm',
'krb5_kpasswd',
'krb5_ccachedir',
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index b559b78dc..001d4fce2 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -19,6 +19,7 @@ ldap_tls_reqcert = str, None, false
ldap_sasl_mech = str, None, false
ldap_sasl_authid = str, None, false
krb5_kdcip = str, None, false
+krb5_server = str, None, false
krb5_realm = str, None, false
krb5_auth_timeout = int, None, false
krb5_kpasswd = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index 76ef8b5b4..0c0aa4261 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -1,5 +1,6 @@
[provider/krb5]
krb5_kdcip = str, None, false
+krb5_server = str, None, false
krb5_realm = str, None, true
krb5_auth_timeout = int, None, false
krb5_kpasswd = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 75eba5866..1f5d7ab2a 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -14,6 +14,7 @@ ldap_tls_reqcert = str, None, false
ldap_sasl_mech = str, None, false
ldap_sasl_authid = str, None, false
krb5_kdcip = str, None, false
+krb5_server = str, None, false
krb5_realm = str, None, false
ldap_krb5_keytab = str, None, false
ldap_krb5_init_creds = bool, None, false
diff --git a/src/config/sssd_upgrade_config.py b/src/config/sssd_upgrade_config.py
index 62ffe5273..e05226e83 100644
--- a/src/config/sssd_upgrade_config.py
+++ b/src/config/sssd_upgrade_config.py
@@ -77,7 +77,7 @@ class SSSDConfigFile(SSSDChangeConf):
auth_provider = self.findOpts(domain['value'], 'option', 'auth_provider')[1]
if auth_provider and auth_provider['value'] == 'krb5':
- server = self.findOpts(domain['value'], 'option', 'krb5_kdcip')[1]
+ server = self.findOpts(domain['value'], 'option', 'krb5_server')[1]
if not server or "__srv__" in server['value']:
domain['value'].insert(0, dns_domain_name)
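Review bot: The lookup on the changed line now asks only for `krb5_server`, but this upgrade code is presumably run against configuration files written before this commit, which would still carry `krb5_kdcip`; if so, the `not server` test on the next line fires for every legacy krb5 domain and the `__srv__` check is never reached. Keeping a fallback preserves the old behaviour: `server = self.findOpts(domain['value'], 'option', 'krb5_server')[1]` followed by `if not server: server = self.findOpts(domain['value'], 'option', 'krb5_kdcip')[1]`. The enclosing method starts and ends outside the hunk, so I cannot see from here which config version it processes.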
@@ -201,7 +201,7 @@ class SSSDConfigFile(SSSDChangeConf):
'ldap_netgroup_uuid' : 'netgroupUUID',
'ldap_netgroup_modify_timestamp' : 'netgroupModifyTimestamp',
}
- krb5_kw = { 'krb5_kdcip' : 'krb5KDCIP',
+ krb5_kw = { 'krb5_server' : 'krb5KDCIP',
'krb5_realm' : 'krb5REALM',
'krb5_try_simple_upn' : 'krb5try_simple_upn',
'krb5_changepw_principal' : 'krb5changepw_principle',
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index dbe96a1db..e9c2cac3c 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -63,7 +63,7 @@
for details on the configuration of a SSSD domain.
<variablelist>
<varlistentry>
- <term>krb5_kdcip (string)</term>
+ <term>krb5_server (string)</term>
<listitem>
<para>
Specifies the list of IP addresses or hostnames
@@ -77,6 +77,12 @@
for more information, refer to the
<quote>SERVICE DISCOVERY</quote> section.
</para>
+ <para>
+ This option was named <quote>krb5_kdcip</quote> in
+ earlier releases of SSSD. While the legacy name is recognized
+ for the time being, users are advised to migrate their config
+ files to use <quote>krb5_server</quote> instead.
+ </para>
</listitem>
</varlistentry>
@@ -270,7 +276,7 @@
<programlisting>
[domain/FOO]
auth_provider = krb5
- krb5_kdcip = 192.168.1.1
+ krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
</programlisting>
</para>
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index d00de05c1..60ba169bd 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -917,7 +917,7 @@ ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
-krb5_kdcip = kerberos.example.com
+krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 95d99de84..758bf9de9 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -129,7 +129,7 @@ struct sdap_attr_map ipa_netgroup_map[] = {
};
struct dp_option ipa_def_krb5_opts[] = {
- { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
@@ -437,6 +437,14 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
goto done;
}
+ /* If there is no KDC, try the deprecated krb5_kdcip option, too */
+ /* FIXME - this can be removed in a future version */
+ ret = krb5_try_kdcip(ipa_opts, cdb, conf_path, ipa_opts->auth);
+ if (ret != EOK) {
+ DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));
+ goto done;
+ }
+
/* set krb realm */
if (NULL == dp_opt_get_string(ipa_opts->auth, KRB5_REALM)) {
value = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);
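Review bot: The error message in the added `DEBUG(1, ...)` call names `sss_krb5_try_kdcip`, but the function called on the line above is `krb5_try_kdcip`, so anyone grepping the log message back to the source will look for a symbol that does not exist; the same message appears in the krb5_get_options hunk of src/providers/krb5/krb5_common.c. Suggest `DEBUG(1, ("krb5_try_kdcip failed.\n"));` in both places. ipa_get_auth_options starts and ends outside the hunk.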
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 3863acd9c..81ad4e9d4 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -32,7 +32,7 @@
#include "providers/krb5/krb5_common.h"
struct dp_option default_krb5_opts[] = {
- { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
{ "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
@@ -91,6 +91,41 @@ errno_t check_and_export_options(struct dp_option *opts,
return EOK;
}
+errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
+ const char *conf_path, struct dp_option *opts)
+{
+ char *krb5_servers = NULL;
+ errno_t ret;
+
+ krb5_servers = dp_opt_get_string(opts, KRB5_KDC);
+ if (krb5_servers == NULL) {
+ DEBUG(4, ("No KDC found in configuration, trying legacy option\n"));
+ ret = confdb_get_string(cdb, memctx, conf_path,
+ "krb5_kdcip", NULL, &krb5_servers);
+ if (ret != EOK) {
+ DEBUG(1, ("confdb_get_string failed.\n"));
+ return ret;
+ }
+
+ if (krb5_servers != NULL)
+ {
+ ret = dp_opt_set_string(opts, KRB5_KDC, krb5_servers);
+ if (ret != EOK) {
+ DEBUG(1, ("dp_opt_set_string failed.\n"));
+ talloc_free(krb5_servers);
+ return ret;
+ }
+
+ DEBUG(9, ("Set krb5 server [%s] based on legacy krb5_kdcip option\n"));
+ DEBUG(0, ("Your configuration uses the deprecated option 'krb5_kdcip' "
+ "to specify the KDC. Please change the configuration to use "
+ "the 'krb5_server' option instead."));
+ }
+ }
+
+ return EOK;
+}
+
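Review bot: The `DEBUG(9, ...)` call in krb5_try_kdcip uses a `%s` conversion but passes no matching argument, so the formatter reads whatever happens to occupy the variadic slot — undefined behaviour that can crash the backend or print unrelated memory into the log at that debug level; the line should be `DEBUG(9, ("Set krb5 server [%s] based on legacy krb5_kdcip option\n", krb5_servers));`. The following `DEBUG(0, ...)` warning is the only message in the hunk without a trailing `\n`, so it will run into the next log line. On the success path the string fetched from confdb stays allocated on memctx after dp_opt_set_string, whereas the failure path frees it; if dp_opt_set_string takes its own copy (its implementation is not visible here), a `talloc_free(krb5_servers);` after the successful set would make the two paths consistent. The `if (krb5_servers != NULL)` block also puts its opening brace on its own line, unlike the K&R style used everywhere else in the hunk.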
errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
const char *conf_path, struct dp_option **_opts)
{
@@ -110,6 +145,14 @@ errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
goto done;
}
+ /* If there is no KDC, try the deprecated krb5_kdcip option, too */
+ /* FIXME - this can be removed in a future version */
+ ret = krb5_try_kdcip(memctx, cdb, conf_path, opts);
+ if (ret != EOK) {
+ DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));
+ goto done;
+ }
+
*_opts = opts;
ret = EOK;
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 6398ea225..a8ebcf5c2 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -112,6 +112,9 @@ struct remove_info_files_ctx {
errno_t check_and_export_options(struct dp_option *opts,
struct sss_domain_info *dom);
+errno_t krb5_try_kdcip(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
+ const char *conf_path, struct dp_option *opts);
+
errno_t krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
const char *conf_path, struct dp_option **_opts);
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index c457dc55f..7facdce5e 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -88,7 +88,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
if (krb5_servers == NULL) {
- DEBUG(1, ("Missing krb5_kdcip option, using service discovery!\n"));
+ DEBUG(1, ("Missing krb5_server option, using service discovery!\n"));
}
krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM);