A new option krb5_use_kdcinfo

https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf
author: Jakub Hrozek <jhrozek@redhat.com> 2013-06-07 11:28:35 +0200
committer: Jakub Hrozek <jhrozek@redhat.com> 2013-06-10 21:03:01 +0200
commit: 14452cd066b51e32ca0ebad6c45ae909a1debe57 (patch)
tree: 5c89a40d71008b0b2853b831d937a995e4a424ef /src/providers/ipa/ipa_common.c
parent: 7b5e7e539ae9312ab55d75aa94feaad549b2a708 (diff)
download: sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.gz
sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.xz
sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.zip
1 files changed, 23 insertions, 12 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 76da6c1e1..671374098 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -664,6 +664,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
                   dp_opt_get_string(ipa_opts->auth, KRB5_REALM)));
     }
 
+    /* Set flag that controls whether we want to write the
+     * kdcinfo files at all
+     */
+    ipa_opts->service->krb5_service->write_kdcinfo = \
+        dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO);
+    DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+          ipa_opts->auth[KRB5_USE_KDCINFO].opt_name,
+          ipa_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+
     *_opts = ipa_opts->auth;
     ret = EOK;
 
@@ -743,19 +752,21 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
     talloc_zfree(service->sdap->sockaddr);
     service->sdap->sockaddr = talloc_steal(service, sockaddr);
 
-    safe_address = sss_escape_ip_address(tmp_ctx,
-                                         srvaddr->family,
-                                         address);
-    if (safe_address == NULL) {
-        DEBUG(1, ("sss_escape_ip_address failed.\n"));
-        talloc_free(tmp_ctx);
-        return;
-    }
+    if (service->krb5_service->write_kdcinfo) {
+        safe_address = sss_escape_ip_address(tmp_ctx,
+                                             srvaddr->family,
+                                             address);
+        if (safe_address == NULL) {
+            DEBUG(1, ("sss_escape_ip_address failed.\n"));
+            talloc_free(tmp_ctx);
+            return;
+        }
 
-    ret = write_krb5info_file(service->krb5_service->realm, safe_address,
-                              SSS_KRB5KDC_FO_SRV);
-    if (ret != EOK) {
-        DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+        ret = write_krb5info_file(service->krb5_service->realm, safe_address,
+                                  SSS_KRB5KDC_FO_SRV);
+        if (ret != EOK) {
+            DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n"));
+        }
     }
 
     talloc_free(tmp_ctx);
author	Jakub Hrozek <jhrozek@redhat.com>	2013-06-07 11:28:35 +0200
committer	Jakub Hrozek <jhrozek@redhat.com>	2013-06-10 21:03:01 +0200
commit	14452cd066b51e32ca0ebad6c45ae909a1debe57 (patch)
tree	5c89a40d71008b0b2853b831d937a995e4a424ef /src/providers/ipa/ipa_common.c
parent	7b5e7e539ae9312ab55d75aa94feaad549b2a708 (diff)
download	sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.gz sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.xz sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.zip