Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip.

For the time being, if krb5_server is not found, still falls back to
krb5_kdcip with a warning. If both options are present in config file,
krb5_server has a higher priority.

Fixes: #543

1 files changed, 9 insertions, 1 deletions

diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 95d99de84..758bf9de9 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -129,7 +129,7 @@ struct sdap_attr_map ipa_netgroup_map[] = {
 };
 
 struct dp_option ipa_def_krb5_opts[] = {
-    { "krb5_kdcip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_ccachedir", DP_OPT_STRING, { "/tmp" }, NULL_STRING },
     { "krb5_ccname_template", DP_OPT_STRING, { "FILE:%d/krb5cc_%U_XXXXXX" }, NULL_STRING},
@@ -437,6 +437,14 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
         goto done;
     }
 
+    /* If there is no KDC, try the deprecated krb5_kdcip option, too */
+    /* FIXME - this can be removed in a future version */
+    ret = krb5_try_kdcip(ipa_opts, cdb, conf_path, ipa_opts->auth);
+    if (ret != EOK) {
+        DEBUG(1, ("sss_krb5_try_kdcip failed.\n"));
+        goto done;
+    }
+
     /* set krb realm */
     if (NULL == dp_opt_get_string(ipa_opts->auth, KRB5_REALM)) {
         value = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);