Add support for FAST in krb5 provider

1 files changed, 7 insertions, 5 deletions

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 515c181bc..e6b680eaf 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -646,14 +646,16 @@ static void krb5_find_ccache_step(struct tevent_req *req)
     }
 
     /* We need to keep the root privileges to read the keytab file if
-     * validation is enabled, otherwise we can drop them and run krb5_child
-     * with user privileges.
+     * validation or FAST is enabled, otherwise we can drop them and run
+     * krb5_child with user privileges.
      * If we are offline we want to create an empty ccache file. In this
      * case we can drop the privileges, too. */
-    if (!dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) || kr->is_offline) {
-        kr->run_as_user = true;
-    } else {
+    if ((dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ||
+         kr->krb5_ctx->use_fast) &&
+        !kr->is_offline) {
         kr->run_as_user = false;
+    } else {
+        kr->run_as_user = true;
     }
 
     subreq = handle_child_send(state, state->ev, kr);