diff options
| author | Sumit Bose <sbose@redhat.com> | 2013-06-24 20:59:53 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-25 14:34:39 +0200 |
| commit | fa4a9c4afcc0c62a693034e21f33356e64735687 (patch) | |
| tree | 5f396acead970d06e8ebdd9da7d3397238736072 /src/providers/krb5/krb5_child.c | |
| parent | 48a53690ae35ef7e5690eb216c8e33140070f984 (diff) | |
| download | sssd-fa4a9c4afcc0c62a693034e21f33356e64735687.tar.gz sssd-fa4a9c4afcc0c62a693034e21f33356e64735687.tar.xz sssd-fa4a9c4afcc0c62a693034e21f33356e64735687.zip | |
krb5: do not send pac for IPA users from the local domain
So far we didn't send the PAC of IPA users to the PAC responder during
password authentication because group memberships for IPA users can be
retrieved efficiently with LDAP calls. Recently patches added PAC
support for the AD provider as well and removed the restriction for the
IPA users. This patch restores the original behaviour by introducing a
new flag in struct krb5_ctx which is only set for the IPA provider.
Additionally a different flag is renamed to make it's purpose more
clear.
Fixes https://fedorahosted.org/sssd/ticket/1995
Diffstat (limited to 'src/providers/krb5/krb5_child.c')
| -rw-r--r-- | src/providers/krb5/krb5_child.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index cba72502d..130be96bb 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -53,7 +53,7 @@ struct krb5_req { char *ccname; char *keytab; bool validate; - bool upn_from_different_realm; + bool send_pac; bool use_enterprise_princ; char *fast_ccname; @@ -987,9 +987,9 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) goto done; } - /* Try to find and send the PAC to the PAC responder for principals which - * do not belong to our realm. Failures are not critical. */ - if (kr->upn_from_different_realm) { + /* Try to find and send the PAC to the PAC responder. + * Failures are not critical. */ + if (kr->send_pac) { kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ, kr->creds->client, keytab, &pac_authdata); if (kerr != 0) { @@ -1551,7 +1551,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, size_t p = 0; uint32_t len; uint32_t validate; - uint32_t different_realm; + uint32_t send_pac; uint32_t use_enterprise_princ; struct pam_data *pd; errno_t ret; @@ -1573,8 +1573,8 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, SAFEALIGN_COPY_UINT32_CHECK(&validate, buf + p, size, &p); kr->validate = (validate == 0) ? false : true; SAFEALIGN_COPY_UINT32_CHECK(offline, buf + p, size, &p); - SAFEALIGN_COPY_UINT32_CHECK(&different_realm, buf + p, size, &p); - kr->upn_from_different_realm = (different_realm == 0) ? false : true; + SAFEALIGN_COPY_UINT32_CHECK(&send_pac, buf + p, size, &p); + kr->send_pac = (send_pac == 0) ? false : true; SAFEALIGN_COPY_UINT32_CHECK(&use_enterprise_princ, buf + p, size, &p); kr->use_enterprise_princ = (use_enterprise_princ == 0) ? false : true; SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); |