diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-07 11:28:35 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-10 21:03:01 +0200 |
| commit | 14452cd066b51e32ca0ebad6c45ae909a1debe57 (patch) | |
| tree | 5c89a40d71008b0b2853b831d937a995e4a424ef /src/providers/krb5 | |
| parent | 7b5e7e539ae9312ab55d75aa94feaad549b2a708 (diff) | |
| download | sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.gz sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.tar.xz sssd-14452cd066b51e32ca0ebad6c45ae909a1debe57.zip | |
A new option krb5_use_kdcinfo
https://fedorahosted.org/sssd/ticket/1883
The patch introduces a new Kerberos provider option called
krb5_use_kdcinfo. The option is true by default in all providers. When
set to false, the SSSD will not create krb5 info files that the locator
plugin consumes and the user would have to set up the Kerberos options
manually in krb5.conf
Diffstat (limited to 'src/providers/krb5')
| -rw-r--r-- | src/providers/krb5/krb5_common.c | 30 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_common.h | 6 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_init.c | 17 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_opts.h | 1 |
4 files changed, 36 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index e60e6e0ef..9db14b8a6 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c @@ -452,18 +452,20 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server) return; } - safe_address = talloc_asprintf_append(safe_address, ":%d", - fo_get_server_port(server)); - if (safe_address == NULL) { - DEBUG(1, ("talloc_asprintf_append failed.\n")); - talloc_free(tmp_ctx); - return; - } + if (krb5_service->write_kdcinfo) { + safe_address = talloc_asprintf_append(safe_address, ":%d", + fo_get_server_port(server)); + if (safe_address == NULL) { + DEBUG(1, ("talloc_asprintf_append failed.\n")); + talloc_free(tmp_ctx); + return; + } - ret = write_krb5info_file(krb5_service->realm, safe_address, - krb5_service->name); - if (ret != EOK) { - DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); + ret = write_krb5info_file(krb5_service->realm, safe_address, + krb5_service->name); + if (ret != EOK) { + DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); + } } talloc_free(tmp_ctx); @@ -620,7 +622,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, const char *service_name, const char *primary_servers, const char *backup_servers, - const char *realm, struct krb5_service **_service) + const char *realm, + bool use_kdcinfo, + struct krb5_service **_service) { TALLOC_CTX *tmp_ctx; struct krb5_service *service; @@ -655,6 +659,8 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, goto done; } + service->write_kdcinfo = use_kdcinfo; + if (!primary_servers) { DEBUG(SSSDBG_CONF_SETTINGS, ("No primary servers defined, using service discovery\n")); diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index 85049360d..eb563888c 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h @@ -66,6 +66,7 @@ enum krb5_opts { KRB5_FAST_PRINCIPAL, KRB5_CANONICALIZE, KRB5_USE_ENTERPRISE_PRINCIPAL, + KRB5_USE_KDCINFO, KRB5_OPTS }; @@ -82,6 +83,7 @@ struct tgt_times { struct krb5_service { char *name; char *realm; + bool write_kdcinfo; }; struct fo_service; @@ -153,7 +155,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, const char *service_name, const char *primary_servers, const char *backup_servers, - const char *realm, struct krb5_service **_service); + const char *realm, + bool use_kdcinfo, + struct krb5_service **_service); void remove_krb5_info_files_callback(void *pvt); diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c index 1821d5b34..c6ec496e5 100644 --- a/src/providers/krb5/krb5_init.c +++ b/src/providers/krb5/krb5_init.c @@ -108,8 +108,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, return EINVAL; } - ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers, - krb5_backup_servers, krb5_realm, &ctx->service); + ret = krb5_service_init(ctx, bectx, + SSS_KRB5KDC_FO_SRV, krb5_servers, + krb5_backup_servers, krb5_realm, + dp_opt_get_bool(krb5_options->opts, + KRB5_USE_KDCINFO), + &ctx->service); if (ret != EOK) { DEBUG(0, ("Failed to init KRB5 failover service!\n")); return ret; @@ -130,9 +134,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, "will use KDC for pasword change operations!\n")); ctx->kpasswd_service = NULL; } else { - ret = krb5_service_init(ctx, bectx, SSS_KRB5KPASSWD_FO_SRV, - krb5_kpasswd_servers, krb5_backup_kpasswd_servers, - krb5_realm, &ctx->kpasswd_service); + ret = krb5_service_init(ctx, bectx, + SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers, + krb5_backup_kpasswd_servers, krb5_realm, + dp_opt_get_bool(krb5_options->opts, + KRB5_USE_KDCINFO), + &ctx->kpasswd_service); if (ret != EOK) { DEBUG(0, ("Failed to init KRB5KPASSWD failover service!\n")); return ret; diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h index c8e64782e..400b7e338 100644 --- a/src/providers/krb5/krb5_opts.h +++ b/src/providers/krb5/krb5_opts.h @@ -44,6 +44,7 @@ struct dp_option default_krb5_opts[] = { { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, DP_OPTION_TERMINATOR }; |