AD/IPA: add krb5_confd_path configuration option

With this new parameter the directory where Kerberos configuration
snippets are created can be specified.

Fixes https://fedorahosted.org/sssd/ticket/2473

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

6 files changed, 20 insertions, 0 deletions

diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index df8dcffea..b39ade40c 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -60,6 +60,7 @@ enum ad_basic_opt {
     AD_GPO_MAP_PERMIT,
     AD_GPO_MAP_DENY,
     AD_GPO_DEFAULT_RIGHT,
+    AD_KRB5_CONFD_PATH,
 
     AD_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index ac6006c92..c3de3d94b 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -48,6 +48,7 @@ struct dp_option ad_basic_opts[] = {
     { "ad_gpo_map_permit", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_gpo_map_deny", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ad_gpo_default_right", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index bc5bc8914..3c61d1352 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -461,6 +461,14 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *ctx)
 {
     errno_t ret;
 
+    ret = sss_write_krb5_conf_snippet(
+                            dp_opt_get_string(ctx->ad_id_ctx->ad_options->basic,
+                                              AD_KRB5_CONFD_PATH));
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
+        /* Just continue */
+    }
+
     ret = sysdb_update_subdomains(ctx->be_ctx->domain);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_subdomains failed.\n");
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 495276548..33085197c 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -54,6 +54,7 @@ enum ipa_basic_opt {
     IPA_ENABLE_DNS_SITES,
     IPA_SERVER_MODE,
     IPA_VIEWS_SEARCH_BASE,
+    IPA_KRB5_CONFD_PATH,
 
     IPA_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 59282e869..f77ff1d05 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -51,6 +51,7 @@ struct dp_option ipa_basic_opts[] = {
     { "ipa_enable_dns_sites", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ipa_server_mode", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ipa_views_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 9281aab1b..883558c4d 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -312,6 +312,14 @@ ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
 {
     errno_t ret;
 
+    ret = sss_write_krb5_conf_snippet(
+                              dp_opt_get_string(ctx->id_ctx->ipa_options->basic,
+                                                IPA_KRB5_CONFD_PATH));
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
+        /* Just continue */
+    }
+
     ret = sysdb_update_subdomains(ctx->be_ctx->domain);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_subdomains failed.\n");