authorJan Zeleny <jzeleny@redhat.com>2011-10-19 03:27:47 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-11-02 14:10:30 -0400
commit7dfc7617085c403d30debe9f08d4c9bcca322744 (patch)
treefa23c5b6037c2178f48c938eae9d940f9d9d2646 /src/providers
parent20c187339201a95558a9b237af37b461665d9340 (diff)
Add support to request canonicalization on krb AS requests
https://fedorahosted.org/sssd/ticket/957
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/krb5/krb5_child.c15
-rw-r--r--src/providers/krb5/krb5_common.c9
-rw-r--r--src/providers/krb5/krb5_common.h2
5 files changed, 28 insertions, 3 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 12c0bb678..b68c72b49 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -175,7 +175,8 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
{ "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }
};
int ipa_get_options(TALLOC_CTX *memctx,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 575911504..20074b45b 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 14
+#define IPA_KRB5_OPTS_TEST 15
enum ipa_basic_opt {
IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index ec2251e43..fe8721094 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -586,6 +586,18 @@ done:
}
+static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts)
+{
+ int canonicalize = 0;
+ char *tmp_str;
+
+ tmp_str = getenv(SSSD_KRB5_CANONICALIZE);
+ if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+ canonicalize = 1;
+ }
+ sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
+}
+
static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
krb5_principal princ,
krb5_keytab keytab,
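Review bot: krb5_set_canonicalize turns canonicalization off for an unset SSSD_KRB5_CANONICALIZE and for any value other than a case-insensitive "true", and it does so without leaving a trace in the logs. A short comment above the helper, for example `/* Request canonicalization only if SSSD_KRB5_CANONICALIZE is "true"; unset or any other value disables it. */`, would document that contract. Adding `DEBUG(9, ("Canonicalization is set to [%s]\n", canonicalize ? "true" : "false"));` before the setter call would make the effective setting visible when troubleshooting a realm. Whether sss_krb5_get_init_creds_opt_set_canonicalize can fail or do nothing on an older libkrb5 is not visible in this hunk and is worth confirming.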
@@ -601,6 +613,7 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
krb5_get_init_creds_opt_set_address_list(&options, NULL);
krb5_get_init_creds_opt_set_forwardable(&options, 0);
krb5_get_init_creds_opt_set_proxiable(&options, 0);
+ krb5_set_canonicalize(&options);
kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
&options);
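Review bot: Once canonicalization is requested, the KDC may return a client principal in `creds` that differs from the `princ` passed to krb5_get_init_creds_keytab, and nothing in this hunk accounts for that. The rest of get_and_save_tgt_with_keytab lies outside the hunk, so this is a check to confirm rather than a proven defect. Any later step that stores or validates the ticket should use `creds.client` rather than `princ`, or compare the two with krb5_principal_compare and log a mismatch. The same question applies to the password path enabled by `krb5_set_canonicalize(kr->options);` in krb5_child_setup.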
@@ -1444,6 +1457,8 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
}
if (!offline) {
+ krb5_set_canonicalize(kr->options);
+
use_fast_str = getenv(SSSD_KRB5_USE_FAST);
if (use_fast_str == NULL || strcasecmp(use_fast_str, "never") == 0) {
DEBUG(9, ("Not using FAST.\n"));
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 4e792861b..4675e0a1f 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -45,7 +45,8 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
{ "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
};
errno_t check_and_export_lifetime(struct dp_option *opts, const int opt_id,
@@ -169,6 +170,12 @@ errno_t check_and_export_options(struct dp_option *opts,
}
}
+ if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) {
+ setenv(SSSD_KRB5_CANONICALIZE, "true", 1);
+ } else {
+ setenv(SSSD_KRB5_CANONICALIZE, "false", 1);
+ }
+
dummy = dp_opt_get_cstring(opts, KRB5_KDC);
if (dummy == NULL) {
DEBUG(1, ("No KDC explicitly configured, using defaults.\n"));
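Review bot: Both new setenv() calls ignore the return value, so a failed export leaves SSSD_KRB5_CANONICALIZE unset and the child then reads it as "false" with no indication. For the IPA provider, whose default in this commit is BOOL_TRUE, that would silently reverse the configured behaviour. Consider collapsing the branch and checking the result, e.g. `if (setenv(SSSD_KRB5_CANONICALIZE, dp_opt_get_bool(opts, KRB5_CANONICALIZE) ? "true" : "false", 1) != 0) { DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_CANONICALIZE)); }`. check_and_export_options starts and ends outside this hunk, so match whatever error handling its other exports use.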
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 670fd1a51..950505f12 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -39,6 +39,7 @@
#define SSSD_KRB5_LIFETIME "SSSD_KRB5_LIFETIME"
#define SSSD_KRB5_USE_FAST "SSSD_KRB5_USE_FAST"
#define SSSD_KRB5_FAST_PRINCIPAL "SSSD_KRB5_FAST_PRINCIPAL"
+#define SSSD_KRB5_CANONICALIZE "SSSD_KRB5_CANONICALIZE"
#define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
#define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -61,6 +62,7 @@ enum krb5_opts {
KRB5_RENEW_INTERVAL,
KRB5_USE_FAST,
KRB5_FAST_PRINCIPAL,
+ KRB5_CANONICALIZE,
KRB5_OPTS
};