Modify principal selection for keytab authentication

Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.

The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).

The patch adds new configuration option SDAP_SASL_REALM.

https://fedorahosted.org/sssd/ticket/781

1 files changed, 8 insertions, 0 deletions

diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index f25f3285b..d17bfe969 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -64,6 +64,14 @@ krb5_error_code find_principal_in_keytab(krb5_context ctx,
                                          const char *pattern_realm,
                                          krb5_principal *princ);
 
+errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
+                                     const char *hostname,
+                                     const char *desired_realm,
+                                     const char *keytab_name,
+                                     char **_principal,
+                                     char **_primary,
+                                     char **_realm);
+
 #ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_EXPIRE_CALLBACK
 typedef void krb5_expire_callback_func(krb5_context context, void *data,
                                              krb5_timestamp password_expiration,