authorJakub Hrozek <jhrozek@redhat.com>2013-07-19 08:36:28 +0300
committerJakub Hrozek <jhrozek@redhat.com>2013-07-23 14:18:03 +0200
commit48657b5de36a63b0c13ed5d53065871d59d8f10b (patch)
tree61403ad977c2a0f73e1a776170fce867468a142d /src
parent1b3144586978c47506eaa39db505e6231e3b0c0a (diff)
KRB5: Do not send PAC in server mode
The krb5 child contacts the PAC responder for any user except IPA native users when the PAC responder is configured. This works fine for the general case, but ipa_server_mode is a special one: the PAC responder is present, yet in server mode we should operate the way the AD provider does by default, so the PAC should not be analyzed in this case either.
Diffstat (limited to 'src')
-rw-r--r--src/providers/ad/ad_init.c1
-rw-r--r--src/providers/ipa/ipa_init.c8
-rw-r--r--src/providers/krb5/krb5_child_handler.c16
-rw-r--r--src/providers/krb5/krb5_common.h8
-rw-r--r--src/providers/krb5/krb5_init.c1
5 files changed, 27 insertions, 7 deletions
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index c5d3fac23..392307678 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -254,6 +254,7 @@ sssm_ad_auth_init(struct be_ctx *bectx,
goto done;
}
+ krb5_auth_ctx->config_type = K5C_GENERIC;
krb5_auth_ctx->service = ad_options->service->krb5_service;
ret = ad_get_auth_options(krb5_auth_ctx, ad_options, bectx,
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index fe13b1872..407ab1669 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -300,7 +300,13 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
goto done;
}
krb5_auth_ctx->service = ipa_options->service->krb5_service;
- krb5_auth_ctx->is_ipa = true;
+
+ if (dp_opt_get_bool(id_ctx->ipa_options->basic,
+ IPA_SERVER_MODE) == true) {
+ krb5_auth_ctx->config_type = K5C_IPA_SERVER;
+ } else {
+ krb5_auth_ctx->config_type = K5C_IPA_CLIENT;
+ }
ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx;
ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path,
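Review bot: The new condition `if (dp_opt_get_bool(id_ctx->ipa_options->basic, IPA_SERVER_MODE) == true)` reaches the options through `id_ctx` although the surrounding lines already use the local `ipa_options` pointer (`ipa_options->service->krb5_service`, `ipa_options->auth_ctx`), and the `== true` on a boolean result is redundant. `if (dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE)) {` reads the same flag through one consistent handle, assuming `id_ctx->ipa_options` and `ipa_options` name the same object, which the hunk does not show. sssm_ipa_auth_init begins and ends outside the hunk.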
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 044c27195..8117d1e5d 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -142,11 +142,17 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 1 : 0;
- /* Always send PAC except for local IPA users */
- if (kr->krb5_ctx->is_ipa) {
- send_pac = kr->upn_from_different_realm ? 1 : 0;
- } else {
- send_pac = 1;
+ /* Always send PAC except for local IPA users and IPA server mode */
+ switch (kr->krb5_ctx->config_type) {
+ case K5C_IPA_CLIENT:
+ send_pac = kr->upn_from_different_realm ? 1 : 0;
+ break;
+ case K5C_IPA_SERVER:
+ send_pac = 0;
+ break;
+ default:
+ send_pac = 1;
+ break;
}
if (kr->pd->cmd == SSS_CMD_RENEW) {
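Review bot: The switch on `kr->krb5_ctx->config_type` handles K5C_GENERIC only through `default`, so any enumerator added later, or a config_type that was never set, silently takes the "send PAC" path with no trace in the logs. Adding `case K5C_GENERIC:` / `send_pac = 1;` / `break;` ahead of `default:` makes the intended case explicit and leaves `default` as the place to log an unexpected value before choosing a behaviour. Whether an unset config_type can actually reach this code depends on how krb5_ctx is allocated, which is not visible here. create_send_buffer starts and ends outside the hunk.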
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 27089ab96..e56bd496e 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -91,6 +91,12 @@ struct deferred_auth_ctx;
struct renew_tgt_ctx;
struct sss_krb5_cc_be;
+enum krb5_config_type {
+ K5C_GENERIC,
+ K5C_IPA_CLIENT,
+ K5C_IPA_SERVER
+};
+
struct krb5_ctx {
/* opts taken from kinit */
/* in seconds */
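Review bot: The new `enum krb5_config_type` carries no comments, yet its values decide whether the krb5 child forwards the PAC to the PAC responder (see the switch in krb5_child_handler.c in this same commit), so a one-line comment per enumerator would spare readers a cross-file lookup: `K5C_GENERIC, /* krb5 or AD provider: PAC always forwarded */`, `K5C_IPA_CLIENT, /* IPA client: PAC forwarded only for users from another realm */`, `K5C_IPA_SERVER /* IPA server mode: PAC never forwarded */`. K5C_GENERIC is also the zero value, so a zero-initialised krb5_ctx gets the generic behaviour; if that is relied on it is worth saying so in the comment. The enum is complete within the hunk; the following struct krb5_ctx continues outside it.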
@@ -130,7 +136,7 @@ struct krb5_ctx {
hash_table_t *wait_queue_hash;
- bool is_ipa;
+ enum krb5_config_type config_type;
};
struct remove_info_files_ctx {
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index c6ec496e5..91f701a18 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -98,6 +98,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
ctx->action = INIT_PW;
ctx->opts = krb5_options->opts;
+ ctx->config_type = K5C_GENERIC;
krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC);