Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r--src/providers/krb5/krb5_auth.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 515c181bc..e6b680eaf 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -646,14 +646,16 @@ static void krb5_find_ccache_step(struct tevent_req *req)
}
/* We need to keep the root privileges to read the keytab file if
- * validation is enabled, otherwise we can drop them and run krb5_child
- * with user privileges.
+ * validation or FAST is enabled, otherwise we can drop them and run
+ * krb5_child with user privileges.
* If we are offline we want to create an empty ccache file. In this
* case we can drop the privileges, too. */
- if (!dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) || kr->is_offline) {
- kr->run_as_user = true;
- } else {
+ if ((dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ||
+ kr->krb5_ctx->use_fast) &&
+ !kr->is_offline) {
kr->run_as_user = false;
+ } else {
+ kr->run_as_user = true;
}
subreq = handle_child_send(state, state->ev, kr);
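Review bot: The new condition in krb5_find_ccache_step keeps root for krb5_child on every online authentication in a FAST-enabled domain, not only when validation is on, which widens the set of requests handled with full privileges. The comment gives the reason (reading the keytab) but not how long root is needed; I would add a line such as `* krb5_child is expected to drop root once the keytab has been read.`, assuming the child actually does so, which is not visible here. The type of `kr->krb5_ctx->use_fast` is also not visible in the hunk: if it holds the option string rather than a boolean, the bare truthiness test would treat a configured "disabled" value as enabled and retain root needlessly, so an explicit comparison or a bool accessor would be safer. The function body starts and ends outside the hunk.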