Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 515c181bc..e6b680eaf 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -646,14 +646,16 @@ static void krb5_find_ccache_step(struct tevent_req *req)
 }
 /* We need to keep the root privileges to read the keytab file if
- * validation is enabled, otherwise we can drop them and run krb5_child
- * with user privileges.
+ * validation or FAST is enabled, otherwise we can drop them and run
+ * krb5_child with user privileges.
 * If we are offline we want to create an empty ccache file. In this
 * case we can drop the privileges, too. */
- if (!dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) || kr->is_offline) {
- kr->run_as_user = true;
- } else {
+ if ((dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ||
+ kr->krb5_ctx->use_fast) &&
+ !kr->is_offline) {
 kr->run_as_user = false;
+ } else {
+ kr->run_as_user = true;
 }
 subreq = handle_child_send(state, state->ev, kr);
|
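Review bot: The branch that sets `kr->run_as_user = false` now keeps root for every online request when `kr->krb5_ctx->use_fast` is set, so more of krb5_child (password handling, parsing of KDC replies) runs privileged, and the updated comment does not say how long root is actually needed. By the comment's own wording root is required only to read the keytab, so it should state that bound and where the privileges are given up, e.g. `* Root is only needed until the keytab has been read; krb5_child is expected to switch to the user after that.` Whether krb5_child already drops to the user after that point is not visible in this hunk and is worth confirming before widening the root path. krb5_find_ccache_step starts before and continues past the hunk.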