diff options
Diffstat (limited to 'src/providers')
| -rw-r--r-- | src/providers/ad/ad_common.c | 39 | ||||
| -rw-r--r-- | src/providers/ad/ad_opts.h | 2 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_common.c | 35 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_opts.h | 2 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_common.c | 30 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_common.h | 6 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_init.c | 17 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_opts.h | 1 | ||||
| -rw-r--r-- | src/providers/ldap/ldap_common.c | 8 | ||||
| -rw-r--r-- | src/providers/ldap/ldap_opts.h | 1 | ||||
| -rw-r--r-- | src/providers/ldap/sdap.h | 1 |
11 files changed, 96 insertions, 46 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index ea124d96d..1aad85de3 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -531,21 +531,23 @@ ad_resolve_callback(void *private_data, struct fo_server *server) goto done; } - /* Write krb5 info files */ - safe_address = sss_escape_ip_address(tmp_ctx, - srvaddr->family, - address); - if (safe_address == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n")); - ret = ENOMEM; - goto done; - } + if (service->krb5_service->write_kdcinfo) { + /* Write krb5 info files */ + safe_address = sss_escape_ip_address(tmp_ctx, + srvaddr->family, + address); + if (safe_address == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("sss_escape_ip_address failed.\n")); + ret = ENOMEM; + goto done; + } - ret = write_krb5info_file(service->krb5_service->realm, safe_address, - SSS_KRB5KDC_FO_SRV); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("write_krb5info_file failed, authentication might fail.\n")); + ret = write_krb5info_file(service->krb5_service->realm, safe_address, + SSS_KRB5KDC_FO_SRV); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("write_krb5info_file failed, authentication might fail.\n")); + } } ret = EOK; @@ -846,6 +848,15 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx, krb5_options[KRB5_REALM].opt_name, krb5_realm)); + /* Set flag that controls whether we want to write the + * kdcinfo files at all + */ + ad_opts->service->krb5_service->write_kdcinfo = \ + dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO); + DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n", + ad_opts->auth[KRB5_USE_KDCINFO].opt_name, + ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false")); + *_opts = talloc_steal(mem_ctx, krb5_options); ret = EOK; diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h index 218614dca..ba03c2329 100644 --- a/src/providers/ad/ad_opts.h +++ b/src/providers/ad/ad_opts.h @@ -88,6 +88,7 @@ struct dp_option ad_def_ldap_opts[] = { { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING }, { "ldap_referrals", DP_OPT_BOOL, BOOL_FALSE, BOOL_TRUE }, { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, @@ -145,6 +146,7 @@ struct dp_option ad_def_krb5_opts[] = { { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 76da6c1e1..671374098 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -664,6 +664,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts, dp_opt_get_string(ipa_opts->auth, KRB5_REALM))); } + /* Set flag that controls whether we want to write the + * kdcinfo files at all + */ + ipa_opts->service->krb5_service->write_kdcinfo = \ + dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO); + DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n", + ipa_opts->auth[KRB5_USE_KDCINFO].opt_name, + ipa_opts->service->krb5_service->write_kdcinfo ? "true" : "false")); + *_opts = ipa_opts->auth; ret = EOK; @@ -743,19 +752,21 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server) talloc_zfree(service->sdap->sockaddr); service->sdap->sockaddr = talloc_steal(service, sockaddr); - safe_address = sss_escape_ip_address(tmp_ctx, - srvaddr->family, - address); - if (safe_address == NULL) { - DEBUG(1, ("sss_escape_ip_address failed.\n")); - talloc_free(tmp_ctx); - return; - } + if (service->krb5_service->write_kdcinfo) { + safe_address = sss_escape_ip_address(tmp_ctx, + srvaddr->family, + address); + if (safe_address == NULL) { + DEBUG(1, ("sss_escape_ip_address failed.\n")); + talloc_free(tmp_ctx); + return; + } - ret = write_krb5info_file(service->krb5_service->realm, safe_address, - SSS_KRB5KDC_FO_SRV); - if (ret != EOK) { - DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); + ret = write_krb5info_file(service->krb5_service->realm, safe_address, + SSS_KRB5KDC_FO_SRV); + if (ret != EOK) { + DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); + } } talloc_free(tmp_ctx); diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index 4dfa72db4..fe81ed115 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h @@ -112,6 +112,7 @@ struct dp_option ipa_def_ldap_opts[] = { { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING }, { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, @@ -274,6 +275,7 @@ struct dp_option ipa_def_krb5_opts[] = { { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index e60e6e0ef..9db14b8a6 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c @@ -452,18 +452,20 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server) return; } - safe_address = talloc_asprintf_append(safe_address, ":%d", - fo_get_server_port(server)); - if (safe_address == NULL) { - DEBUG(1, ("talloc_asprintf_append failed.\n")); - talloc_free(tmp_ctx); - return; - } + if (krb5_service->write_kdcinfo) { + safe_address = talloc_asprintf_append(safe_address, ":%d", + fo_get_server_port(server)); + if (safe_address == NULL) { + DEBUG(1, ("talloc_asprintf_append failed.\n")); + talloc_free(tmp_ctx); + return; + } - ret = write_krb5info_file(krb5_service->realm, safe_address, - krb5_service->name); - if (ret != EOK) { - DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); + ret = write_krb5info_file(krb5_service->realm, safe_address, + krb5_service->name); + if (ret != EOK) { + DEBUG(2, ("write_krb5info_file failed, authentication might fail.\n")); + } } talloc_free(tmp_ctx); @@ -620,7 +622,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, const char *service_name, const char *primary_servers, const char *backup_servers, - const char *realm, struct krb5_service **_service) + const char *realm, + bool use_kdcinfo, + struct krb5_service **_service) { TALLOC_CTX *tmp_ctx; struct krb5_service *service; @@ -655,6 +659,8 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, goto done; } + service->write_kdcinfo = use_kdcinfo; + if (!primary_servers) { DEBUG(SSSDBG_CONF_SETTINGS, ("No primary servers defined, using service discovery\n")); diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index 85049360d..eb563888c 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h @@ -66,6 +66,7 @@ enum krb5_opts { KRB5_FAST_PRINCIPAL, KRB5_CANONICALIZE, KRB5_USE_ENTERPRISE_PRINCIPAL, + KRB5_USE_KDCINFO, KRB5_OPTS }; @@ -82,6 +83,7 @@ struct tgt_times { struct krb5_service { char *name; char *realm; + bool write_kdcinfo; }; struct fo_service; @@ -153,7 +155,9 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, const char *service_name, const char *primary_servers, const char *backup_servers, - const char *realm, struct krb5_service **_service); + const char *realm, + bool use_kdcinfo, + struct krb5_service **_service); void remove_krb5_info_files_callback(void *pvt); diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c index 1821d5b34..c6ec496e5 100644 --- a/src/providers/krb5/krb5_init.c +++ b/src/providers/krb5/krb5_init.c @@ -108,8 +108,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, return EINVAL; } - ret = krb5_service_init(ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers, - krb5_backup_servers, krb5_realm, &ctx->service); + ret = krb5_service_init(ctx, bectx, + SSS_KRB5KDC_FO_SRV, krb5_servers, + krb5_backup_servers, krb5_realm, + dp_opt_get_bool(krb5_options->opts, + KRB5_USE_KDCINFO), + &ctx->service); if (ret != EOK) { DEBUG(0, ("Failed to init KRB5 failover service!\n")); return ret; @@ -130,9 +134,12 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, "will use KDC for pasword change operations!\n")); ctx->kpasswd_service = NULL; } else { - ret = krb5_service_init(ctx, bectx, SSS_KRB5KPASSWD_FO_SRV, - krb5_kpasswd_servers, krb5_backup_kpasswd_servers, - krb5_realm, &ctx->kpasswd_service); + ret = krb5_service_init(ctx, bectx, + SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers, + krb5_backup_kpasswd_servers, krb5_realm, + dp_opt_get_bool(krb5_options->opts, + KRB5_USE_KDCINFO), + &ctx->kpasswd_service); if (ret != EOK) { DEBUG(0, ("Failed to init KRB5KPASSWD failover service!\n")); return ret; diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h index c8e64782e..400b7e338 100644 --- a/src/providers/krb5/krb5_opts.h +++ b/src/providers/krb5/krb5_opts.h @@ -44,6 +44,7 @@ struct dp_option default_krb5_opts[] = { { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index fd6f05def..96edd3362 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -1269,8 +1269,12 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx, } } - ret = krb5_service_init(mem_ctx, bectx, SSS_KRB5KDC_FO_SRV, krb5_servers, - krb5_backup_servers, krb5_realm, &service); + ret = krb5_service_init(mem_ctx, bectx, + SSS_KRB5KDC_FO_SRV, krb5_servers, + krb5_backup_servers, krb5_realm, + dp_opt_get_bool(opts, + SDAP_KRB5_USE_KDCINFO), + &service); if (ret != EOK) { DEBUG(0, ("Failed to init KRB5 failover service!\n")); goto done; diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h index 807716c18..6857d4ca8 100644 --- a/src/providers/ldap/ldap_opts.h +++ b/src/providers/ldap/ldap_opts.h @@ -79,6 +79,7 @@ struct dp_option default_basic_opts[] = { { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING }, { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index f77636b3c..6f10efa4b 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -186,6 +186,7 @@ enum sdap_basic_opt { SDAP_KRB5_BACKUP_KDC, SDAP_KRB5_REALM, SDAP_KRB5_CANONICALIZE, + SDAP_KRB5_USE_KDCINFO, SDAP_PWD_POLICY, SDAP_REFERRALS, SDAP_ACCOUNT_CACHE_EXPIRATION, |