From 695cc8754aecb3dcc3a617d86b7d4b6470af175d Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 24 Jun 2013 21:39:36 +0200
Subject: krb5: do not use enterprise principals for renewals

When renewing a ticket we already know the canonical principal hence it is not needed to expand it to an enterprise principal but we can contact the KDC of the corresponding realm directly.
---
 src/providers/krb5/krb5_child_handler.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 161fa269a..1da7e4f42 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -148,8 +148,13 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
 } else {
 send_pac = 1;
 }
- use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
+
+ if (kr->pd->cmd == SSS_CMD_RENEW) {
+ use_enterprise_principal = false;
+ } else {
+ use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts,
 KRB5_USE_ENTERPRISE_PRINCIPAL) ? 1 : 0;
+ }

 buf = talloc(kr, struct io_buffer);
 if (buf == NULL) {
-- 
cgit
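Review bot: The new `SSS_CMD_RENEW` branch overrides the configured `KRB5_USE_ENTERPRISE_PRINCIPAL` option with no comment in the code, so the reason lives only in the commit message. I would add above the `if`: `/* Renewal: the principal is already canonical, so skip enterprise-principal expansion and contact the realm's KDC directly. */`. The branch also assigns `false` where the other branch yields `1`/`0`; the declaration is outside the hunk, but if the flag is an integer that gets packed into the send buffer, `use_enterprise_principal = 0;` would keep both branches consistent. create_send_buffer starts and ends outside the hunk, so whether `kr->pd` is always set before this dereference cannot be confirmed from these lines.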