From ba95f1c434b430f0db7fddbd865af10488ecab17 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 26 Jun 2013 16:23:32 +0200 Subject: AD: kinit with the local DC even when talking to a GC We tried to use the GC address even for kinit which gave us errors like: "Realm not local to KDC while getting initial credentials". This patch adds a new AD_GC service that is only used for ID lookups, any sort of Kerberos operations are done against the local servers. --- src/providers/ad/ad_common.c | 22 +++++++++++++++++++--- src/providers/ad/ad_common.h | 3 ++- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index d53acf9ee..b06691206 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -189,7 +189,7 @@ _ad_servers_init(TALLOC_CTX *mem_ctx, } sdata->gc = true; - ret = be_fo_add_srv_server(bectx, AD_SERVICE_NAME, "gc", + ret = be_fo_add_srv_server(bectx, AD_GC_SERVICE_NAME, "gc", ad_domain, BE_FO_PROTO_TCP, false, sdata); if (ret != EOK) { @@ -339,7 +339,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx, } service->sdap->name = talloc_strdup(service->sdap, AD_SERVICE_NAME); - service->gc->name = talloc_strdup(service->gc, AD_SERVICE_NAME); + service->gc->name = talloc_strdup(service->gc, AD_GC_SERVICE_NAME); if (!service->sdap->name || !service->gc->name) { ret = ENOMEM; goto done; @@ -357,6 +357,12 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx, goto done; } + ret = be_fo_add_service(bectx, AD_GC_SERVICE_NAME, ad_user_data_cmp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to create GC failover service!\n")); + goto done; + } + service->krb5_service->name = talloc_strdup(service->krb5_service, AD_SERVICE_NAME); if (!service->krb5_service->name) { 
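Review bot: `be_fo_add_srv_server(bectx, AD_GC_SERVICE_NAME, "gc", ...)` registers the SRV-discovered GC under a failover service that must already exist, so the `be_fo_add_service(bectx, AD_GC_SERVICE_NAME, ad_user_data_cmp)` added to ad_failover_init by this patch has to run before _ad_servers_init does; nothing in the hunk makes that order visible, so a comment at the call site would help, e.g. `/* AD_GC_SERVICE_NAME must already be created by ad_failover_init */`. Only the SRV branch is visible here; if explicitly configured ad_server entries are still added only under AD_SERVICE_NAME, the GC service stays empty whenever SRV discovery is not used, which is worth confirming in the non-SRV branch. _ad_servers_init starts and ends outside the hunk.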
@@ -413,6 +419,14 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx, goto done; } + ret = be_fo_service_add_callback(mem_ctx, bectx, AD_GC_SERVICE_NAME, + ad_resolve_callback, service); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + ("Failed to add failover callback! [%s]\n", strerror(ret))); + goto done; + } + *_service = talloc_steal(mem_ctx, service); ret = EOK; @@ -531,7 +545,9 @@ ad_resolve_callback(void *private_data, struct fo_server *server) goto done; } - if (service->krb5_service->write_kdcinfo) { + /* Only write kdcinfo files for local servers */ + if ((sdata == NULL || sdata->gc == false) && + service->krb5_service->write_kdcinfo) { /* Write krb5 info files */ safe_address = sss_escape_ip_address(tmp_ctx, srvaddr->family, diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index 1503059e8..500f49c78 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -26,7 +26,8 @@ #include "util/util.h" #include "providers/ldap/ldap_common.h" -#define AD_SERVICE_NAME "AD" +#define AD_SERVICE_NAME "AD" +#define AD_GC_SERVICE_NAME "AD_GC" /* The port the Global Catalog runs on */ #define AD_GC_PORT 3268 -- cgit
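Review bot: The new guard `(sdata == NULL || sdata->gc == false)` treats a server with no user data as a regular DC and writes it into the kdcinfo file that the krb5 locator uses for kinit; if any server can be registered under AD_GC_SERVICE_NAME without sdata, a GC address still lands in kdcinfo, which is exactly the "Realm not local to KDC" failure this patch sets out to fix. Since ad_resolve_callback is now registered for both services with the same `service` pointer, the per-server user data is the only thing telling a GC resolution from an LDAP one, so either every AD_GC server must carry `sdata->gc = true` or the check should key on the service the server was resolved for, if the failover API exposes it. The comment should also say why, because "local servers" does not explain the rule: `/* Never write a GC into kdcinfo: AD_GC is only used for ID lookups, and kinit against a GC fails with "Realm not local to KDC"; servers without user data are assumed to be regular DCs. */`. ad_resolve_callback starts and ends outside the hunk, and where sdata is obtained is not visible here.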