From 6ef14c5c9e16c4a660b5029cd2b6220496a36407 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Thu, 19 Oct 2017 15:43:25 +0200
Subject: Revert "IPA: Only generate kdcinfo files on clients"

This reverts commit a309525cc47da726461aec1f238165c17aade2a6.

Even though original patch was correct it is better to revert it becuse otherwise we hit a bug in MIT krb5 when fallback to admin_server if kpasswd_server is not set does not work. And it would take some time to propagate krb5 fix to downstream distributions.

https://bugzilla.redhat.com/show_bug.cgi?id=1498347

Reviewed-by: Jakub Hrozek
Reviewed-by: Robbie Harwood
---
 src/providers/ipa/ipa_common.c | 9 +++++++++
 src/providers/ipa/ipa_init.c | 18 ------------------
 2 files changed, 9 insertions(+), 18 deletions(-)

diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 9b4ad31d1..6bb1e679c 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -736,6 +736,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
 ipa_opts->auth[KRB5_FAST_PRINCIPAL].opt_name, value);
 }
 
+ /* Set flag that controls whether we want to write the
+ * kdcinfo files at all
+ */
+ ipa_opts->service->krb5_service->write_kdcinfo = \
+ dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n",
+ ipa_opts->auth[KRB5_USE_KDCINFO].opt_name,
+ ipa_opts->service->krb5_service->write_kdcinfo ? "true" : "false");
+
 *_opts = ipa_opts->auth;
 
 ret = EOK;
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index 46ff87f53..5b7c8e134 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
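Review bot: The block added to ipa_get_auth_options re-enables kdcinfo writing unconditionally, including on IPA servers, which the comment removed in the ipa_init.c hunk explains was deliberately switched off there because `_srv_` configurations on a server could point at other KDCs whose PKINIT certificates this server does not trust; the commit message frames this as a temporary workaround for an MIT krb5 bug, but nothing in the code records that. Put the intent next to the assignment so the next maintainer does not read it as the intended final behaviour, e.g. `/* Written on servers too, on purpose: revert of a309525cc47da726461aec1f238165c17aade2a6 pending the MIT krb5 fix tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1498347 */`. The trailing `\` on the `write_kdcinfo = \` line is a stray line continuation outside a macro and can simply be dropped. The new code also assumes ipa_opts->service->krb5_service is already populated when ipa_get_auth_options runs; that is not visible here, and the function's body starts and ends outside the hunk.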
@@ -405,24 +405,6 @@ static errno_t ipa_init_krb5_auth_ctx(TALLOC_CTX *mem_ctx,
 return ret;
 }
 
- /* On clients, set flag that controls whether we want to write the
- * kdcinfo files at all. Never write kdcinfo files on servers as
- * we always want to talk to 'self' anyway and we've had broken
- * sssd configurations with _srv_ on the server which wwould point
- * to other KDCs with PKINIT certs not trusted on this IDM server.
- */
- if (server_mode) {
- DEBUG(SSSDBG_TRACE_FUNC,
- "Disabling kdcinfo files on IDM server\n");
- dp_opt_set_bool(ipa_options->auth, KRB5_USE_KDCINFO, false);
- }
-
- ipa_options->service->krb5_service->write_kdcinfo = \
- dp_opt_get_bool(ipa_options->auth, KRB5_USE_KDCINFO);
- DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n",
- ipa_options->auth[KRB5_USE_KDCINFO].opt_name,
- ipa_options->service->krb5_service->write_kdcinfo ? "true" : "false");
-
 *_krb5_auth_ctx = krb5_auth_ctx;
 return EOK;
 }
-- cgit