From a309525cc47da726461aec1f238165c17aade2a6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 15 Aug 2017 10:20:28 +0200
Subject: IPA: Only generate kdcinfo files on clients
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In some cases, IPA masters end up having a broken SSSD configuration that also includes the SRV records. This can cause the kdcinfo files to point to a different master which uses a different PKINIT certificate which is only valid for that IPA master. This can result e.g. in webui not working. This patch prevents the kdcinfo files from being generated on the IPA masters, but keep generating them on the clients. Not generating kdcinfo files on masters has no negative performance impact, because libkrb5 is configured via krb5.conf to point to self anyway.
Reviewed-by: Pavel Březina
---
 src/providers/ipa/ipa_common.c | 9 ---------
 src/providers/ipa/ipa_init.c | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 6bb1e679c..9b4ad31d1 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -736,15 +736,6 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
 ipa_opts->auth[KRB5_FAST_PRINCIPAL].opt_name, value);
 }
- /* Set flag that controls whether we want to write the
- * kdcinfo files at all
- */
- ipa_opts->service->krb5_service->write_kdcinfo = \
- dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO);
- DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n",
- ipa_opts->auth[KRB5_USE_KDCINFO].opt_name,
- ipa_opts->service->krb5_service->write_kdcinfo ? "true" : "false");
-
 *_opts = ipa_opts->auth;
 ret = EOK;
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index 3335e3ad2..6df167805 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -405,6 +405,24 @@ static errno_t ipa_init_krb5_auth_ctx(TALLOC_CTX *mem_ctx,
 return ret;
 }
+ /* On clients, set flag that controls whether we want to write the
+ * kdcinfo files at all. Never write kdcinfo files on servers as
+ * we always want to talk to 'self' anyway and we've had broken
+ * sssd configurations with _srv_ on the server which wwould point
+ * to other KDCs with PKINIT certs not trusted on this IDM server.
+ */
+ if (server_mode) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Disabling kdcinfo files on IDM server\n");
+ dp_opt_set_bool(ipa_options->auth, KRB5_USE_KDCINFO, false);
+ }
+
+ ipa_options->service->krb5_service->write_kdcinfo = \
+ dp_opt_get_bool(ipa_options->auth, KRB5_USE_KDCINFO);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n",
+ ipa_options->auth[KRB5_USE_KDCINFO].opt_name,
+ ipa_options->service->krb5_service->write_kdcinfo ? "true" : "false");
+
 *_krb5_auth_ctx = krb5_auth_ctx;
 return EOK;
 }
-- cgit
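Review bot: The return value of `dp_opt_set_bool(ipa_options->auth, KRB5_USE_KDCINFO, false)` in the new server_mode branch is discarded; if that helper can fail (elsewhere in SSSD it returns an int, if I recall correctly), a failure would leave write_kdcinfo at the configured value on a master, which is the very case this commit means to rule out, so `ret = dp_opt_set_bool(ipa_options->auth, KRB5_USE_KDCINFO, false); if (ret != EOK) { return ret; }` would be safer. The override is logged only at SSSDBG_TRACE_FUNC, while the SSSDBG_CONF_SETTINGS message that follows reports the option as false, so an admin who set krb5_use_kdcinfo = true would see it apparently ignored; logging the override at SSSDBG_CONF_SETTINGS with a message such as `"Option %s overridden to false on IDM server\n"` would avoid that confusion. Two small style nits: the `= \` continuation before the dp_opt_get_bool call is only needed inside macros and can be dropped, and "wwould" in the new comment is a typo. ipa_init_krb5_auth_ctx starts outside the hunk, so where server_mode comes from and whether ipa_options->service is guaranteed non-NULL at this point cannot be checked here.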