-rw-r--r--src/providers/ad/ad_init.c1
-rw-r--r--src/providers/ipa/ipa_init.c8
-rw-r--r--src/providers/krb5/krb5_child_handler.c16
-rw-r--r--src/providers/krb5/krb5_common.h8
-rw-r--r--src/providers/krb5/krb5_init.c1
5 files changed, 27 insertions, 7 deletions
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index c5d3fac2..39230767 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -254,6 +254,7 @@ sssm_ad_auth_init(struct be_ctx *bectx,
goto done;
}
+ krb5_auth_ctx->config_type = K5C_GENERIC;
krb5_auth_ctx->service = ad_options->service->krb5_service;
ret = ad_get_auth_options(krb5_auth_ctx, ad_options, bectx,
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index fe13b187..407ab166 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -300,7 +300,13 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
goto done;
}
krb5_auth_ctx->service = ipa_options->service->krb5_service;
- krb5_auth_ctx->is_ipa = true;
+
+ if (dp_opt_get_bool(id_ctx->ipa_options->basic,
+ IPA_SERVER_MODE) == true) {
+ krb5_auth_ctx->config_type = K5C_IPA_SERVER;
+ } else {
+ krb5_auth_ctx->config_type = K5C_IPA_CLIENT;
+ }
ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx;
ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path,
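Review bot: The added `if` compares the result of dp_opt_get_bool() with `== true`, which is redundant if the function returns a boolean, as its name and this comparison suggest; `if (dp_opt_get_bool(id_ctx->ipa_options->basic, IPA_SERVER_MODE)) {` reads the same. The lines around it use the local `ipa_options`, while the new test goes through `id_ctx->ipa_options`. If both name the same structure (not visible in this hunk), `ipa_options->basic` would be consistent and would not depend on `id_ctx` being populated at this point. Because this branch decides whether PAC data is forwarded later, a short comment such as `/* config_type controls PAC handling in krb5_child_handler.c */` would help the next reader. The body of sssm_ipa_auth_init continues outside the hunk.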
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 044c2719..8117d1e5 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -142,11 +142,17 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 1 : 0;
- /* Always send PAC except for local IPA users */
- if (kr->krb5_ctx->is_ipa) {
- send_pac = kr->upn_from_different_realm ? 1 : 0;
- } else {
- send_pac = 1;
+ /* Always send PAC except for local IPA users and IPA server mode */
+ switch (kr->krb5_ctx->config_type) {
+ case K5C_IPA_CLIENT:
+ send_pac = kr->upn_from_different_realm ? 1 : 0;
+ break;
+ case K5C_IPA_SERVER:
+ send_pac = 0;
+ break;
+ default:
+ send_pac = 1;
+ break;
}
if (kr->pd->cmd == SSS_CMD_RENEW) {
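Review bot: The `K5C_IPA_SERVER` case sets `send_pac = 0` unconditionally, so users for whom `upn_from_different_realm` is set no longer have their PAC sent in server mode, unlike the `K5C_IPA_CLIENT` case, and the comment says what happens but not why. Since the PAC carries authorization data, the reason it is safe to skip here should be recorded next to the case, for example `/* IPA server mode: PAC is never sent, also for users from other realms, because <reason> */` with the reason filled in by the author. The `default:` arm also makes "send the PAC" the behaviour for any enumerator added later; adding an explicit `case K5C_GENERIC:` above `default:` would make that choice visible. create_send_buffer continues outside the hunk.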
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 27089ab9..e56bd496 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -91,6 +91,12 @@ struct deferred_auth_ctx;
struct renew_tgt_ctx;
struct sss_krb5_cc_be;
+enum krb5_config_type {
+ K5C_GENERIC,
+ K5C_IPA_CLIENT,
+ K5C_IPA_SERVER
+};
+
struct krb5_ctx {
/* opts taken from kinit */
/* in seconds */
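Review bot: The new `enum krb5_config_type` has no comment describing what each value selects, although it now decides PAC handling in create_send_buffer. I would add a one-line comment per enumerator, e.g. `K5C_GENERIC, /* plain krb5 or AD provider: PAC always sent */`, `K5C_IPA_CLIENT, /* PAC sent only for users from a different realm */`, `K5C_IPA_SERVER /* PAC never sent */`. `K5C_GENERIC` is the first enumerator and therefore 0, so a zero-initialised `struct krb5_ctx` (allocation not visible here) would already be generic; it is worth stating in the comment that this ordering is intentional so nobody reorders the values. The hunk ends inside `struct krb5_ctx`.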
@@ -130,7 +136,7 @@ struct krb5_ctx {
hash_table_t *wait_queue_hash;
- bool is_ipa;
+ enum krb5_config_type config_type;
};
struct remove_info_files_ctx {
diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
index c6ec496e..91f701a1 100644
--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -98,6 +98,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
ctx->action = INIT_PW;
ctx->opts = krb5_options->opts;
+ ctx->config_type = K5C_GENERIC;
krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC);