From 48657b5de36a63b0c13ed5d53065871d59d8f10b Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 19 Jul 2013 08:36:28 +0300 Subject: KRB5: Do not send PAC in server mode The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case. --- src/providers/ipa/ipa_init.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'src/providers/ipa/ipa_init.c') diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index fe13b187..407ab166 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -300,7 +300,13 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, goto done; } krb5_auth_ctx->service = ipa_options->service->krb5_service; - krb5_auth_ctx->is_ipa = true; + + if (dp_opt_get_bool(id_ctx->ipa_options->basic, + IPA_SERVER_MODE) == true) { + krb5_auth_ctx->config_type = K5C_IPA_SERVER; + } else { + krb5_auth_ctx->config_type = K5C_IPA_CLIENT; + } ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx; ret = ipa_get_auth_options(ipa_options, bectx->cdb, bectx->conf_path, -- cgit