Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_mspac.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c36
1 files changed, 35 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 881a7a71..efb4cb9b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -637,6 +637,24 @@ static bool is_cross_realm_krbtgt(krb5_const_principal princ)
return true;
}
+static bool is_service_of_type(krb5_const_principal princ, const char *type)
+{
+ size_t len;
+
+ if (princ->length < 2) {
+ return false;
+ }
+
+ len = strlen(type);
+
+ if ((princ->data[0].length == len) ||
+ (strncasecmp(princ->data[0].data, type, len) == 0)) {
+ return true;
+ }
+
+ return false;
+}
+
static char *gen_sid_string(TALLOC_CTX *memctx, struct dom_sid *dom_sid,
uint32_t rid)
{
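Review bot: The match condition in is_service_of_type joins the length test and the prefix comparison with `||`, so any principal whose first component is exactly strlen(type) characters long, or merely begins with type, is reported as that service; the intended test is `if ((princ->data[0].length == len) && (strncasecmp(princ->data[0].data, type, len) == 0))`. With `"nfs"` as the type (see the later hunk), a constructed example such as `ftp/host` (three-character first component) or a first component like `nfsadmin` would have its PAC withheld, which denies those services their authorization data rather than granting anything, but is still a misclassification that should not ship. Using `&&` also means strncasecmp is reached only when the component is at least len bytes long, whereas the `||` form can run strncasecmp on a shorter component; krb5 components carry an explicit length and I would not rely on them being NUL-terminated. The third hunk of this commit has a related slip, `if (!is_as_req & !is_nfs)`, where bitwise `&` on two bools happens to evaluate correctly but `&&` is what is meant and should be used.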
@@ -1362,6 +1380,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
krb5_error_code kerr;
krb5_pac pac = NULL;
krb5_data pac_data;
+ bool is_nfs = false;
/* When using s4u2proxy client_princ actually refers to the proxied user
* while client->princ to the proxy service asking for the TGS on behalf
@@ -1372,17 +1391,32 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
ks_client_princ = client->princ;
}
+ /* NFS Server on Linux is limited and will choke on big tickets.
+ * So avoid attachnig the PAC to nfs/ tickets for now.
+ * FIXME: remove this when we have interface to support disabling
+ * PACs on arbitrary services */
+ if (is_service_of_type(ks_client_princ, "nfs") ||
+ is_service_of_type(server->princ, "nfs")) {
+ is_nfs = true;
+ }
+
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+ if (is_nfs) {
+ *signed_auth_data = NULL;
+ kerr = 0;
+ goto done;
+ }
+
kerr = ipadb_get_pac(context, client, &pac);
if (kerr != 0 && kerr != ENOENT) {
goto done;
}
}
- if (!is_as_req) {
+ if (!is_as_req & !is_nfs) {
/* find the existing PAC, if present */
kerr = krb5_find_authdata(context, tgt_auth_data, NULL,
KRB5_AUTHDATA_WIN2K_PAC, &pac_auth_data);