-rw-r--r--API.txt2
-rw-r--r--VERSION4
-rw-r--r--daemons/ipa-kdb/ipa_kdb.c9
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h1
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c23
-rw-r--r--ipalib/plugins/config.py3
6 files changed, 32 insertions, 10 deletions
diff --git a/API.txt b/API.txt
index e2976e0e2..5b75413f9 100644
--- a/API.txt
+++ b/API.txt
@@ -766,7 +766,7 @@ args: 0,25,3
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'))
option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
diff --git a/VERSION b/VERSION
index 7053bea9d..825aace1b 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=163
-# Last change: jcholast - replica install: add remote connection check over API
+IPA_API_VERSION_MINOR=164
+# Last change: simo - add optional string to disable preauth for SPNs
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 3d5e15680..fbcb03bee 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -261,12 +261,13 @@ static int ipadb_load_global_config(struct ipadb_context *ipactx)
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->config.disable_last_success = true;
continue;
- }
-
- if (strncasecmp("KDC:Disable Lockout",
- vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ } else if (strncasecmp("KDC:Disable Lockout",
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->config.disable_lockout = true;
continue;
+ } else if (strncasecmp("KDC:Disable Default Preauth for SPNs",
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ ipactx->config.disable_preauth_for_spns = true;
}
}
}
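Review bot: The new `KDC:Disable Default Preauth for SPNs` branch inherits the prefix-match semantics of the two branches it joins: strncasecmp() is bounded by `vals[i]->bv_len`, the length of the LDAP value, so any ipaConfigString value that is a leading substring of the literal (for example `KDC:Disable Default Preauth`) compares equal and sets the flag. Because this flag relaxes a pre-authentication requirement, matching the full literal is worth the extra check, e.g. `} else if (vals[i]->bv_len == strlen("KDC:Disable Default Preauth for SPNs") && strncasecmp("KDC:Disable Default Preauth for SPNs", vals[i]->bv_val, vals[i]->bv_len) == 0) {`, and the same length check would tighten the two existing branches. The `else` added to the rewritten branches is redundant after the `continue;` that ends each preceding body, though harmless. ipadb_load_global_config() begins before this hunk and the surrounding loop ends after it.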
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index a6f448150..1fdb409df 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -93,6 +93,7 @@ struct ipadb_global_config {
bool disable_lockout;
char **authz_data;
enum ipadb_user_auth user_auth;
+ bool disable_preauth_for_spns;
};
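Review bot: The new `disable_preauth_for_spns` member is set from one specific ipaConfigString value in ipa_kdb.c, and nothing in the header records which one or what the flag relaxes; a field comment would tie the two files together: `bool disable_preauth_for_spns; /* ipaConfigString "KDC:Disable Default Preauth for SPNs": skip the default REQUIRES_PRE_AUTH for non-user principals */`. The struct declaration starts before this hunk.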
struct ipadb_context {
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 629f81932..e32be856a 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -921,6 +921,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
return 0;
}
+static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
+ krb5_db_entry *entry)
+{
+ const struct ipadb_global_config *config;
+ struct ipadb_e_data *ied;
+
+ config = ipadb_get_global_config(ipactx);
+ if (config->disable_preauth_for_spns) {
+ ied = (struct ipadb_e_data *)entry->e_data;
+ if (ied && ied->ipa_user != true) {
+ /* not a user, assume SPN */
+ return 0;
+ }
+ }
+
+ /* By default require preauth for all principals */
+ return KRB5_KDB_REQUIRES_PRE_AUTH;
+}
+
static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
LDAPMessage *lentry,
krb5_db_entry *entry,
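Review bot: maybe_require_preauth() dereferences the result of ipadb_get_global_config() without a NULL check; if that helper can fail (it is not shown here — confirm whether it returns NULL when the global config cannot be loaded or refreshed), a transient LDAP problem would crash the KDC at the `config->disable_preauth_for_spns` line. Guarding it keeps the conservative default: `if (config && config->disable_preauth_for_spns) {`. A short header comment would also help, since the function's contract is a flag value meant to be OR-ed into `entry->attributes`: it returns 0 only when the feature is enabled and `e_data` identifies a non-user principal, and otherwise returns KRB5_KDB_REQUIRES_PRE_AUTH — including when `e_data` is NULL, which is the safe direction. `ied->ipa_user != true` reads more naturally as `!ied->ipa_user`. The two call sites are in the later hunks of this file.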
@@ -991,7 +1010,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
if (ret == 0) {
entry->attributes |= result;
} else {
- entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+ entry->attributes |= maybe_require_preauth(ipactx, entry);
}
}
}
@@ -1007,7 +1026,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
entry->max_renewable_life = 604800;
}
if (polmask & TKTFLAGS_BIT) {
- entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+ entry->attributes |= maybe_require_preauth(ipactx, entry);
}
kerr = 0;
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 4c8c2dd44..848b41e7b 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -205,7 +205,8 @@ class config(LDAPObject):
label=_('Password plugin features'),
doc=_('Extra hashes to generate in password plug-in'),
values=(u'AllowNThash',
- u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
+ u'KDC:Disable Last Success', u'KDC:Disable Lockout',
+ u'KDC:Disable Default Preauth for SPNs'),
csv=True,
),
Str('ipaselinuxusermaporder',
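Review bot: The option's `doc=_('Extra hashes to generate in password plug-in')` no longer describes its contents once a third `KDC:` value is added: `KDC:Disable Default Preauth for SPNs` is a KDC behaviour switch, not a hash, and a user reading the CLI help will not learn that selecting it drops the default pre-authentication requirement for non-user principals. Consider widening the doc to cover both families, e.g. `doc=_('Extra hashes to generate in password plug-in, and KDC behaviour switches')`, and describing the effect of the new value in the plugin's module docstring. The StrEnum definition starts before this hunk.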