Diffstat (limited to 'daemons/ipa-kdb')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.c | 9 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.h | 1 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_principals.c | 23 |
3 files changed, 27 insertions, 6 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 3d5e15680..fbcb03bee 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -261,12 +261,13 @@ static int ipadb_load_global_config(struct ipadb_context *ipactx)
 vals[i]->bv_val, vals[i]->bv_len) == 0) {
 ipactx->config.disable_last_success = true;
 continue;
- }
-
- if (strncasecmp("KDC:Disable Lockout",
- vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ } else if (strncasecmp("KDC:Disable Lockout",
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
 ipactx->config.disable_lockout = true;
 continue;
+ } else if (strncasecmp("KDC:Disable Default Preauth for SPNs",
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ ipactx->config.disable_preauth_for_spns = true;
 }
 }
 }
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index a6f448150..1fdb409df 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -93,6 +93,7 @@ struct ipadb_global_config {
 bool disable_lockout;
 char **authz_data;
 enum ipadb_user_auth user_auth;
+ bool disable_preauth_for_spns;
 };
 
 struct ipadb_context {
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 629f81932..e32be856a 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
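Review bot: The new `else if` branch compares the ipaConfigString value with `strncasecmp("KDC:Disable Default Preauth for SPNs", vals[i]->bv_val, vals[i]->bv_len)`, and because `bv_len` bounds the comparison this also succeeds when the stored value is any shorter prefix of the literal (the literal's remaining characters are never examined); the two existing branches share that behaviour, but this flag weakens preauth, so it deserves an exact match: `vals[i]->bv_len == strlen("KDC:Disable Default Preauth for SPNs") && strncasecmp("KDC:Disable Default Preauth for SPNs", vals[i]->bv_val, vals[i]->bv_len) == 0`. The branch also omits the `continue;` that the two sibling branches end with; harmless today because it is the last branch, but inconsistent if another option is appended later. `ipadb_load_global_config` starts and ends outside the hunk.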
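Review bot: The new `disable_preauth_for_spns` member is added to `struct ipadb_global_config` without a comment, and nothing in the header ties it to the ipaConfigString value that sets it or to the effect of dropping `KRB5_KDB_REQUIRES_PRE_AUTH`. I would add above it `/* "KDC:Disable Default Preauth for SPNs": do not set KRB5_KDB_REQUIRES_PRE_AUTH by default on non-user principals */`. The struct definition begins outside the hunk.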
@@ -921,6 +921,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
 return 0;
 }
 
+static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
+ krb5_db_entry *entry)
+{
+ const struct ipadb_global_config *config;
+ struct ipadb_e_data *ied;
+
+ config = ipadb_get_global_config(ipactx);
+ if (config->disable_preauth_for_spns) {
+ ied = (struct ipadb_e_data *)entry->e_data;
+ if (ied && ied->ipa_user != true) {
+ /* not a user, assume SPN */
+ return 0;
+ }
+ }
+
+ /* By default require preauth for all principals */
+ return KRB5_KDB_REQUIRES_PRE_AUTH;
+}
+
 static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
 LDAPMessage *lentry,
 krb5_db_entry *entry,
@@ -991,7 +1010,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
 if (ret == 0) {
 entry->attributes |= result;
 } else {
- entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+ entry->attributes |= maybe_require_preauth(ipactx, entry);
 }
 }
 }
@@ -1007,7 +1026,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
 entry->max_renewable_life = 604800;
 }
 if (polmask & TKTFLAGS_BIT) {
- entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+ entry->attributes |= maybe_require_preauth(ipactx, entry);
 }
 
 kerr = 0; |
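Review bot: `maybe_require_preauth` returns 0 for every entry whose `e_data` is not flagged `ipa_user`, so the exemption covers all non-user principals, not just service principals, as the comment `/* not a user, assume SPN */` itself concedes; once `KRB5_KDB_REQUIRES_PRE_AUTH` is absent, an unauthenticated AS-REQ for that principal yields an AS-REP encrypted in its long-term key, which can be brute-forced offline. That is tolerable only for principals whose keys are random keytab keys, and nothing in the hunk distinguishes those from a non-user entry that might carry a password-derived key, so the assumption should at least be stated and the heuristic narrowed if `ipadb_e_data` exposes a host/service distinction (I cannot tell from here). I would replace the comment with `/* Not a user: treated as an SPN. Only safe because SPN keys are assumed to be random keytab keys; a password-keyed principal would become exposed to offline AS-REP brute force. */`. The null check on `ied` is good, but the code also assumes `ipadb_get_global_config()` never returns NULL before dereferencing `config`, which this hunk does not establish.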