authorSumit Bose <sbose@redhat.com>2016-03-10 17:50:13 +0100
committerLukas Slebodnik <lslebodn@redhat.com>2016-06-09 11:26:40 +0200
commitcc4caf88344210ea9777d618f0f71935ca5e7f8b (patch)
tree69c4d2e7751fa0e6403f3db9e19aefd10cd23dbd /src/providers
parent06f9759563f4581981046208cce8ebccaa603e01 (diff)
AD: use krb5_keytab for subdomain initialization
During the initialization of AD subdomains parameters like the SASL auth id are determined. Since subdomains use a default set of the AD specific configuration options the default keytab will be used. If krb5_keytab is set in sssd.conf for the AD domain this keytab should be used for the subdomains (domains of the same AD forest) as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ad/ad_common.c27
-rw-r--r--src/providers/ad/ad_common.h3
-rw-r--r--src/providers/ad/ad_subdomains.c4
-rw-r--r--src/providers/ipa/ipa_subdomains_server.c3
4 files changed, 22 insertions, 15 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 4f8223879..be16b4306 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -139,7 +139,8 @@ static errno_t
set_common_ad_trust_opts(struct ad_options *ad_options,
const char *realm,
const char *ad_domain,
- const char *hostname)
+ const char *hostname,
+ const char *keytab)
{
errno_t ret;
@@ -161,6 +162,14 @@ set_common_ad_trust_opts(struct ad_options *ad_options,
return ret;
}
+ if (keytab != NULL) {
+ ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set keytab\n");
+ return ret;
+ }
+ }
+
return EOK;
}
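Review bot: The new `if (keytab != NULL)` block at L39 gives a NULL keytab a meaning — AD_KEYTAB is left as ad_create_default_options() populated it rather than being written — and nothing in set_common_ad_trust_opts says so. A one-line comment above the block would spare the next reader re-deriving it: `/* keytab == NULL leaves AD_KEYTAB as set by ad_create_default_options() */`. The log message could also name the option it failed on, e.g. `"Cannot set AD_KEYTAB\n"`, since the same helper now serves both trust directions. set_common_ad_trust_opts starts outside the hunk.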
@@ -168,7 +177,8 @@ struct ad_options *
ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
const char *realm,
const char *ad_domain,
- const char *hostname)
+ const char *hostname,
+ const char *keytab)
{
struct ad_options *ad_options;
errno_t ret;
@@ -176,7 +186,8 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
ad_options = ad_create_default_options(mem_ctx);
if (ad_options == NULL) return NULL;
- ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname);
+ ret = set_common_ad_trust_opts(ad_options, realm, ad_domain, hostname,
+ keytab);
if (ret != EOK) {
talloc_free(ad_options);
return NULL;
@@ -212,16 +223,8 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
}
ret = set_common_ad_trust_opts(ad_options, realm,
- ad_domain, hostname);
- if (ret != EOK) {
- talloc_free(ad_options);
- return NULL;
- }
-
- /* Set AD_KEYTAB to the special 1way keytab */
- ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab);
+ ad_domain, hostname, keytab);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot set trust keytab\n");
talloc_free(ad_options);
return NULL;
}
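Review bot: For the 1-way trust path the keytab write is no longer unconditional: the removed lines always called dp_opt_set_string(AD_KEYTAB, keytab), while the shared helper now skips the call when keytab is NULL (hunk at L39). If any caller of ad_create_1way_trust_options can hand in a NULL keytab — its parameter list is not visible here — the 1-way trust would silently proceed with whatever keytab ad_create_default_options() set instead of the dedicated one. A guard before the call keeps the previous strictness: `if (keytab == NULL) { DEBUG(SSSDBG_OP_FAILURE, "Missing 1way trust keytab\n"); talloc_free(ad_options); return NULL; }`. The function starts outside the hunk.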
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index d61be42cc..37178d611 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -110,7 +110,8 @@ struct ad_options *ad_create_default_options(TALLOC_CTX *mem_ctx);
struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
const char *realm,
const char *ad_domain,
- const char *hostname);
+ const char *hostname,
+ const char *keytab);
struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
const char *ad_domain,
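Review bot: The new keytab parameter of ad_create_2way_trust_options is undocumented in the header, so its NULL semantics can only be discovered by reading set_common_ad_trust_opts() in ad_common.c. A short comment above the prototype would fix that: `/* keytab: path of the keytab for this trust; NULL keeps the keytab set by ad_create_default_options(). */`. The ad_create_1way_trust_options prototype that follows is cut off by the hunk.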
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 4799b518a..4bdd2a7ad 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -108,9 +108,11 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
errno_t ret;
const char *realm;
const char *hostname;
+ const char *keytab;
realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
+ keytab = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KEYTAB);
ad_domain = subdom->name;
if (realm == NULL || hostname == NULL || ad_domain == NULL) {
DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm or hostname.\n");
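Review bot: `keytab` is deliberately left out of the NULL check at L111 while realm and hostname are required, and the reader has to follow the call into set_common_ad_trust_opts() to learn that NULL is acceptable there. A trailing comment on the new line would make the intent explicit: `keytab = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KEYTAB); /* may be NULL: subdomain then keeps the default keytab */`. ad_subdom_ad_ctx_new continues past the hunk.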
@@ -118,7 +120,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
}
ad_options = ad_create_2way_trust_options(id_ctx, realm,
- ad_domain, hostname);
+ ad_domain, hostname, keytab);
if (ad_options == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n");
talloc_free(ad_options);
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index 33c76cad9..b870d5552 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -176,7 +176,8 @@ static struct ad_options *ipa_ad_options_new(struct ipa_id_ctx *id_ctx,
ad_options = ad_create_2way_trust_options(id_ctx,
id_ctx->server_mode->realm,
subdom->name,
- id_ctx->server_mode->hostname);
+ id_ctx->server_mode->hostname,
+ NULL);
} else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
ad_options = ipa_create_1way_trust_ctx(id_ctx, forest,
forest_realm, subdom);
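Review bot: The bare `NULL` argument at L131 gives no hint which parameter it fills or why the IPA server-mode path passes none; a trailing comment removes the guesswork: `NULL /* keytab: keep the default */);`. ipa_ad_options_new continues on both sides of the hunk.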