diff options
author | Sumit Bose <sbose@redhat.com> | 2016-07-05 11:25:59 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-07-06 19:12:11 +0200 |
commit | e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 (patch) | |
tree | 38c612b250ea454debd1c037440b795f451a32ef /src/providers | |
parent | d278822ab3ab18f2c5b012cd055f01f06e687e49 (diff) | |
download | sssd-e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483.tar.gz sssd-e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483.tar.xz sssd-e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483.zip |
IPA/AD: globally set krb5 canonicalization flag
If Kerberos principal canonicalization is configured in SSSD, currently
it is the default for the IPA provider, a configuration snippet is
generated for the system-wide libkrb5 configuration so that all
kerberized applications will use canonicalization by default.
Resolves https://fedorahosted.org/sssd/ticket/3041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ad/ad_subdomains.c | 7 | ||||
-rw-r--r-- | src/providers/ipa/ipa_subdomains.c | 7 |
2 files changed, 11 insertions, 3 deletions
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 5b0bee866..05dfc3085 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -504,11 +504,16 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx) { const char *path; errno_t ret; + bool canonicalize; path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic, AD_KRB5_CONFD_PATH); - ret = sss_write_krb5_conf_snippet(path); + canonicalize = dp_opt_get_bool( + subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, + KRB5_CANONICALIZE); + + ret = sss_write_krb5_conf_snippet(path, canonicalize); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n"); /* Just continue */ diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index cb443db9c..a02a65d97 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c @@ -76,8 +76,11 @@ ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx) "Re-initializing domain %s\n", ctx->be_ctx->domain->name); ret = sss_write_krb5_conf_snippet( - dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic, - IPA_KRB5_CONFD_PATH)); + dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic, + IPA_KRB5_CONFD_PATH), + dp_opt_get_bool( + ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts, + KRB5_CANONICALIZE)); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n"); /* Just continue */ |