authorSumit Bose <sbose@redhat.com>2016-07-05 11:25:59 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-07-06 19:12:11 +0200
commite6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 (patch)
tree38c612b250ea454debd1c037440b795f451a32ef /src/providers
parentd278822ab3ab18f2c5b012cd055f01f06e687e49 (diff)
IPA/AD: globally set krb5 canonicalization flag
If Kerberos principal canonicalization is configured in SSSD (currently the default for the IPA provider), a configuration snippet is generated for the system-wide libkrb5 configuration so that all kerberized applications will use canonicalization by default.

Resolves https://fedorahosted.org/sssd/ticket/3041

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ad/ad_subdomains.c7
-rw-r--r--src/providers/ipa/ipa_subdomains.c7
2 files changed, 11 insertions, 3 deletions
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 5b0bee866..05dfc3085 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -504,11 +504,16 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
{
const char *path;
errno_t ret;
+ bool canonicalize;
path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
AD_KRB5_CONFD_PATH);
- ret = sss_write_krb5_conf_snippet(path);
+ canonicalize = dp_opt_get_bool(
+ subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts,
+ KRB5_CANONICALIZE);
+
+ ret = sss_write_krb5_conf_snippet(path, canonicalize);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
/* Just continue */
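Review bot: The added `dp_opt_get_bool()` call dereferences `ad_options->auth_ctx` without a NULL check, and nothing in this hunk shows that the auth context is always populated by the time `ad_subdom_reinit()` runs. If the AD id provider can be combined with a different auth provider (to be confirmed against the provider init code), this would crash the backend rather than merely skip the snippet. Wrapping the lookup in `if (subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL)` and leaving `canonicalize = false` otherwise would keep the write safe. The same applies to the `ipa_subdomains.c` hunk, where both `auth_ctx` and `auth_ctx->krb5_auth_ctx` are dereferenced inside the argument list. The function body continues past the end of the hunk.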
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index cb443db9c..a02a65d97 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -76,8 +76,11 @@ ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx)
"Re-initializing domain %s\n", ctx->be_ctx->domain->name);
ret = sss_write_krb5_conf_snippet(
- dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
- IPA_KRB5_CONFD_PATH));
+ dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic,
+ IPA_KRB5_CONFD_PATH),
+ dp_opt_get_bool(
+ ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts,
+ KRB5_CANONICALIZE));
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n");
/* Just continue */
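Review bot: Nesting both option lookups inside the `sss_write_krb5_conf_snippet()` argument list is harder to read than the AD version of this change, which uses the locals `path` and `canonicalize`; the same two locals here would keep the providers consistent and leave room to validate the pointer chain before the call. Because the snippet now changes libkrb5 behaviour for every kerberized application on the host, a short comment above the call would help, e.g. `/* Snippet is system-wide: affects all libkrb5 users, not only SSSD */`. `ipa_subdom_reinit()` begins and ends outside this hunk, so how `ret` is used afterwards is not visible here.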