| author | Sumit Bose <sbose@redhat.com> | 2016-07-05 11:25:59 +0200 |
|---|---|---|
| committer | Sumit Bose <sbose@redhat.com> | 2016-07-05 12:03:57 +0200 |
| commit | 8b27ace5c972b82cde1e9a6d6f771f28a2999e39 (patch) | |
| tree | 5cc635385247e22e6bbd1f44415a517a38a51f88 /src/util | |
| parent | 66ee2f40d0c9b526df8fa9ba7061772237b5d9e6 (diff) | |
IPA/AD: globally set krb5 canonicalization flagipa_automatic_enterprise
If Kerberos principal canonicalization is configured in SSSD (currently
the default for the IPA provider), a configuration snippet is generated
for the system-wide libkrb5 configuration so that all kerberized
applications will use canonicalization by default.
Resolves https://fedorahosted.org/sssd/ticket/3041
Diffstat (limited to 'src/util')
| -rw-r--r-- | src/util/domain_info_utils.c | 48 | ||||
| -rw-r--r-- | src/util/util.h | 2 |
2 files changed, 48 insertions, 2 deletions
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 50fae22e6..a3e427b84 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -658,7 +658,45 @@ done:
 #endif
 }
-errno_t sss_write_krb5_conf_snippet(const char *path)
+#define KRB5_LIBDEFAUTLS_CONFIG \
+"[libdefaults]\n" \
+" canonicalize = true"
+
+static errno_t sss_write_krb5_libdefaults_snippet(const char *path)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ const char *file_name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ file_name = talloc_asprintf(tmp_ctx, "%s/krb5_libdefaults", path);
+ if (file_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, "File for KRB5 kibdefaults configuration is [%s]\n",
+ file_name);
+
+ ret = sss_write_krb5_snippet_common(file_name, KRB5_LIBDEFAUTLS_CONFIG);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_snippet_common failed.\n");
+ goto done;
+ }
+
+done:
+
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize)
 {
 errno_t ret;
 errno_t err;
@@ -680,6 +718,14 @@ errno_t sss_write_krb5_conf_snippet(const char *path)
 goto done;
 }
+ if (canonicalize) {
+ ret = sss_write_krb5_libdefaults_snippet(path);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_libdefaults_snippet failed.\n");
+ goto done;
+ }
+ }
+ ret = EOK;
 done:
diff --git a/src/util/util.h b/src/util/util.h
index 36d8231b9..92076488a 100644
--- a/src/util/util.h
+++ b/src/util/util.h
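Review bot: When `canonicalize` is false, sss_write_krb5_conf_snippet() leaves any `krb5_libdefaults` file from an earlier run in place, because the added `if (canonicalize)` block only ever writes the snippet. Unless cleanup happens in code not shown here, switching canonicalization off in SSSD would leave `canonicalize = true` in force for every libkrb5 consumer on the host. An else branch that unlinks `<path>/krb5_libdefaults` and treats ENOENT as success would keep the system-wide setting in step with the SSSD option, as sketched below. The macro name `KRB5_LIBDEFAUTLS_CONFIG` and the debug text "kibdefaults" are misspelled, and `ret` in the new helper is `int` where sss_write_krb5_conf_snippet() uses `errno_t`. The body of sss_write_krb5_conf_snippet() starts and ends outside these hunks.

```c
/* Drop a snippet left over from a run with canonicalization enabled. */
static errno_t sss_remove_krb5_libdefaults_snippet(const char *path)
{
    errno_t ret = EOK;
    char *file_name;

    file_name = talloc_asprintf(NULL, "%s/krb5_libdefaults", path);
    if (file_name == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
        return ENOMEM;
    }

    /* A missing file is the expected state when canonicalization was never on. */
    if (unlink(file_name) != 0 && errno != ENOENT) {
        ret = errno;
        DEBUG(SSSDBG_OP_FAILURE, "unlink [%s] failed [%d][%s].\n",
              file_name, ret, strerror(ret));
    }

    talloc_free(file_name);
    return ret;
}

/* in sss_write_krb5_conf_snippet(): */
    if (canonicalize) {
        /* … unchanged: sss_write_krb5_libdefaults_snippet(path) and its error check … */
    } else {
        ret = sss_remove_krb5_libdefaults_snippet(path);
        if (ret != EOK) {
            goto done;
        }
    }
```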
@@ -525,7 +525,7 @@ errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
 errno_t sss_write_domain_mappings(struct sss_domain_info *domain);
-errno_t sss_write_krb5_conf_snippet(const char *path);
+errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize);
 errno_t get_dom_names(TALLOC_CTX *mem_ctx, struct sss_domain_info *start_dom, |
