subdomains: inherit ldap_krb5_keytab

If a non-default keytab is configured for the parent domain the
subdomains will still use the default keytab because the alternative
keytab is not inherited. As a consequence SSSD might not be able to
connect to services in the subdomain because the default keytab is
either not present or does not have suitable keys.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2 files changed, 5 insertions, 0 deletions

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e03580bf7..c6ed2e0ee 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -530,6 +530,10 @@
                             ldap_user_principal
                         </para>
                         <para>
+                            ldap_krb5_keytab (the value of krb5_keytab will be
+                            used if ldap_krb5_keytab is not set explicitly)
+                        </para>
+                        <para>
                             Example:
                             <programlisting>
 subdomain_inherit = ldap_purge_cache_timeout
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index c0863a6d5..888cbb509 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -250,6 +250,7 @@ static void sdap_inherit_basic_options(char **inherit_opt_list,
     int inherit_options[] = {
         SDAP_PURGE_CACHE_TIMEOUT,
         SDAP_AD_USE_TOKENGROUPS,
+        SDAP_KRB5_KEYTAB,
         SDAP_OPTS_BASIC     /* sentinel */
     };
     int i;