> > > The new option needs to be added to the sssd-krb5 man page. > > > > In the second patch. > > Why? Please squash them to make cherry-picking easier; one makes no sense > without the other, I think.
As you wish. Patch attached. Jan
From 2ab988f071419609d6298c3803e41300329c3796 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzel...@redhat.com>
Date: Wed, 19 Oct 2011 03:27:47 -0400
Subject: [PATCH] Add support to request canonicalization on krb AS requests

https://fedorahosted.org/sssd/ticket/957
---
 src/config/SSSDConfig.py | 1 +
 src/config/SSSDConfigTest.py | 9 ++++++---
 src/config/etc/sssd.api.d/sssd-krb5.conf | 1 +
 src/man/sssd-ipa.5.xml | 15 +++++++++++++++
 src/man/sssd-krb5.5.xml | 14 ++++++++++++++
 src/providers/ipa/ipa_common.c | 3 ++-
 src/providers/ipa/ipa_common.h | 2 +-
 src/providers/krb5/krb5_child.c | 15 +++++++++++++++
 src/providers/krb5/krb5_common.c | 9 ++++++++-
 src/providers/krb5/krb5_common.h | 2 ++
 10 files changed, 65 insertions(+), 6 deletions(-)

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index e77382110cc21f3403ef22e1f543b483bccc6834..ca1a2002e586d30a96dda15b2138ae5694b773a2 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -120,6 +120,7 @@ option_strings = {
 'krb5_renew_interval' : _("Time between two checks for renewal"),
 'krb5_use_fast' : _("Enables FAST"),
 'krb5_fast_principal' : _("Selects the principal to use for FAST"),
+ 'krb5_canonicalize' : _("Enables FAST"),
 
 # [provider/krb5/chpass]
 'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 79c18bcf3cb8f2baf0ac12b64e5e25ab6c370b55..16ddfe5012654dc1600b79ad90493a409b0d5c9d 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -566,7 +566,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'krb5_lifetime',
 'krb5_renew_interval',
 'krb5_use_fast',
- 'krb5_fast_principal'])
+ 'krb5_fast_principal',
+ 'krb5_canonicalize'])
 
 options = domain.list_options()
 
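Review bot: The help text for the new option in option_strings is a copy-paste of the FAST entry, `'krb5_canonicalize' : _("Enables FAST"),`, so every tool that renders SSSDConfig descriptions will describe krb5_canonicalize as enabling FAST. Replace it with a description that matches the man page text added in this same patch, e.g. `'krb5_canonicalize' : _("Enables principal canonicalization"),`. The SSSDConfigTest.py hunks only extend the expected option lists and look consistent with the new sssd-krb5.conf entry; the option_strings dictionary starts and ends outside the hunk.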
@@ -719,7 +720,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'krb5_lifetime',
 'krb5_renew_interval',
 'krb5_use_fast',
- 'krb5_fast_principal']
+ 'krb5_fast_principal',
+ 'krb5_canonicalize']
 
 self.assertTrue(type(options) == dict,
 "Options should be a dictionary")
@@ -882,7 +884,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'krb5_lifetime',
 'krb5_renew_interval',
 'krb5_use_fast',
- 'krb5_fast_principal'])
+ 'krb5_fast_principal',
+ 'krb5_canonicalize'])
 
 options = domain.list_options()
 
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index 993763b6eb8277afdbd75ef1b4805869aadd9621..c52df1a6d9cd20eecfb13c5cea446fa7b61d4280 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -16,6 +16,7 @@ krb5_lifetime = str, None, false
 krb5_renew_interval = int, None, false
 krb5_use_fast = str, None, false
 krb5_fast_principal = str, None, false
+krb5_canonicalize = bool, None, false
 
 [provider/krb5/access]
 
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index fb59279238c039a6cd282bee4743e9cd0e6746ab..0e59576ae52c7ef5e7c9f4c93ac8159406ac2e44 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -175,6 +175,21 @@
 </para>
 </listitem>
 </varlistentry>
+
+ <varlistentry>
+ <term>krb5_canonicalize (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the host and user pricipal should be
+ canonicalized.
+ </para>
+
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
 <varlistentry>
 <term>ipa_hbac_refresh (integer)</term>
 <listitem>
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index d629d876f929d6c077c4e560ccecce2284309595..e3f616ad4628f1c277820b00208f5c84541813bd 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -405,6 +405,20 @@
 </listitem>
 </varlistentry>
 
+ <varlistentry>
+ <term>krb5_canonicalize (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the host and user pricipal should be
+ canonicalized.
+ </para>
+
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
 </variablelist>
 </para>
 </refsect1>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index c622945684112a353b8667fbaa53432b4865151f..be67dec9acfd8a59e6024ad98e4a3a8e691abc54 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -175,7 +175,8 @@ struct dp_option ipa_def_krb5_opts[] = {
 { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
 { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }
 };
 
 int ipa_get_options(TALLOC_CTX *memctx,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 575911504920824ffdd6bcb365c513ee156c2c0b..20074b45b521febb854fbbaa359fafea2f24c64c 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
 /* the following define is used to keep track of the options in the krb5
 * module, so that if they change and ipa is not updated correspondingly
 * this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 14
+#define IPA_KRB5_OPTS_TEST 15
 
 enum ipa_basic_opt {
 IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index ec2251e43807f8df3aaab4058eb69f6030d7ff2e..63f2d0607183caef0553748f9f4b85a2698756a4 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
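Review bot: The IPA option table turns canonicalization on by default (`{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }`) while the generic krb5 table in krb5_common.c leaves it off, and nothing in the table says why the two differ. Canonicalization lets the KDC, not the client, decide the final client principal name, so enabling it by default is a trust decision that deserves a one-line comment next to the entry, e.g. `/* IPA KDCs are trusted to canonicalize host/user principals; the plain krb5 provider defaults to false */` (the exact reason is only inferred here and should be confirmed by the author). The IPA_KRB5_OPTS_TEST bump to 15 correctly keeps the runtime size check against default_krb5_opts in sync with the new entry. The ipa_def_krb5_opts array starts outside the hunk.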
@@ -586,6 +586,18 @@ done:
 }
 
 
+static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts)
+{
+ int canonicalize = 0;
+ char *tmp_str;
+
+ tmp_str = getenv(SSSD_KRB5_CANONICALIZE);
+ if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+ canonicalize = 1;
+ }
+ krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
+}
+
 static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
 krb5_principal princ,
 krb5_keytab keytab,
@@ -601,6 +613,7 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
 krb5_get_init_creds_opt_set_address_list(&options, NULL);
 krb5_get_init_creds_opt_set_forwardable(&options, 0);
 krb5_get_init_creds_opt_set_proxiable(&options, 0);
+ krb5_set_canonicalize(&options);
 
 kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
 &options);
@@ -1482,6 +1495,8 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
 }
 }
 
+ krb5_set_canonicalize(kr->options);
+
 kerr = check_fast_ccache(kr->ctx, fast_principal, fast_principal_realm,
 kr->keytab, kr, &kr->fast_ccname);
 if (kerr != 0) {
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 4e792861bdf9891628750ecee849d522cdf2b08e..4675e0a1f18a9608affaec5dfb5ce8a3f16e3011 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -45,7 +45,8 @@ struct dp_option default_krb5_opts[] = {
 { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
 { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
 };
 
 errno_t check_and_export_lifetime(struct dp_option *opts, const int opt_id,
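Review bot: krb5_set_canonicalize only requests canonicalization; nothing in these hunks reads back the client principal the KDC actually returns (creds.client after krb5_get_init_creds_keytab, or the equivalent in krb5_child_setup's caller), so if the KDC answers with a different name than the one requested, the rest of krb5_child presumably keeps working with the requested principal — this should be checked against the code outside the hunk and documented either way, since a mismatch between the requested and the issued name is exactly what canonicalization introduces. The helper treats only the exact string "true" (case-insensitively) as enabled; that matches what check_and_export_options writes, but the contract is implicit, so add `/* Set by the parent in check_and_export_options(); only "true" enables it. */` above the getenv call. krb5_get_init_creds_opt_set_canonicalize is not present in every libkrb5 release SSSD may still build against, so a configure-time check (or an #ifdef around the call) would avoid a build break there. Both get_and_save_tgt_with_keytab and krb5_child_setup start and end outside the hunks.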
@@ -169,6 +170,12 @@ errno_t check_and_export_options(struct dp_option *opts,
 }
 }
 
+ if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) {
+ setenv(SSSD_KRB5_CANONICALIZE, "true", 1);
+ } else {
+ setenv(SSSD_KRB5_CANONICALIZE, "false", 1);
+ }
+
 dummy = dp_opt_get_cstring(opts, KRB5_KDC);
 if (dummy == NULL) {
 DEBUG(1, ("No KDC explicitly configured, using defaults.\n"));
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 670fd1a51d95f594ad9a57a20619898cb0ef38d0..950505f1208f164f9267aacbf49da136b3cc0073 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -39,6 +39,7 @@
 #define SSSD_KRB5_LIFETIME "SSSD_KRB5_LIFETIME"
 #define SSSD_KRB5_USE_FAST "SSSD_KRB5_USE_FAST"
 #define SSSD_KRB5_FAST_PRINCIPAL "SSSD_KRB5_FAST_PRINCIPAL"
+#define SSSD_KRB5_CANONICALIZE "SSSD_KRB5_CANONICALIZE"
 
 #define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
 #define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -61,6 +62,7 @@ enum krb5_opts {
 KRB5_RENEW_INTERVAL,
 KRB5_USE_FAST,
 KRB5_FAST_PRINCIPAL,
+ KRB5_CANONICALIZE,
 KRB5_OPTS
 };
 
-- 
1.7.6.2
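Review bot: Both setenv calls in the new block of check_and_export_options discard their return value, so a failed export silently leaves the child reading whatever SSSD_KRB5_CANONICALIZE held before, and the log shows nothing. If the rest of this function reports setenv failures for the other exported options (it appears to follow that pattern, but the surrounding code is outside the hunk), the new code should do the same, and the two branches can collapse into one call; this assumes an `int ret` is already in scope, as it is for the other exports. The krb5_common.h hunks are consistent: KRB5_CANONICALIZE is appended before KRB5_OPTS, matching the new last entry of default_krb5_opts. check_and_export_options starts and ends outside the hunk.

```c
    ret = setenv(SSSD_KRB5_CANONICALIZE,
                 dp_opt_get_bool(opts, KRB5_CANONICALIZE) ? "true" : "false",
                 1);
    if (ret != EOK) {
        DEBUG(2, ("setenv %s failed, authentication might fail.\n",
                  SSSD_KRB5_CANONICALIZE));
    }
    /* … unchanged: KRB5_KDC export … */
```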