> On Tue, Nov 01, 2011 at 05:11:28PM +0100, Jan Zelený wrote: > > > On Tue, 2011-11-01 at 16:03 +0100, Jakub Hrozek wrote: > > > > On Tue, Nov 01, 2011 at 03:44:04PM +0100, Jan Zelený wrote: > > > > > > On Thu, Oct 20, 2011 at 10:48:08AM +0200, Jan Zelený wrote: > > > > > > > https://fedorahosted.org/sssd/ticket/957 > > > > > > > > > > > > > > Jan > > > > > > > > > > > > Nack: > > > > > > > > > > > > Please fix the unittests. > > > > > > > > > > > > The new option needs to be added to the sss-krb5 man page. > > > > > > > > > > > > I think it would make sense to rebase this patch on top of > > > > > > "[PATCH] Add krb5_fast_principal to SSSDConfig API". > > > > > > > > > > > > If you're staying with the env variable and not doing the command > > > > > > line options as Sumit suggested, then it's easier and less error > > > > > > prone to just > > > > > > > > > > > > check if the env variable is set to anything: > > > > > > tmp_str = getenv(SSSD_KRB5_CANONICALIZE); > > > > > > if (tmp_str) { > > > > > > > > > > > > set_canonicalize(); > > > > > > > > > > > > } > > > > > > > > > > > > Maybe it would be nicer to wrap the above in a function to avoid > > > > > > duplication. > > > > > > > > > > > > Does it make sense to pass the option to the LDAP child as well? > > > > > > > > > > > > I'm not sure if we still plan to support old Kerberos libraries, > > > > > > such as RHEL5 with SSSD 1.7.0+ but if we do, you also need to > > > > > > create a wrapper around > > > > > > krb5_get_init_creds_opt_set_canonicalize(). See > > > > > > sss_krb5_get_init_creds_opt_set_expire_callback() for an > > > > > > example. > > > > > > > > > > I'm sending corrected set of patches. Some errors were fixed in the > > > > > first one and the second one covers support of canonicalization in > > > > > LDAP/IPA provider for connections created in ldap_child. 
> > > > > > > > > > Jan > > > > > > > > As discussed on IRC, please also detect if > > > > krb5_get_init_creds_opt_set_canonicalize() is available during > > > > configure and create a wrapper that just returns EOK if not > > > > available. > > > > > > Please also note in the manpages that this feature is only supported on > > > Kerberos 1.? and later (I don't know offhand when it was introduced, > > > probably 1.7). > > > > All done, patches attached. > > > > Jan > > Ack to patch #1. > > Patch #2 needs to canonicalize in other cases than FAST as well.
Thanks for catching that, I somehow missed the FAST condition there. > Patch #3 needs to change dp_opt_get_string() for dp_opt_get_bool() > otherwise the option is not read. Fixed. A new set of patches is attached. Thanks, Jan
From 74996329176044b3a6b994578dee03b33bec0a71 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzel...@redhat.com>
Date: Tue, 1 Nov 2011 10:19:04 -0400
Subject: [PATCH 3/3] Support to request canonicalization in LDAP/IPA provider
https://fedorahosted.org/sssd/ticket/957
---
 src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
 src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
 src/man/sssd-ldap.5.xml | 15 +++++++++++++++
 src/providers/ipa/ipa_common.c | 1 +
 src/providers/ipa/ipa_common.h | 2 +-
 src/providers/ldap/ldap_child.c | 8 ++++++++
 src/providers/ldap/ldap_common.c | 1 +
 src/providers/ldap/sdap.h | 1 +
 src/providers/ldap/sdap_async.h | 1 +
 src/providers/ldap/sdap_async_connection.c | 15 +++++++++++++++
 10 files changed, 45 insertions(+), 1 deletions(-)
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index b5264bacec003c7807abcf0343d11bf8365a158c..9ea45285ec93c4afe0ea2210c5a27a68de894b3f 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -27,6 +27,7 @@ krb5_server = str, None, false
 krb5_realm = str, None, false
 krb5_auth_timeout = int, None, false
 krb5_kpasswd = str, None, false
+krb5_canonicalize = bool, None, false
 ldap_krb5_keytab = str, None, false
 ldap_krb5_init_creds = bool, None, false
 ldap_entry_usn = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 78a7fa34b8bc10279a8d6e4268fba3914d606395..f76ce19a158f1f78f626aed75b178b292e61dc16 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -19,6 +19,7 @@ ldap_sasl_authid = str, None, false
 krb5_kdcip = str, None, false
 krb5_server = str, None, false
 krb5_realm = str, None, false
+krb5_canonicalize = bool, None, false
 ldap_krb5_keytab = str, None, false
 ldap_krb5_init_creds = bool, None, false
 ldap_entry_usn = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 1e1958e71d3ba597fe9974ff04ba4ff137f9ed3b..f1f84ad24b9a0a105605d03fdf162cbed3a2da0a 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1203,6 +1203,21 @@
 </varlistentry>
 
 <varlistentry>
+ <term>krb5_canonicalize (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the host pricipal should be canonicalized
+ when connecting to LDAP server. This feature is
+ available with MIT Kerberos >= 1.7
+ </para>
+
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
 <term>ldap_pwd_policy (string)</term>
 <listitem>
 <para>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index be67dec9acfd8a59e6024ad98e4a3a8e691abc54..82cc1a9ce507644f1f004a78931ffb15fddf4d8d 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -78,6 +78,7 @@ struct dp_option ipa_def_ldap_opts[] = {
 /* use the same parm name as the krb5 module so we set it only once */
 { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING },
 { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 20074b45b521febb854fbbaa359fafea2f24c64c..40c5e53205285d761a43f6f0a77764006a5d79ca 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -35,7 +35,7 @@ struct ipa_service {
 /* the following defines are used to keep track of the options in the ldap
 * module, so that if they change and ipa is not updated correspondingly
 * this will trigger a runtime abort error */
-#define IPA_OPTS_BASIC_TEST 52
+#define IPA_OPTS_BASIC_TEST 53
 /* the following define is used to keep track of the options in the krb5
 * module, so that if they change and ipa is not updated correspondingly
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index b0051fa9177ca84e671d2d1829533910da6bb0c9..02c7e55737ad743ba05e7138cf1e5554939dfdc0 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -139,6 +139,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 char *realm_name = NULL;
 char *full_princ = NULL;
 char *default_realm = NULL;
+ char *tmp_str = NULL;
 krb5_context context = NULL;
 krb5_keytab keytab = NULL;
 krb5_ccache ccache = NULL;
@@ -147,6 +148,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 krb5_get_init_creds_opt options;
 krb5_error_code krberr;
 krb5_timestamp kdc_time_offset;
+ int canonicalize = 0;
 int kdc_time_offset_usec;
 int ret;
@@ -253,6 +255,12 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 krb5_get_init_creds_opt_set_proxiable(&options, 0);
 krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
+ tmp_str = getenv("KRB5_CANONICALIZE");
+ if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+ canonicalize = 1;
+ }
+ sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
+
 krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, keytab, 0, NULL, &options);
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index aad42bac91537a3743013d5f77ce207fe9ab58d3..de5abcc7214b9742bc8066a0227f57acb4774291 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
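Review bot: The environment variable read in the new ldap_child_get_tgt_sync code is the bare literal `"KRB5_CANONICALIZE"`, while the krb5 provider half of this series exports `SSSD_KRB5_CANONICALIZE` through a `#define` in krb5_common.h; the unprefixed name looks like one of libkrb5's own KRB5_* settings (KRB5_CONFIG, KRB5_KTNAME) and is repeated as a string literal here and in both setenv() calls of sdap_kinit_send in sdap_async_connection.c, so a typo on either side silently disables the option with no error. Define the name once (reuse `SSSD_KRB5_CANONICALIZE` if ldap_child.c can include krb5_common.h, otherwise an equivalent `#define` next to the other LDAP child names — placeholder location) and use the macro at all three sites. The parse itself, `tmp_str != NULL && strcasecmp(tmp_str, "true") == 0`, is the same as krb5_set_canonicalize in krb5_child.c; with a shared variable name the two children could share that helper too. ldap_child_get_tgt_sync begins and ends outside the hunk.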
@@ -69,6 +69,7 @@ struct dp_option default_basic_opts[] = {
 /* use the same parm name as the krb5 module so we set it only once */
 { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
 { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 7d704b55f1bb8082746763e3b379c38d015a6378..a93f51c861435cd8ab6fefd1a678b29ad4eaf7c1 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -183,6 +183,7 @@ enum sdap_basic_opt {
 SDAP_KRB5_KINIT,
 SDAP_KRB5_KDC,
 SDAP_KRB5_REALM,
+ SDAP_KRB5_CANONICALIZE,
 SDAP_PWD_POLICY,
 SDAP_REFERRALS,
 SDAP_ACCOUNT_CACHE_EXPIRATION,
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 8714e2bad7589b93c21530644c64d66aea84ffea..e6fd1e34aef5d533ed974c852f7d8247e5927ce0 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -87,6 +87,7 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
 const char *keytab,
 const char *principal,
 const char *realm,
+ bool canonicalize,
 int lifetime);
 int sdap_kinit_recv(struct tevent_req *req,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index c69b9bce0f4649e76138168a4883c138ff5c721f..076e7ee3708d97341bd3cd2a0269331557ff19f1 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -784,6 +784,7 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
 const char *keytab,
 const char *principal,
 const char *realm,
+ bool canonicalize,
 int lifetime)
 {
 struct tevent_req *req;
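Review bot: The new default_basic_opts entry in ldap_common.c sets krb5_canonicalize to `BOOL_TRUE, BOOL_TRUE`, but the sssd-ldap.5.xml hunk in this same patch documents `Default: false`, and the krb5 provider's default_krb5_opts in patch 2/3 uses `BOOL_FALSE, BOOL_FALSE`; code and documentation disagree for the plain LDAP provider. Unless the intent is that LDAP-with-GSSAPI canonicalizes by default (the IPA table in ipa_common.c deliberately does, and its man page says true), change the line to `{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },`; otherwise correct the man page. The IPA_OPTS_BASIC_TEST bump in ipa_common.h already keeps the two tables the same size, so only the default value needs a decision.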
@@ -821,6 +822,18 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
 }
 }
+ if (canonicalize) {
+ ret = setenv("KRB5_CANONICALIZE", "true", 1);
+ } else {
+ ret = setenv("KRB5_CANONICALIZE", "false", 1);
+ }
+ if (ret == -1) {
+ DEBUG(2, ("Failed to set KRB5_CANONICALIZE to %s\n",
+ ((canonicalize)?"true":"false")));
+ talloc_free(req);
+ return NULL;
+ }
+
 subreq = sdap_kinit_next_kdc(req);
 if (!subreq) {
 talloc_free(req);
@@ -1400,6 +1413,8 @@ static void sdap_cli_kinit_step(struct tevent_req *req)
 dp_opt_get_string(state->opts->basic, SDAP_SASL_AUTHID),
 realm,
+ dp_opt_get_bool(state->opts->basic,
+ SDAP_KRB5_CANONICALIZE),
 dp_opt_get_int(state->opts->basic, SDAP_KRB5_TICKET_LIFETIME));
 if (!subreq) {
-- 1.7.6.2
From 59dff8e5b8e6483a02885b0e7ba55ba95b019474 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzel...@redhat.com>
Date: Tue, 1 Nov 2011 17:05:52 +0100
Subject: [PATCH 1/3] Add wrapper for krb5_get_init_creds_opt_set_canonicalize
---
 src/external/krb5.m4 | 1 +
 src/util/sss_krb5.c | 10 ++++++++++
 src/util/sss_krb5.h | 3 +++
 3 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/src/external/krb5.m4 b/src/external/krb5.m4
index ce442cecfba8e01311ec936b8b070fed7dd5836f..40d632ce595e206197b7fd9dc86e4377fd5938e8 100644
--- a/src/external/krb5.m4
+++ b/src/external/krb5.m4
@@ -42,6 +42,7 @@ AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
 krb5_get_init_creds_opt_set_expire_callback \
 krb5_get_init_creds_opt_set_fast_ccache_name \
 krb5_get_init_creds_opt_set_fast_flags \
+ krb5_get_init_creds_opt_set_canonicalize \
 krb5_unparse_name_flags])
 CFLAGS=$SAVE_CFLAGS
 LIBS=$SAVE_LIBS
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index ddd79be82e673b63899854419e43b737b5e1c543..3311ef542f13aebd2e322be5ba425f4fc1def838 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -913,3 +913,13 @@ cleanup:
 return ret;
 #endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */
 }
+
+void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
+ int canonicalize)
+{
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE
+ return krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
+#else
+ DEBUG(SSSDBG_OP_FAILURE, ("Kerberos principal canonicalization is not avaliable!\n"));
+#endif
+}
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 15f862b47184e7a40dd6ff6347026d91344ea834..039b79af06ac31be4c08b8737d0c794c98eb9a26 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
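Review bot: In the new sss_krb5_get_init_creds_opt_set_canonicalize wrapper in sss_krb5.c, `return krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);` returns an expression from a function declared `void`, which ISO C does not permit (gcc -pedantic warns); drop the `return`. The `#else` branch logs at SSSDBG_OP_FAILURE on every call regardless of the argument, and patches 2/3 call this wrapper unconditionally from both krb5_child and ldap_child, so a build against a Kerberos without the function would log a failure for every AS request even when canonicalization is off; gate the message as `if (canonicalize) {` / `DEBUG(SSSDBG_OP_FAILURE, ("Kerberos principal canonicalization is not available!\n"));` / `}` (which also fixes the `avaliable` spelling). A one-line comment on the declaration in sss_krb5.h saying the call is a no-op apart from logging when HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE is undefined would tell callers what the fallback actually does.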
@@ -112,4 +112,7 @@ krb5_error_code sss_krb5_unparse_name_flags(krb5_context context,
 krb5_const_principal principal,
 int flags,
 char **name);
+void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
+ int canonicalize);
+
 #endif /* __SSS_KRB5_H__ */
-- 1.7.6.2
From c769d2a5bc2d38200c7423c543bca2247ece8d2b Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzel...@redhat.com>
Date: Wed, 19 Oct 2011 03:27:47 -0400
Subject: [PATCH 2/3] Add support to request canonicalization on krb AS requests
https://fedorahosted.org/sssd/ticket/957
---
 src/config/SSSDConfig.py | 1 +
 src/config/SSSDConfigTest.py | 9 ++++++---
 src/config/etc/sssd.api.d/sssd-krb5.conf | 1 +
 src/man/sssd-ipa.5.xml | 17 +++++++++++++++++
 src/man/sssd-krb5.5.xml | 15 +++++++++++++++
 src/providers/ipa/ipa_common.c | 3 ++-
 src/providers/ipa/ipa_common.h | 2 +-
 src/providers/krb5/krb5_child.c | 15 +++++++++++++++
 src/providers/krb5/krb5_common.c | 9 ++++++++-
 src/providers/krb5/krb5_common.h | 2 ++
 10 files changed, 68 insertions(+), 6 deletions(-)
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index e77382110cc21f3403ef22e1f543b483bccc6834..172c1f797eae283dc3150f642aac318bb1f58dd1 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -120,6 +120,7 @@ option_strings = {
 'krb5_renew_interval' : _("Time between two checks for renewal"),
 'krb5_use_fast' : _("Enables FAST"),
 'krb5_fast_principal' : _("Selects the principal to use for FAST"),
+ 'krb5_canonicalize' : _("Enables principal canonicalization"),
 # [provider/krb5/chpass]
 'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 79c18bcf3cb8f2baf0ac12b64e5e25ab6c370b55..16ddfe5012654dc1600b79ad90493a409b0d5c9d 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -566,7 +566,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'krb5_lifetime',
 'krb5_renew_interval',
 'krb5_use_fast',
- 'krb5_fast_principal'])
+ 'krb5_fast_principal',
+ 'krb5_canonicalize'])
 options = domain.list_options()
@@ -719,7 +720,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'krb5_lifetime',
 'krb5_renew_interval',
 'krb5_use_fast',
- 'krb5_fast_principal']
+ 'krb5_fast_principal',
+ 'krb5_canonicalize']
 self.assertTrue(type(options) == dict, "Options should be a dictionary")
@@ -882,7 +884,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'krb5_lifetime',
 'krb5_renew_interval',
 'krb5_use_fast',
- 'krb5_fast_principal'])
+ 'krb5_fast_principal',
+ 'krb5_canonicalize'])
 options = domain.list_options()
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index 993763b6eb8277afdbd75ef1b4805869aadd9621..c52df1a6d9cd20eecfb13c5cea446fa7b61d4280 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -16,6 +16,7 @@ krb5_lifetime = str, None, false
 krb5_renew_interval = int, None, false
 krb5_use_fast = str, None, false
 krb5_fast_principal = str, None, false
+krb5_canonicalize = bool, None, false
 [provider/krb5/access]
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index fb59279238c039a6cd282bee4743e9cd0e6746ab..2c1a0ed8c37b4429b1929637807d3cbedcca1d68 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -175,6 +175,23 @@
 </para>
 </listitem>
 </varlistentry>
+
+ <varlistentry>
+ <term>krb5_canonicalize (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the host and user pricipal should be
+ canonicalized when connecting to IPA LDAP and also for AS
+ requests. This feature is available with MIT
+ Kerberos >= 1.7
+ </para>
+
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
 <varlistentry>
 <term>ipa_hbac_refresh (integer)</term>
 <listitem>
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index d629d876f929d6c077c4e560ccecce2284309595..3f2f33e311cb0b292795fbb862eef2963b91ce1b 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -405,6 +405,21 @@
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>krb5_canonicalize (boolean)</term>
+ <listitem>
+ <para>
+ Specifies if the host and user pricipal should be
+ canonicalized. This feature is available with MIT
+ Kerberos >= 1.7
+ </para>
+
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
 </variablelist>
 </para>
 </refsect1>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index c622945684112a353b8667fbaa53432b4865151f..be67dec9acfd8a59e6024ad98e4a3a8e691abc54 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -175,7 +175,8 @@ struct dp_option ipa_def_krb5_opts[] = {
 { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
 { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }
 };
 int ipa_get_options(TALLOC_CTX *memctx,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 575911504920824ffdd6bcb365c513ee156c2c0b..20074b45b521febb854fbbaa359fafea2f24c64c 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
 /* the following define is used to keep track of the options in the krb5
 * module, so that if they change and ipa is not updated correspondingly
 * this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 14
+#define IPA_KRB5_OPTS_TEST 15
 enum ipa_basic_opt {
 IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index ec2251e43807f8df3aaab4058eb69f6030d7ff2e..fe87210947cb7b826d3c9b18beb9fbf96ef5a734 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -586,6 +586,18 @@ done:
 }
+static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts)
+{
+ int canonicalize = 0;
+ char *tmp_str;
+
+ tmp_str = getenv(SSSD_KRB5_CANONICALIZE);
+ if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
+ canonicalize = 1;
+ }
+ sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
+}
+
 static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
 krb5_principal princ,
 krb5_keytab keytab,
@@ -601,6 +613,7 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
 krb5_get_init_creds_opt_set_address_list(&options, NULL);
 krb5_get_init_creds_opt_set_forwardable(&options, 0);
 krb5_get_init_creds_opt_set_proxiable(&options, 0);
+ krb5_set_canonicalize(&options);
 kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL, &options);
@@ -1444,6 +1457,8 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
 }
 if (!offline) {
+ krb5_set_canonicalize(kr->options);
+
 use_fast_str = getenv(SSSD_KRB5_USE_FAST);
 if (use_fast_str == NULL || strcasecmp(use_fast_str, "never") == 0) {
 DEBUG(9, ("Not using FAST.\n"));
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 4e792861bdf9891628750ecee849d522cdf2b08e..4675e0a1f18a9608affaec5dfb5ce8a3f16e3011 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -45,7 +45,8 @@ struct dp_option default_krb5_opts[] = {
 { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
 { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
 };
 errno_t check_and_export_lifetime(struct dp_option *opts, const int opt_id,
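Review bot: The new krb5_set_canonicalize helper in krb5_child.c carries no comment on the contract it depends on: a reader cannot see from this file that SSSD_KRB5_CANONICALIZE is written by check_and_export_options in krb5_common.c as the strings "true"/"false", or that an unset variable or any value other than a case-insensitive "true" leaves canonicalization off. Suggest placing above the function `/* Apply krb5_canonicalize as exported by the parent in check_and_export_options(): SSSD_KRB5_CANONICALIZE set to "true" enables it, anything else (or unset) disables it. */`. `tmp_str` is never written through, so `const char *tmp_str;` states that intent. get_and_save_tgt_with_keytab and krb5_child_setup both begin and end outside their hunks.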
@@ -169,6 +170,12 @@ errno_t check_and_export_options(struct dp_option *opts,
 }
 }
+ if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) {
+ setenv(SSSD_KRB5_CANONICALIZE, "true", 1);
+ } else {
+ setenv(SSSD_KRB5_CANONICALIZE, "false", 1);
+ }
+
 dummy = dp_opt_get_cstring(opts, KRB5_KDC);
 if (dummy == NULL) {
 DEBUG(1, ("No KDC explicitly configured, using defaults.\n"));
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 670fd1a51d95f594ad9a57a20619898cb0ef38d0..950505f1208f164f9267aacbf49da136b3cc0073 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -39,6 +39,7 @@
 #define SSSD_KRB5_LIFETIME "SSSD_KRB5_LIFETIME"
 #define SSSD_KRB5_USE_FAST "SSSD_KRB5_USE_FAST"
 #define SSSD_KRB5_FAST_PRINCIPAL "SSSD_KRB5_FAST_PRINCIPAL"
+#define SSSD_KRB5_CANONICALIZE "SSSD_KRB5_CANONICALIZE"
 #define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
 #define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -61,6 +62,7 @@ enum krb5_opts {
 KRB5_RENEW_INTERVAL,
 KRB5_USE_FAST,
 KRB5_FAST_PRINCIPAL,
+ KRB5_CANONICALIZE,
 KRB5_OPTS
 };
-- 1.7.6.2
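Review bot: Both setenv() calls added to check_and_export_options discard their return value, whereas the matching change in sdap_kinit_send (patch 3/3) checks `ret == -1` and fails the request; if setenv fails here the krb5_child inherits whatever value the environment already held and the configured option is silently ignored. The function returns errno_t, so report it: `ret = setenv(SSSD_KRB5_CANONICALIZE, dp_opt_get_bool(opts, KRB5_CANONICALIZE) ? "true" : "false", 1);` followed by `if (ret != 0) { ret = errno; DEBUG(1, ("setenv failed.\n")); return ret; }`, assuming `ret` is a local already declared in this function (its body lies mostly outside the hunk, so declare one if not). Whether the neighbouring setenv calls in the same function check their result is not visible here; the new code should follow whichever convention they use, but the two `1` overwrite flags and the fixed "true"/"false" vocabulary should at least match the reader in krb5_child.c.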