URL: https://github.com/SSSD/sssd/pull/415
Author: lslebodn
 Title: #415: Revert "IPA: Only generate kdcinfo files on clients"
Action: opened

PR body:
"""
This reverts commit a309525cc47da726461aec1f238165c17aade2a6.

Even though the original patch was correct, it is better to revert it
because otherwise we hit a bug in MIT krb5: the fallback to admin_server
when kpasswd_server is not set does not work.
It would also take some time for the krb5 fix to propagate to downstream
distributions.

https://bugzilla.redhat.com/show_bug.cgi?id=1498347
"""

From 96de28025e45f397867c9772ddfaaba831908d65 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Thu, 19 Oct 2017 15:43:25 +0200
Subject: [PATCH] Revert "IPA: Only generate kdcinfo files on clients"

This reverts commit a309525cc47da726461aec1f238165c17aade2a6.

Even though the original patch was correct, it is better to revert it
because otherwise we hit a bug in MIT krb5: the fallback to admin_server
when kpasswd_server is not set does not work.
It would also take some time for the krb5 fix to propagate to downstream
distributions.

https://bugzilla.redhat.com/show_bug.cgi?id=1498347
---
 src/providers/ipa/ipa_common.c |  9 +++++++++
 src/providers/ipa/ipa_init.c   | 18 ------------------
 2 files changed, 9 insertions(+), 18 deletions(-)

diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 9b4ad31d1..6bb1e679c 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -736,6 +736,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
               ipa_opts->auth[KRB5_FAST_PRINCIPAL].opt_name, value);
     }
 
+    /* Set flag that controls whether we want to write the
+     * kdcinfo files at all
+     */
+    ipa_opts->service->krb5_service->write_kdcinfo = \
+        dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO);
+    DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n",
+          ipa_opts->auth[KRB5_USE_KDCINFO].opt_name,
+          ipa_opts->service->krb5_service->write_kdcinfo ? "true" : "false");
+
     *_opts = ipa_opts->auth;
     ret = EOK;
 
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index 46ff87f53..5b7c8e134 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -405,24 +405,6 @@ static errno_t ipa_init_krb5_auth_ctx(TALLOC_CTX *mem_ctx,
         return ret;
     }
 
-    /* On clients, set flag that controls whether we want to write the
-     * kdcinfo files at all. Never write kdcinfo files on servers as
-     * we always want to talk to 'self' anyway and we've had broken
-     * sssd configurations with _srv_ on the server which wwould point
-     * to other KDCs with PKINIT certs not trusted on this IDM server.
-     */
-    if (server_mode) {
-        DEBUG(SSSDBG_TRACE_FUNC,
-              "Disabling kdcinfo files on IDM server\n");
-        dp_opt_set_bool(ipa_options->auth, KRB5_USE_KDCINFO, false);
-    }
-
-    ipa_options->service->krb5_service->write_kdcinfo = \
-        dp_opt_get_bool(ipa_options->auth, KRB5_USE_KDCINFO);
-    DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n",
-          ipa_options->auth[KRB5_USE_KDCINFO].opt_name,
-          ipa_options->service->krb5_service->write_kdcinfo ? "true" : "false");
-
     *_krb5_auth_ctx = krb5_auth_ctx;
     return EOK;
 }