From 5171490e533d41fa03369dfd8f6c4d826fffa70f Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 28 May 2013 18:32:32 +0200 Subject: [PATCH] Set canonicalize flag if enterprise principals are used In contrast to MIT KDCs AD does not automatically canonicalize the enterprise principal in an AS request but requires the canonicalize flags to be set. To be on the safe side we always enable canonicalization if enterprise principals are used. --- src/providers/krb5/krb5_common.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index c6865c0..940cc37 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c @@ -155,7 +155,12 @@ errno_t check_and_export_options(struct dp_option *opts, } } - if (dp_opt_get_bool(opts, KRB5_CANONICALIZE)) { + /* In contrast to MIT KDCs AD does not automatically canonicalize the + * enterprise principal in an AS request but requires the canonicalize + * flags to be set. To be on the safe side we always enable + * canonicalization if enterprise principals are used. */ + if (dp_opt_get_bool(opts, KRB5_CANONICALIZE) + || dp_opt_get_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL)) { ret = setenv(SSSD_KRB5_CANONICALIZE, "true", 1); } else { ret = setenv(SSSD_KRB5_CANONICALIZE, "false", 1); -- 1.7.7.6