From fa9dfd19a1751964b85aa509f09300a78cbc6424 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 5 Jun 2013 13:06:08 +0200 Subject: [PATCH 4/5] Always send the PAC to the PAC responder Currently while doing a Kerberos based authentication the PAC was only send to the PAC responder for principals from a different realm. This reflects the FreeIPA use case of users from trusted domains. This restriction does not make sense anymore when the data from the PAC should be used for the AD provider as well. It also makes only limited sense for the IPA use case, because when using GSSAPI the PAC of users from the local IPA domain are already evaluated by the PAC responder. --- src/providers/krb5/krb5_child.c | 38 ++++++++++++++++++-------------------- 1 files changed, 18 insertions(+), 20 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 4626f59..8f746a8 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -987,27 +987,25 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) goto done; } - /* Try to find and send the PAC to the PAC responder for principals which - * do not belong to our realm. Failures are not critical. */ - if (kr->upn_from_different_realm) { - kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ, - kr->creds->client, keytab, &pac_authdata); - if (kerr != 0) { - DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_and_send_pac failed, group " \ - "membership for user with principal [%s] " \ - "might not be correct.\n", kr->name)); - kerr = 0; - goto done; - } + /* Try to find and send the PAC to the PAC responder. + * Failures are not critical. */ + kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ, + kr->creds->client, keytab, &pac_authdata); + if (kerr != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, ("sss_extract_and_send_pac failed, group " \ + "membership for user with principal [%s] " \ + "might not be correct.\n", kr->name)); + kerr = 0; + goto done; + } - kerr = sss_send_pac(pac_authdata); - krb5_free_authdata(kr->ctx, pac_authdata); - if (kerr != 0) { - DEBUG(SSSDBG_OP_FAILURE, ("sss_send_pac failed, group " \ - "membership for user with principal [%s] " \ - "might not be correct.\n", kr->name)); - kerr = 0; - } + kerr = sss_send_pac(pac_authdata); + krb5_free_authdata(kr->ctx, pac_authdata); + if (kerr != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, ("sss_send_pac failed, group " \ + "membership for user with principal [%s] " \ + "might not be correct.\n", kr->name)); + kerr = 0; } done: -- 1.7.7.6