>From f839a11fe0ced617fdae84d29228393aa0bc212f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 26 Aug 2009 11:08:55 +0200
Subject: [PATCH] send SSSD_REALM and SSSD_KDCIP environment to the client

Currently the kerberos locator plugin needs these two variables to
be set to find a KDC which is configured in sssd but not in
/etc/krb5.conf.
---
 server/providers/krb5/krb5_auth.c |   33 +++++++++++++++++++++++++++++++--
 1 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c
index 39bc170..b1fe47a 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -74,7 +74,9 @@ static void krb5_cleanup(struct krb5_req *kr)
     if (kr->ctx != NULL)
         krb5_free_context(kr->ctx);
 
-    talloc_free(kr);
+    memset(kr, 0, sizeof(struct krb5_req));
+
+    talloc_zfree(kr);
 }
 
 static int krb5_setup(struct be_req *req, const char *user_princ_str,
@@ -98,6 +100,7 @@ static int krb5_setup(struct be_req *req, const char *user_princ_str,
 
     kr->pd = pd;
     kr->req = req;
+    kr->krb5_ctx = krb5_ctx;
 
     kerr = krb5_init_context(&kr->ctx);
     if (kerr != 0) {
@@ -484,6 +487,7 @@ static void krb5_pam_handler_done(struct tevent_req *req)
     struct krb5_req *kr = tevent_req_callback_data(req, struct krb5_req);
     struct pam_data *pd = kr->pd;
     struct be_req *be_req = kr->req;
+    struct krb5_ctx *krb5_ctx = kr->krb5_ctx;
     struct tgt_req_state *state = tevent_req_data(req, struct tgt_req_state);
     int ret;
     uint8_t *buf;
@@ -495,6 +499,7 @@ static void krb5_pam_handler_done(struct tevent_req *req)
     int32_t *msg_len;
     struct tevent_req *subreq = NULL;
     char *password = NULL;
+    char *env = NULL;
 
     pd->pam_status = PAM_SYSTEM_ERR;
     krb5_cleanup(kr);
@@ -529,7 +534,7 @@ static void krb5_pam_handler_done(struct tevent_req *req)
         goto done;
     }
 
-    ret=pam_add_response(kr->pd, *msg_type, *msg_len, &buf[p]);
+    ret=pam_add_response(pd, *msg_type, *msg_len, &buf[p]);
     if (ret != EOK) {
         DEBUG(1, ("pam_add_response failed.\n"));
         goto done;
@@ -537,6 +542,30 @@ static void krb5_pam_handler_done(struct tevent_req *req)
 
     pd->pam_status = *msg_status;
 
+    if (pd->pam_status == PAM_SUCCESS && pd->cmd == SSS_PAM_AUTHENTICATE) {
+        env = talloc_asprintf(pd, "%s=%s", SSSD_REALM, krb5_ctx->realm);
+        if (env == NULL) {
+            DEBUG(1, ("talloc_asprintf failed.\n"));
+            goto done;
+        }
+        ret=pam_add_response(pd, PAM_ENV_ITEM, strlen(env)+1, (uint8_t *) env);
+        if (ret != EOK) {
+            DEBUG(1, ("pam_add_response failed.\n"));
+            goto done;
+        }
+
+        env = talloc_asprintf(pd, "%s=%s", SSSD_KDC, krb5_ctx->kdcip);
+        if (env == NULL) {
+            DEBUG(1, ("talloc_asprintf failed.\n"));
+            goto done;
+        }
+        ret=pam_add_response(pd, PAM_ENV_ITEM, strlen(env)+1, (uint8_t *) env);
+        if (ret != EOK) {
+            DEBUG(1, ("pam_add_response failed.\n"));
+            goto done;
+        }
+    }
+
     if (pd->pam_status == PAM_SUCCESS &&
         be_req->be_ctx->domain->cache_credentials == TRUE) {
         password = talloc_size(be_req, pd->authtok_size + 1);
-- 
1.6.2.5