On Mon, Feb 17, 2014 at 07:50:43PM +0200, Alexander Bokovoy wrote:
On Fri, 14 Feb 2014, Pavel Březina wrote:
>IPA: default krb5_fast_principal to host/$client@$realm
>
>If krb5_fast_principal is not set in sssd.conf it was set to
>host/$client, KRB5 default realm was used which doesn't have to be the
>same as realm used for IPA, thus authentication failed when using FAST.
>From ca2a202739c232c6b70a8d392ba69b3a57b64783 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina(a)redhat.com>
>Date: Fri, 14 Feb 2014 11:45:50 +0100
>Subject: [PATCH] IPA: default krb5_fast_principal to host/$client@$realm
>
>If krb5_fast_principal is not set in sssd.conf it was set to host/$client,
>KRB5 default realm was used which doesn't have to be the same as realm
>used for IPA, thus authentication failed when using FAST.
>---
>src/providers/ipa/ipa_common.c | 8 +++++---
>1 file changed, 5 insertions(+), 3 deletions(-)
>
>diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
>index
c0b6ee2ea9841c549f561195cab3ed38ecc626b3..f84748267d65bedbadf39db3466d28502bfa0e3e 100644
>--- a/src/providers/ipa/ipa_common.c
>+++ b/src/providers/ipa/ipa_common.c
>@@ -666,13 +666,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts,
> }
>
> /* If krb5_fast_principal was not set explicitly, default to
>- * host/$client_hostname
>+ * host/$client_hostname@REALM
> */
> value = dp_opt_get_string(ipa_opts->auth, KRB5_FAST_PRINCIPAL);
> if (value == NULL) {
>- value = talloc_asprintf(ipa_opts->auth, "host/%s",
>+ value = talloc_asprintf(ipa_opts->auth, "host/%s@%s",
> dp_opt_get_string(ipa_opts->basic,
>- IPA_HOSTNAME));
>+ IPA_HOSTNAME),
>+ dp_opt_get_string(ipa_opts->auth,
>+ KRB5_REALM));
> if (value == NULL) {
> DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set %s!\n",
> ipa_opts->auth[KRB5_FAST_PRINCIPAL].opt_name);
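Review bot: In the new talloc_asprintf() call, the result of dp_opt_get_string(ipa_opts->auth, KRB5_REALM) is passed straight to the second %s with no NULL check visible in this hunk; the same is true of the existing IPA_HOSTNAME argument. The "if (value == NULL)" test that follows only catches an allocation failure, so if the realm option is not populated at this point the default FAST principal would be formatted from a NULL string instead of failing cleanly. Suggest reading the realm into a local variable, logging and returning an error if it is NULL, and only then building "host/%s@%s". If an earlier part of ipa_get_auth_options() already guarantees that KRB5_REALM is set, a short comment saying so would be enough.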
ACK.
Thank you, I only did some regression testing and all went well.
Pushed to master and sssd-1-11