On Fri, 14 Feb 2014, Pavel Březina wrote: >IPA: default krb5_fast_principal to host/$client@$realm > >If krb5_fast_principal is not set in sssd.conf it was set to >host/$client, KRB5 default realm was used which doesn't have to be the >same as realm used for IPA, thus authentication failed when using FAST. >From ca2a202739c232c6b70a8d392ba69b3a57b64783 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina(a)redhat.com&gt; >Date: Fri, 14 Feb 2014 11:45:50 +0100 >Subject: [PATCH] IPA: default krb5_fast_principal to host/$client@$realm > >If krb5_fast_principal is not set in sssd.conf it was set to host/$client, >KRB5 default realm was used which doesn't have to be the same as realm >used for IPA, thus authentication failed when using FAST. >--- >src/providers/ipa/ipa_common.c | 8 +++++--- >1 file changed, 5 insertions(+), 3 deletions(-) > >diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c >index c0b6ee2ea9841c549f561195cab3ed38ecc626b3..f84748267d65bedbadf39db3466d28502bfa0e3e 100644 >--- a/src/providers/ipa/ipa_common.c >+++ b/src/providers/ipa/ipa_common.c >@@ -666,13 +666,15 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts, > } > > /* If krb5_fast_principal was not set explicitly, default to >- * host/$client_hostname >+ * host/$client_hostname@REALM > */ > value = dp_opt_get_string(ipa_opts->auth, KRB5_FAST_PRINCIPAL); > if (value == NULL) { >- value = talloc_asprintf(ipa_opts->auth, "host/%s", >+ value = talloc_asprintf(ipa_opts->auth, "host/%s@%s", > dp_opt_get_string(ipa_opts->basic, >- IPA_HOSTNAME)); >+ IPA_HOSTNAME), >+ dp_opt_get_string(ipa_opts->auth, >+ KRB5_REALM)); > if (value == NULL) { > DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set %s!\n", > ipa_opts->auth[KRB5_FAST_PRINCIPAL].opt_name); ACK.