Hi, when using SSSD with two different AD domains some issues were observed which were triggered by using enterprise principals (https://bugzilla.redhat.com/show_bug.cgi?id=963818). The following two patches should fix them and upstream ticket https://fedorahosted.org/sssd/ticket/1931.
bye, Sumit
From 0869831977ff2cedfd8530c807bbf8d0e6a9f88c Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Mon, 17 Jun 2013 12:22:32 +0200 Subject: [PATCH 1/2] Use principal from the ticket to find validation entry If canonicalization or enterprise principals are enabled the realm of the client principal might have changed compared to the original request. To find the most suitable keytab entry to validate the TGT is it better to use the returned client principal. Fixes https://fedorahosted.org/sssd/ticket/1931 --- src/providers/krb5/krb5_child.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 74d730a..ac9a905 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -931,7 +931,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) } memset(&entry, 0, sizeof(entry)); - if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) { + if (krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)) { DEBUG(SSSDBG_TRACE_INTERNAL, ("Found keytab entry with the realm of the credential.\n")); realm_entry_found = true; -- 1.7.7.6
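Review bot: the new `krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)` line dereferences `kr->creds` without a check, so the hunk silently assumes `validate_tgt()` is only ever reached after the AS exchange has populated `kr->creds` and its `client` field; since the realm of the returned client principal is exactly what canonicalization or enterprise principals may have changed, this is the right value to compare against, but a short comment above the comparison stating that invariant (or a `if (kr->creds == NULL) return EINVAL;` style guard at the top of the function) would make the dependency explicit for the next reader. The adjacent DEBUG text "Found keytab entry with the realm of the credential" now matches what is actually compared, which is an improvement.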
From 999fa68a8161aa859fc1161c698c3a5155fcecae Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Mon, 17 Jun 2013 12:33:05 +0200 Subject: [PATCH 2/2] Set default realm for enterprise principals Enterprise principals require that a default realm is available. To make SSSD more robust in the case that the default realm option is missing in krb5.conf or to allow SSSD to work with multiple unconnected realms (e.g. AD domains without trust between them) the default realm will be set explicitly. Fixes https://fedorahosted.org/sssd/ticket/1931 --- src/providers/krb5/krb5_child.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index ac9a905..e9fbfbe 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1943,6 +1943,18 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline) } } + /* Enterprise principals require that a default realm is available. To + * make SSSD more robust in the case that the default realm option is + * missing in krb5.conf or to allow SSSD to work with multiple unconnected + * realms (e.g. AD domains without trust between them) the default realm + * will be set explicitly. */ + if (kr->use_enterprise_princ) { + kerr = krb5_set_default_realm(kr->ctx, kr->realm); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, ("krb5_set_default_realm failed.\n")); + } + } + parse_flags = kr->use_enterprise_princ ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0; kerr = sss_krb5_parse_name_flags(kr->ctx, kr->upn, parse_flags, &kr->princ); if (kerr != 0) { -- 1.7.7.6
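Review bot: the error path after `kerr = krb5_set_default_realm(kr->ctx, kr->realm);` only logs `"krb5_set_default_realm failed.\n"` at SSSDBG_CRIT_FAILURE and then falls through to `sss_krb5_parse_name_flags()` with `KRB5_PRINCIPAL_PARSE_ENTERPRISE`, which is the very situation the new comment says must be avoided (no usable default realm while parsing an enterprise principal). Either propagate the failure the same way the parse call directly below does (`if (kerr != 0) { ... return kerr; }`), or add a sentence to the comment explaining why continuing with whatever default realm libkrb5 already has is acceptable here. It would also help to state in the comment that `kr->realm` is guaranteed non-NULL by the time `k5c_setup()` runs, since the call is only meaningful with an explicit realm string.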
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel