From adbeda40c0b39918b12c4f72c97a89156c6360c2 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 2 Sep 2015 15:53:34 +0200
Subject: [PATCH 78/87] KRB5: Offline operation with disabled domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://fedorahosted.org/sssd/ticket/2637
If a subdomain is in the disabled state, switch krb5_child operation
into offline mode.
Similarly, instead of marking the whole back end as offline, mark just
the domain as offline -- depending on the domain type, this would mark
the whole back end or just inactivate the subdomain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit dd0a21738e1b71940bba11134734b5999e9fd8e9)
---
src/providers/krb5/krb5_auth.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index da8309d0504a6815902513693343a3500f454557..7ee7fa738db32abeb4709927956d1297325e2d5b 100644
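--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -720,7 +720,7 @@ static void krb5_auth_resolve_done(struct tevent_req *subreq)
 * was found good, setting offline,
 * but we still have to call the child to setup
 * the ccache file if we are performing auth */
- be_mark_offline(state->be_ctx);
+ be_mark_dom_offline(state->domain, state->be_ctx);
 kr->is_offline = true;
 
 if (kr->pd->cmd == SSS_PAM_CHAUTHTOK ||
@@ -754,9 +754,19 @@ static void krb5_auth_resolve_done(struct tevent_req *subreq)
 kr->is_offline = be_is_offline(state->be_ctx);
 }
 
+ if (!kr->is_offline
+ && sss_domain_get_state(state->domain) == DOM_INACTIVE) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Subdomain %s is inactive, will proceed offline\n",
+ state->domain->name);
+ kr->is_offline = true;
+ }
+
 if (kr->is_offline
 && sss_krb5_realm_has_proxy(dp_opt_get_cstring(kr->krb5_ctx->opts,
 KRB5_REALM))) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Resetting offline status, KDC proxy is in use\n");
 kr->is_offline = false;
 }
 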
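Review bot: The KDC-proxy check at the end of the second hunk clears `kr->is_offline` again right after the new inactive-subdomain branch sets it, so for a realm with a proxy configured a subdomain in `DOM_INACTIVE` still takes the online path. If that is the intended precedence, say so in a comment above the proxy check, for example `/* A configured KDC proxy overrides both back end offline and inactive subdomain state */`; if it is not, the reset should be skipped for inactive domains. The realm passed to `sss_krb5_realm_has_proxy()` comes from `kr->krb5_ctx->opts`, which may not be the subdomain's realm; this cannot be confirmed from the hunk, so it is worth checking. The switch to offline mode is logged at `SSSDBG_TRACE_INTERNAL` while the reset is logged at `SSSDBG_TRACE_FUNC`; using the same, more visible level for both would make the choice between cached and online authentication easier to follow in logs. `krb5_auth_resolve_done` starts and ends outside both hunks.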
--
2.4.3