From 04a1802749b6ebf72730357b06bf8cabe09ebb01 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 24 May 2017 16:10:26 +0200 Subject: [PATCH 139/141] krb5: accept changed principal if krb5_canonicalize=True Currently SSSD accepts significant changes in the principal only if krb5_use_enterprise_principal=True. But canonicalization can lead to similar changes so they should be accepted in this case as well. Resolves: https://pagure.io/SSSD/sssd/issue/3408 Reviewed-by: Robbie Harwood (cherry picked from commit ca95807a9060e454ee68f6f30558d6f7ee968c39) --- src/providers/krb5/krb5_auth.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 894bd41bde031ac33187bfa3b14202e9429a9198..03ea9d88cac67919d4b9ba3a1cf2efa208662195 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -829,6 +829,7 @@ static void krb5_auth_done(struct tevent_req *subreq) char *renew_interval_str; time_t renew_interval_time = 0; bool use_enterprise_principal; + bool canonicalize; ret = handle_child_recv(subreq, pd, &buf, &len); talloc_zfree(subreq); @@ -908,6 +909,7 @@ static void krb5_auth_done(struct tevent_req *subreq) use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_USE_ENTERPRISE_PRINCIPAL); + canonicalize = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_CANONICALIZE); /* Check if the cases of our upn are correct and update it if needed. * Fail if the upn differs by more than just the case for non-enterprise @@ -915,6 +917,7 @@ static void krb5_auth_done(struct tevent_req *subreq) if (res->correct_upn != NULL && strcmp(kr->upn, res->correct_upn) != 0) { if (strcasecmp(kr->upn, res->correct_upn) == 0 || + canonicalize == true || use_enterprise_principal == true) { talloc_free(kr->upn); kr->upn = talloc_strdup(kr, res->correct_upn); -- 2.9.4