Commit 2fddc909 authored by Russ Allbery

Disable ad_base_instance for MIT Kerberos

Calling libkadm5srv functions from inside a kadm5_hook plugin
appears to corrupt the state of the library on MIT Kerberos.
Disable the ad_base_instance configuration option on MIT Kerberos
for the time being.
parent 718a67e0
......@@ -24,11 +24,12 @@ krb5-sync 3.0 (2013-12-09)
still provided.
Add a new string krb5.conf option, ad_base_instance, which, if set,
changes the way that password synchronization is handled. When this
option is set, the password for the principal formed by appending that
changes the way that password synchronization is handled. This option
is only available for Heimdal, not for MIT Kerberos. When this option
is set, the password for the principal formed by appending that
instance to a base principal is propagated to Active Directory as the
password for the base principal. So, for instance, if this is set to
the string "windows", the password of the principal "user/windows" is
password for the base principal. For example, if this is set to the
string "windows", the password of the principal "user/windows" is
propagated to Active Directory as the password for the principal
"user" and password changes for the principal "user" are ignored.
This special behavior only happens if "user/windows" exists in the
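Review bot: the new NEWS sentence "This option is only available for Heimdal, not for MIT Kerberos" says the option is unavailable on MIT but not what happens when it is set there; the README hunk in this same commit states that it is an initialization error. Suggest mirroring that here, e.g. "This option is only available for Heimdal; setting it with MIT Kerberos is a configuration error at plugin initialization", so that upgrading an MIT KDC to 3.0 with a stray ad_base_instance in krb5.conf does not fail unexpectedly at KDC startup.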
......
......@@ -255,6 +255,9 @@ CONFIGURATION
ad_base_instance
This option is only available if built with Heimdal. It will result
in an initialization error if set when using MIT Kerberos.
If ad_base_instance is set, then any password change for a
single-component principal (such as user@EXAMPLE.COM) will be
handled somewhat specially.
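Review bot: the README records that ad_base_instance fails at initialization on MIT but gives no reason, while the comment added to sync_init in this commit does (calling libkadm5srv functions from inside a kadm5_hook plugin corrupts library state on MIT, observed on 1.10.1). Suggest one clause here so an administrator does not read it as merely unimplemented and try to patch the restriction out, e.g. "It will result in an initialization error if set when using MIT Kerberos, where the libkadm5srv calls this option requires cannot safely be made from a plugin."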
......
......@@ -38,8 +38,14 @@ AC_CHECK_FUNCS([krb5_free_default_realm \
krb5_principal_get_realm \
krb5_principal_set_realm \
krb5_xfree])
AC_CHECK_TYPES([krb5_realm], [],
[AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])], [RRA_INCLUDES_KRB5])
AC_CHECK_TYPES([krb5_realm])
AC_CHECK_MEMBER([krb5_creds.session],
[AC_DEFINE([HAVE_KRB5_HEIMDAL], [1],
[Define if your Kerberos implementation is Heimdal.])],
[AC_DEFINE([HAVE_KRB5_MIT], [1],
[Define if your Kerberos implementation is MIT.])
AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])],
[RRA_INCLUDES_KRB5])
AC_CHECK_FUNCS([krb5_get_init_creds_opt_free],
[RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS])
AC_CHECK_FUNCS([krb5_appdefault_string], [],
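Review bot: the Heimdal/MIT split now rests on a single probe, AC_CHECK_MEMBER([krb5_creds.session]), and nothing in configure.ac says why that member identifies Heimdal; the krb5_realm type check that previously played that role is kept directly above it, so a reader cannot tell which of the two decides. Suggest a comment above the AC_CHECK_MEMBER noting that Heimdal's krb5_creds has a "session" member while MIT's does not, and that exactly one of HAVE_KRB5_HEIMDAL and HAVE_KRB5_MIT is defined (the other is left undefined, not defined to 0), so C code must test them with #ifdef rather than #if.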
......
......@@ -55,8 +55,20 @@ sync_init(krb5_context ctx, kadm5_hook_modinfo **result)
/* Get allowed instances from krb5.conf. */
sync_config_list(ctx, "ad_instances", &config->ad_instances);
/* See if we're propagating an instance to the base account in AD. */
/*
* See if we're propagating an instance to the base account in AD. This
* option is not supported on MIT Kerberos and results in an error there,
* since calling libkadm5srv functions from inside a plugin appears to
* result in corruption with MIT Kerberos (at least in 1.10.1).
*/
sync_config_string(ctx, "ad_base_instance", &config->ad_base_instance);
#if HAVE_KRB5_MIT
if (config->ad_base_instance != NULL) {
sync_close(ctx, config);
return sync_error_config(ctx, "ad_base_instance not supported on MIT"
" Kerberos");
}
#endif
/* See if we're forcing queuing of all changes. */
sync_config_boolean(ctx, "ad_queue_only", &config->ad_queue_only);
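Review bot: `#if HAVE_KRB5_MIT` depends on the preprocessor treating an undefined identifier as 0, because the configure.ac change in this commit only AC_DEFINEs HAVE_KRB5_MIT in the MIT branch and leaves it undefined on Heimdal; that is valid C but warns under -Wundef, so prefer `#ifdef HAVE_KRB5_MIT`. The behaviour is the right choice: failing initialization is safer than silently ignoring ad_base_instance, since an MIT administrator who set it would otherwise expect "user/windows" password changes to reach AD as "user" and see no error while nothing propagates. The "(at least in 1.10.1)" in the comment is the only place the affected MIT version is recorded; consider carrying it into the NEWS entry.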
......