Commit
If the PKINIT plugin is installed and pkinit_identities is set in /etc/krb5.conf, libkrb5 will try to do PKINIT although ldap_child only wants to authenticate with a keytab. As a result ldap_child might try to access a Smartcard which is either not allowed at all or might cause unexpected delays.

To avoid this the current patch sets pkinit_identities for LDAP child explicitly to make the PKINIT plugin fail because if installed libkrb5 will always use it.

It turned out that setting pre-authentication options requires some internal flags to be set and krb5_get_init_creds_opt_alloc() must be used to initialize the options struct.

Related to https://pagure.io/SSSD/sssd/issue/4126

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>