still provided.
Add a new string krb5.conf option, ad_base_instance, which, if set,
- changes the way that password synchronization is handled. When this
- option is set, the password for the principal formed by appending that
+ changes the way that password synchronization is handled. This option
+ is only available for Heimdal, not for MIT Kerberos. When this option
+ is set, the password for the principal formed by appending that
instance to a base principal is propagated to Active Directory as the
- password for the base principal. So, for instance, if this is set to
- the string "windows", the password of the principal "user/windows" is
+ password for the base principal. For example, if this is set to the
+ string "windows", the password of the principal "user/windows" is
propagated to Active Directory as the password for the principal
"user" and password changes for the principal "user" are ignored.
This special behavior only happens if "user/windows" exists in the
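Review bot: The NEWS entry says ad_base_instance is Heimdal-only but gives no reason, while the code comment in plugin/config.c attributes it to libkadm5srv corruption observed with MIT Kerberos 1.10.1. A half-sentence here ("because calling libkadm5srv from inside a plugin corrupts state with MIT Kerberos, as of 1.10.1") would tell users whether the restriction is a design decision or a workaround that later MIT releases might lift.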
ad_base_instance
+ This option is only available if built with Heimdal. It will result
+ in an initialization error if set when using MIT Kerberos.
+
If ad_base_instance is set, then any password change for a
single-component principal (such as user@EXAMPLE.COM) will be
handled somewhat specially.
krb5_principal_get_realm \
krb5_principal_set_realm \
krb5_xfree])
-AC_CHECK_TYPES([krb5_realm], [],
- [AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])], [RRA_INCLUDES_KRB5])
+AC_CHECK_TYPES([krb5_realm])
+AC_CHECK_MEMBER([krb5_creds.session],
+ [AC_DEFINE([HAVE_KRB5_HEIMDAL], [1],
+ [Define if your Kerberos implementation is Heimdal.])],
+ [AC_DEFINE([HAVE_KRB5_MIT], [1],
+ [Define if your Kerberos implementation is MIT.])
+ AC_CHECK_HEADERS([krb5/kadm5_hook_plugin.h])],
+ [RRA_INCLUDES_KRB5])
AC_CHECK_FUNCS([krb5_get_init_creds_opt_free],
[RRA_FUNC_KRB5_GET_INIT_CREDS_OPT_FREE_ARGS])
AC_CHECK_FUNCS([krb5_appdefault_string], [],
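Review bot: HAVE_KRB5_MIT is defined in the not-found branch of AC_CHECK_MEMBER([krb5_creds.session]), so any failure of that test, including a compile failure because RRA_INCLUDES_KRB5 did not pull in the right headers, silently classifies the build as MIT and disables ad_base_instance at runtime. Consider a positive MIT check in the else branch (for example AC_CHECK_MEMBER on the MIT-specific krb5_creds member) with AC_MSG_ERROR when neither matches, so a misconfigured build fails at configure time rather than producing a plugin that rejects a documented option.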
/* Get allowed instances from krb5.conf. */
sync_config_list(ctx, "ad_instances", &config->ad_instances);
- /* See if we're propagating an instance to the base account in AD. */
+ /*
+ * See if we're propagating an instance to the base account in AD. This
+ * option is not supported on MIT Kerberos and results in an error there,
+ * since calling libkadm5srv functions from inside a plugin appears to
+ * result in corruption with MIT Kerberos (at least in 1.10.1).
+ */
sync_config_string(ctx, "ad_base_instance", &config->ad_base_instance);
+#if HAVE_KRB5_MIT
+ if (config->ad_base_instance != NULL) {
+ sync_close(ctx, config);
+ return sync_error_config(ctx, "ad_base_instance not supported on MIT"
+ " Kerberos");
+ }
+#endif
/* See if we're forcing queuing of all changes. */
sync_config_boolean(ctx, "ad_queue_only", &config->ad_queue_only);
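Review bot: `#if HAVE_KRB5_MIT` relies on an undefined macro evaluating to 0 on Heimdal builds, which works but triggers -Wundef warnings; since configure.ac only ever defines the symbol (AC_DEFINE to 1) and never defines it to 0, `#ifdef HAVE_KRB5_MIT` states the intent more directly. Also worth confirming that sync_close(ctx, config) releases the string just stored in config->ad_base_instance by sync_config_string, and that sync_error_config does not touch config afterwards, since the error return follows the close.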