Index: helpers/external_acl/kerberos_ldap_group/support_krb5.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support_krb5.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/support_krb5.cc
@@ -80,7 +80,7 @@ k5_error(const char* msg, krb5_error_cod
  * create Kerberos memory cache
  */
 int
-krb5_create_cache(char *domain)
+krb5_create_cache(struct main_args *margs, char *domain)
 {
     krb5_keytab keytab = NULL;
@@ -288,8 +288,17 @@ krb5_create_cache(char *domain)
         if (code) {
             k5_error("Error while unparsing principal name",code);
         } else {
-            debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
-            found = 1;
+            if (margs->brokenad == 1) {
+                if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){
+                    debug((char *) "%s| %s: DEBUG: Found principal without 'HTTP/' service name: %s NOT USING IT\n", LogTime(), PROGRAM, principal_name);
+                } else {
+                    debug((char *) "%s| %s: DEBUG: Found principal with 'HTTP/' service name: %s\n", LogTime(), PROGRAM, principal_name);
+                    found = 1;
+                }
+            } else {
+                debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
+                found = 1;
+            }
         }
     }
 #if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY )
Index: helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
@@ -66,6 +66,7 @@ init_args(struct main_args *margs)
     margs->AD = 0;
     margs->mdepth = 5;
     margs->nokerberos = 0;
+    margs->brokenad = 0;
     margs->ddomain = NULL;
     margs->groups = NULL;
     margs->ndoms = NULL;
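Review bot: The header comment above the new signature still reads only ` * create Kerberos memory cache` and says nothing about the added `margs` parameter, which the body (second hunk of this file) dereferences as `margs->brokenad` with no NULL check. Add a line to that comment such as ` * margs: helper arguments, must be non-NULL; margs->brokenad restricts the keytab scan to HTTP/ principals`. The comment block opens before the hunk and the body of krb5_create_cache runs far past it.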
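Review bot: The filter `if (!strncmp(principal_name,"HTTP/",strlen("HTTP/"))==0){` depends on `!` binding tighter than `==`, so it parses as `(!strncmp(...)) == 0` and is true when the prefix does not match; the behaviour is right, but it reads as the opposite and is the form GCC's -Wlogical-not-parentheses warns about. State the intent directly: `if (strncmp(principal_name, "HTTP/", strlen("HTTP/")) != 0) {`. The comparison is also case-sensitive, so a keytab entry named `http/...` is skipped in -x mode; if that is intended it belongs in the -x usage text. On the NOT USING IT path the string krb5_unparse_name stored in principal_name is left for the next iteration to overwrite; the loop continues outside the hunk, so check that it frees principal_name before the next entry, otherwise every skipped entry leaks it.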
@@ -189,7 +190,7 @@ main(int argc, char *const argv[])
     init_args(&margs);
-    while (-1 != (opt = getopt(argc, argv, "diasng:D:N:S:u:U:t:T:p:l:b:m:h"))) {
+    while (-1 != (opt = getopt(argc, argv, "diasnxg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
         switch (opt) {
         case 'd':
             debug_enabled = 1;
@@ -206,6 +207,9 @@ main(int argc, char *const argv[])
         case 'n':
             margs.nokerberos = 1;
             break;
+        case 'x':
+            margs.brokenad = 1;
+            break;
         case 'g':
             margs.glist = xstrdup(optarg);
             break;
@@ -261,6 +265,7 @@ main(int argc, char *const argv[])
     fprintf(stderr, "-l ldap url\n");
     fprintf(stderr, "-b ldap bind path\n");
     fprintf(stderr, "-s use SSL encryption with Kerberos authentication\n");
+    fprintf(stderr, "-x force use of HTTP/ principal on ms ad 2008\n");
     fprintf(stderr, "-a allow SSL without cert verification\n");
     fprintf(stderr, "-m maximal depth for recursive searches\n");
     fprintf(stderr, "-h help\n");
Index: helpers/external_acl/kerberos_ldap_group/support.h
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support.h.orig
+++ helpers/external_acl/kerberos_ldap_group/support.h
@@ -106,6 +106,7 @@ struct main_args {
     int AD;
     int mdepth;
     int nokerberos;
+    int brokenad;
     char *ddomain;
     struct gdstruct *groups;
     struct ndstruct *ndoms;
@@ -181,7 +182,7 @@ struct kstruct {
     char* mem_ccache[MAX_DOMAINS];
     int ncache;
 };
-int krb5_create_cache(char *domain);
+int krb5_create_cache(struct main_args *margs, char *domain);
 void krb5_cleanup(void);
 #endif
Index: helpers/external_acl/kerberos_ldap_group/support_ldap.cc
===================================================================
--- helpers/external_acl/kerberos_ldap_group/support_ldap.cc.orig
+++ helpers/external_acl/kerberos_ldap_group/support_ldap.cc
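Review bot: The usage line `fprintf(stderr, "-x force use of HTTP/ principal on ms ad 2008\n");` in the -261 hunk gives the motivation rather than the effect; what the option does, per the support_krb5.cc hunk, is accept only keytab entries whose principal name starts with `HTTP/` and skip every other service principal, and an operator cannot tell that from the help text. Suggest `fprintf(stderr, "-x only use keytab principals starting with HTTP/ (workaround for MS AD 2008)\n");`. The same gap applies to the new `int brokenad;` field in the struct main_args hunk of support.h, which carries no comment; a trailing `/* -x: restrict the keytab scan to HTTP/ principals */` would tie the flag to its effect.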
@@ -902,7 +902,7 @@ get_memberof(struct main_args *margs, ch
             kc = 1;
             debug((char *) "%s| %s: DEBUG: Kerberos is disabled. Use username/password with ldap url instead\n", LogTime(), PROGRAM);
         } else {
-            kc = krb5_create_cache(domain);
+            kc = krb5_create_cache(margs,domain);
             if (kc) {
                 error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
             }
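Review bot: The new call `kc = krb5_create_cache(margs,domain);` drops the space after the comma that the neighbouring `LogTime(), PROGRAM` argument lists use; write `kc = krb5_create_cache(margs, domain);`. get_memberof starts and ends outside the hunk, so whether margs can be NULL here is not visible; the callee now dereferences it without a check, so if any caller can pass NULL the guard has to be added on one side or the other.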