Only add WBFLAG_PAM_CONTACT_TRUSTDOM when performing a krb5 auth request.
[ira/wip.git] / source3 / nsswitch / pam_winbind.c
index 81f522741046792c3a7d3f18650aa6e1f2beb35e..d2aea66bcc387415b98a316c347e3024a0b5b709 100644 (file)
@@ -1200,9 +1200,13 @@ static int winbind_auth_request(pam_handle_t * pamh,
        request.data.auth.krb5_cc_type[0] = '\0';
        request.data.auth.uid = -1;
 
-       request.flags = WBFLAG_PAM_INFO3_TEXT |
-                       WBFLAG_PAM_GET_PWD_POLICY |
-                       WBFLAG_PAM_CONTACT_TRUSTDOM;
+       request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY;
+
+       /* Krb5 auth always has to go against the KDC of the user's realm */
+
+       if (ctrl & WINBIND_KRB5_AUTH) {
+               request.flags |= WBFLAG_PAM_CONTACT_TRUSTDOM;
+       }
 
        if (ctrl & (WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN)) {
                struct passwd *pwd = NULL;