--- /dev/null
+--- utils/gssd/krb5_util.c 2008-10-17 14:20:09.000000000 +0000
++++ utils/gssd/krb5_util.c 2008-11-22 13:52:42.000000000 +0000
+@@ -927,9 +927,37 @@
+ {
+ krb5_error_code ret;
+ krb5_creds creds;
+- krb5_cc_cursor cur;
+ int found = 0;
+
++#ifdef HAVE_HEIMDAL
++ krb5_creds pattern;
++ krb5_realm *client_realm;
++
++ krb5_cc_clear_mcred(&pattern);
++
++ client_realm = krb5_princ_realm (context, principal);
++
++ ret = krb5_make_principal (context, &pattern.server,
++ *client_realm, KRB5_TGS_NAME, *client_realm,
++ NULL);
++ if (ret)
++ krb5_err (context, 1, ret, "krb5_make_principal");
++ pattern.client = principal;
++
++ ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds);
++ krb5_free_principal (context, pattern.server);
++ if (ret) {
++ if (ret == KRB5_CC_END)
++ return 1;
++ krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
++ }
++
++ found = creds.times.endtime > time(NULL);
++
++ krb5_free_cred_contents (context, &creds);
++#else
++ krb5_cc_cursor cur;
++
+ ret = krb5_cc_start_seq_get(context, ccache, &cur);
+ if (ret)
+ return 0;
+@@ -949,6 +977,7 @@
+ krb5_free_cred_contents(context, &creds);
+ }
+ krb5_cc_end_seq_get(context, ccache, &cur);
++#endif
+
+ return found;
+ }
+@@ -995,6 +1024,9 @@
+ }
+ krb5_free_principal(context, principal);
+ err_princ:
++#ifdef HAVE_HEIMDAL
++#define KRB5_TC_OPENCLOSE 0x00000001
++#endif
+ krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);
+ krb5_cc_close(context, ccache);
+ err_cache:
--- /dev/null
+diff -NaurwB nfs-utils-1.1.2.orig/aclocal/kerberos5.m4 nfs-utils-1.1.2/aclocal/kerberos5.m4
+--- nfs-utils-1.1.2.orig/aclocal/kerberos5.m4 2008-03-14 16:46:29.000000000 +0100
++++ nfs-utils-1.1.2/aclocal/kerberos5.m4 2008-06-12 17:13:51.000000000 +0200
+@@ -1,112 +1,48 @@
+-dnl Checks for Kerberos
+-dnl NOTE: while we intend to do generic gss-api, currently we
+-dnl have a requirement to get an initial Kerberos machine
+-dnl credential. Thus, the requirement for Kerberos.
+-dnl The Kerberos gssapi library will be dynamically loaded?
+ AC_DEFUN([AC_KERBEROS_V5],[
++ K5CONFIG="krb5-config"
+ AC_MSG_CHECKING(for Kerberos v5)
+- AC_ARG_WITH(krb5,
+- [AC_HELP_STRING([--with-krb5=DIR], [use Kerberos v5 installation in DIR])],
++ AC_ARG_WITH(krb5-config,
++ [AC_HELP_STRING([--with-krb5-config=PATH], [Full Path to krb5-config.])],
+ [ case "$withval" in
+ yes|no)
+- krb5_with=""
++ K5CONFIG="krb5-config"
+ ;;
+ *)
+- krb5_with="$withval"
++ K5CONFIG="$withval"
+ ;;
+ esac ]
+ )
+
+- for dir in $krb5_with /usr /usr/kerberos /usr/local /usr/local/krb5 \
+- /usr/krb5 /usr/heimdal /usr/local/heimdal /usr/athena ; do
+- dnl This ugly hack brought on by the split installation of
+- dnl MIT Kerberos on Fedora Core 1
+- K5CONFIG=""
+- if test -f $dir/bin/krb5-config; then
+- K5CONFIG=$dir/bin/krb5-config
+- elif test -f "/usr/kerberos/bin/krb5-config"; then
+- K5CONFIG="/usr/kerberos/bin/krb5-config"
+- elif test -f "/usr/lib/mit/bin/krb5-config"; then
+- K5CONFIG="/usr/lib/mit/bin/krb5-config"
+- fi
+ if test "$K5CONFIG" != ""; then
+ KRBCFLAGS=`$K5CONFIG --cflags`
+ KRBLIBS=`$K5CONFIG --libs gssapi`
+- K5VERS=`$K5CONFIG --version | head -n 1 | awk '{split($(4),v,"."); if (v@<:@"3"@:>@ == "") v@<:@"3"@:>@ = "0"; print v@<:@"1"@:>@v@<:@"2"@:>@v@<:@"3"@:>@ }'`
+- AC_DEFINE_UNQUOTED(KRB5_VERSION, $K5VERS, [Define this as the Kerberos version number])
+- if test -f $dir/include/gssapi/gssapi_krb5.h -a \
+- \( -f $dir/lib/libgssapi_krb5.a -o \
+- -f $dir/lib64/libgssapi_krb5.a -o \
+- -f $dir/lib64/libgssapi_krb5.so -o \
+- -f $dir/lib/libgssapi_krb5.so \) ; then
++ if $K5CONFIG --version | grep -q -e heimdal; then
++ K5VERS=`$K5CONFIG --version | head -n 1 | cut -f2 -d ' ' | tr -d '.'`
++ AC_DEFINE(HAVE_HEIMDAL, 1, [Define this if you have Heimdal Kerberos libraries])
++ gssapi_lib=gssapi
++ KRBIMPL="heimdal"
++ elif $K5CONFIG --version | grep -q -e mit; then
++ K5VERS=`$K5CONFIG --version | head -n 1 | cut -f4 -d ' ' | tr -d '.'`
+ AC_DEFINE(HAVE_KRB5, 1, [Define this if you have MIT Kerberos libraries])
+- KRBDIR="$dir"
+- dnl If we are using MIT K5 1.3.1 and before, we *MUST* use the
+- dnl private function (gss_krb5_ccache_name) to get correct
+- dnl behavior of changing the ccache used by gssapi.
+- dnl Starting in 1.3.2, we *DO NOT* want to use
+- dnl gss_krb5_ccache_name, instead we want to set KRB5CCNAME
+- dnl to get gssapi to use a different ccache
+ if test $K5VERS -le 131; then
+ AC_DEFINE(USE_GSS_KRB5_CCACHE_NAME, 1, [Define this if the private function, gss_krb5_cache_name, must be used to tell the Kerberos library which credentials cache to use. Otherwise, this is done by setting the KRB5CCNAME environment variable])
+ fi
+ gssapi_lib=gssapi_krb5
+- break
+- dnl The following ugly hack brought on by the split installation
+- dnl of Heimdal Kerberos on SuSe
+- elif test \( -f $dir/include/heim_err.h -o\
+- -f $dir/include/heimdal/heim_err.h \) -a \
+- -f $dir/lib/libroken.a; then
+- AC_DEFINE(HAVE_HEIMDAL, 1, [Define this if you have Heimdal Kerberos libraries])
+- KRBDIR="$dir"
+- gssapi_lib=gssapi
+- break
+- fi
+- fi
+- done
+- dnl We didn't find a usable Kerberos environment
+- if test "x$KRBDIR" = "x"; then
+- if test "x$krb5_with" = "x"; then
+- AC_MSG_ERROR(Kerberos v5 with GSS support not found: consider --disable-gss or --with-krb5=)
++ KRBIMPL="mit-krb5"
+ else
+- AC_MSG_ERROR(Kerberos v5 with GSS support not found at $krb5_with)
+- fi
++ AC_MSG_ERROR(Unknown Kerberos 5 Implementation. Is neither heimdal or mit-krb5.)
++ KRBIMPL="unknown"
+ fi
+- AC_MSG_RESULT($KRBDIR)
+-
+- dnl Check if -rpath=$(KRBDIR)/lib is needed
+- echo "The current KRBDIR is $KRBDIR"
+- if test "$KRBDIR/lib" = "/lib" -o "$KRBDIR/lib" = "/usr/lib" \
+- -o "$KRBDIR/lib" = "//lib" -o "$KRBDIR/lib" = "/usr//lib" ; then
+- KRBLDFLAGS="";
+- elif /sbin/ldconfig -p | grep > /dev/null "=> $KRBDIR/lib/"; then
+- KRBLDFLAGS="";
+- else
+- KRBLDFLAGS="-Wl,-rpath=$KRBDIR/lib"
++ AC_DEFINE_UNQUOTED(KRB5_VERSION, $K5VERS, [Define this as the Kerberos version number])
+ fi
++ AC_MSG_RESULT($KRBIMPL)
+
+- dnl Now check for functions within gssapi library
+- AC_CHECK_LIB($gssapi_lib, gss_krb5_export_lucid_sec_context,
+- AC_DEFINE(HAVE_LUCID_CONTEXT_SUPPORT, 1, [Define this if the Kerberos GSS library supports gss_krb5_export_lucid_sec_context]), ,$KRBLIBS)
+- AC_CHECK_LIB($gssapi_lib, gss_krb5_set_allowable_enctypes,
+- AC_DEFINE(HAVE_SET_ALLOWABLE_ENCTYPES, 1, [Define this if the Kerberos GSS library supports gss_krb5_set_allowable_enctypes]), ,$KRBLIBS)
+- AC_CHECK_LIB($gssapi_lib, gss_krb5_ccache_name,
+- AC_DEFINE(HAVE_GSS_KRB5_CCACHE_NAME, 1, [Define this if the Kerberos GSS library supports gss_krb5_ccache_name]), ,$KRBLIBS)
+-
+- dnl Check for newer error message facility
+- AC_CHECK_LIB($gssapi_lib, krb5_get_error_message,
+- AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE, 1, [Define this if the function krb5_get_error_message is available]), ,$KRBLIBS)
++ AC_CHECK_LIB($gssapi_lib, gss_krb5_export_lucid_sec_context, AC_DEFINE(HAVE_LUCID_CONTEXT_SUPPORT, 1, [Define this if the Kerberos GSS library supports gss_krb5_export_lucid_sec_context]), ,$KRBLIBS)
++ AC_CHECK_LIB($gssapi_lib, gss_krb5_set_allowable_enctypes, AC_DEFINE(HAVE_SET_ALLOWABLE_ENCTYPES, 1, [Define this if the Kerberos GSS library supports gss_krb5_set_allowable_enctypes]), ,$KRBLIBS)
++ AC_CHECK_LIB($gssapi_lib, gss_krb5_ccache_name, AC_DEFINE(HAVE_GSS_KRB5_CCACHE_NAME, 1, [Define this if the Kerberos GSS library supports gss_krb5_ccache_name]), ,$KRBLIBS)
++ AC_CHECK_LIB($gssapi_lib, krb5_get_error_message, AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE, 1, [Define this if the function krb5_get_error_message is available]), ,$KRBLIBS)
++ AC_CHECK_LIB($gssapi_lib, krb5_get_init_creds_opt_set_addressless, AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS, 1, [Define this if the function krb5_get_init_creds_opt_set_addressless is available]), ,$KRBLIBS)
+
+- dnl Check for function to specify addressless tickets
+- AC_CHECK_LIB($gssapi_lib, krb5_get_init_creds_opt_set_addressless,
+- AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS, 1, [Define this if the function krb5_get_init_creds_opt_set_addressless is available]), ,$KRBLIBS)
+-
+- dnl If they specified a directory and it didn't work, give them a warning
+- if test "x$krb5_with" != "x" -a "$krb5_with" != "$KRBDIR"; then
+- AC_MSG_WARN(Using $KRBDIR instead of requested value of $krb5_with for Kerberos!)
+- fi
+-
+- AC_SUBST([KRBDIR])
+ AC_SUBST([KRBLIBS])
+ AC_SUBST([KRBCFLAGS])
+ AC_SUBST([KRBLDFLAGS])
--- /dev/null
+Index: nfs-utils-1.1.0/utils/gssd/context_lucid.c
+===================================================================
+--- nfs-utils-1.1.0.orig/utils/gssd/context_lucid.c
++++ nfs-utils-1.1.0/utils/gssd/context_lucid.c
+@@ -48,8 +48,10 @@
+ #include "context.h"
+
+ #ifndef OM_uint64
++#ifndef GSSAPI_GSSAPI_H_
+ typedef uint64_t OM_uint64;
+ #endif
++#endif
+
+ static int
+ write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
+@@ -171,10 +173,10 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
+ int retcode = 0;
+
+ printerr(2, "DEBUG: serialize_krb5_ctx: lucid version!\n");
+- maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
++ maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, &ctx,
+ 1, &return_ctx);
+ if (maj_stat != GSS_S_COMPLETE) {
+- pgsserr("gss_export_lucid_sec_context",
++ pgsserr("gss_krb5_export_lucid_sec_context",
+ maj_stat, min_stat, &krb5oid);
+ goto out_err;
+ }
+@@ -198,9 +200,9 @@ serialize_krb5_ctx(gss_ctx_id_t ctx, gss
+ else
+ retcode = prepare_krb5_rfc_cfx_buffer(lctx, buf);
+
+- maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
++ maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, ctx);
+ if (maj_stat != GSS_S_COMPLETE) {
+- pgsserr("gss_export_lucid_sec_context",
++ pgsserr("gss_krb5_export_lucid_sec_context",
+ maj_stat, min_stat, &krb5oid);
+ printerr(0, "WARN: failed to free lucid sec context\n");
+ }
+Index: nfs-utils-1.1.0/utils/gssd/krb5_util.c
+===================================================================
+--- nfs-utils-1.1.0.orig/utils/gssd/krb5_util.c
++++ nfs-utils-1.1.0/utils/gssd/krb5_util.c
+@@ -294,10 +294,10 @@ limit_krb5_enctypes(struct rpc_gss_sec *
+ return -1;
+ }
+
+- maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid,
++ maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, credh,
+ num_enctypes, &enctypes);
+ if (maj_stat != GSS_S_COMPLETE) {
+- pgsserr("gss_set_allowable_enctypes",
++ pgsserr("gss_krb5_set_allowable_enctypes",
+ maj_stat, min_stat, &krb5oid);
+ gss_release_cred(&min_stat, &credh);
+ return -1;
# - should unmount /proc/fs/nfsd and /var/lib/nfs/rpc_pipefs at package
# uninstall (or in service nfs stop)
#
+# Conditional build:
+%bcond_with heimdal # build with Heimdal Kerberos instead of MIT
+#
Summary: Kernel NFS server
Summary(pl.UTF-8): Działający na poziomie jądra serwer NFS
Summary(pt_BR.UTF-8): Os utilitários para o cliente e servidor NFS do Linux
Summary(uk.UTF-8): Утиліти для NFS та демони підтримки для NFS-сервера ядра
Name: nfs-utils
Version: 1.2.0
-Release: 1
+Release: 2
License: GPL v2
Group: Networking/Daemons
Source0: http://www.kernel.org/pub/linux/utils/nfs/%{name}-%{version}.tar.bz2
Patch2: %{name}-keytab-path.patch
Patch3: %{name}-subsys.patch
Patch4: %{name}-union-mount.patch
+Patch5: %{name}-kerberos-ac.patch
+Patch6: %{name}-no_libgssapi.patch
+Patch7: %{name}-pkgconfig_ac.patch
+Patch8: %{name}-heimdal_functions.patch
URL: http://nfs.sourceforge.net/
BuildRequires: autoconf >= 2.59
BuildRequires: automake
BuildRequires: cpp
+%if %{with heimdal}
+BuildRequires: heimdal-devel >= 1.0
+%else
BuildRequires: krb5-devel >= 1.6
+BuildRequires: libgssglue-devel >= 0.1
+%endif
BuildRequires: libblkid-devel
BuildRequires: libevent-devel >= 1.2
-BuildRequires: libgssglue-devel >= 0.1
BuildRequires: libnfsidmap-devel >= 0.21-3
BuildRequires: librpcsecgss-devel >= 0.16
BuildRequires: libtirpc-devel >= 1:0.1.10-4
%setup -q -a1
%patch0 -p1
%patch1 -p1
-%patch2 -p1
+%{!?with_heimdal:%patch2 -p1}
%patch3 -p1
%patch4 -p1
+%if %{with heimdal}
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p0
+%endif
# conflict with GNU stdio extension
sed -i -e 's/dprintf/dbgprintf/' support/include/ha-callout.h utils/statd/*.[ch]
--with-statduser=rpcstatd \
--with-start-statd=%{_sbindir}/start-statd \
--with-tcp-wrappers \
+%if %{with heimdal}
+ --with-krb5-config=%{_bindir}/krb5-config
+%else
--with-krb5=%{_prefix}
+%endif
%{__make} all
projects / packages / nfs-utils.git / commitdiff