- BR: cmocka-devel; noted pac-responder kerberos issue
[packages/sssd.git] / sssd-heimdal.patch
dd3b701a
JB
1--- sssd-1.11.4/Makefile.am.orig 2014-02-17 19:55:32.000000000 +0100
2+++ sssd-1.11.4/Makefile.am 2014-03-16 09:12:48.437424185 +0100
3@@ -1617,8 +1617,19 @@ libsss_krb5_common_la_SOURCES = \
4 src/providers/krb5/krb5_auth.c \
5 src/providers/krb5/krb5_access.c \
6 src/providers/krb5/krb5_child_handler.c \
7- src/providers/krb5/krb5_init_shared.c
8+ src/providers/krb5/krb5_init_shared.c \
9+ src/util/sss_krb5.c \
10+ src/util/find_uid.c
11+
12+libsss_krb5_common_la_LIBADD = \
13+ $(KEYUTILS_LIBS) \
14+ $(SYSTEMD_LOGIN_LIBS) \
15+ $(KRB5_LIBS) \
16+ libsss_debug.la
17+
18 libsss_krb5_common_la_LDFLAGS = \
19+ $(SYSTEMD_LOGIN_CFLAGS) \
20+ $(KRB5_CFLAGS) \
21 -avoid-version
22
23 libsss_ldap_la_SOURCES = \
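Review bot: `libsss_krb5_common_la_LDFLAGS` now carries `$(SYSTEMD_LOGIN_CFLAGS)` and `$(KRB5_CFLAGS)`, which are compiler flags and are not applied when compiling the two sources this hunk moves into the library (`src/util/sss_krb5.c`, `src/util/find_uid.c`). They belong in a per-target CFLAGS variable, e.g. `libsss_krb5_common_la_CFLAGS = $(AM_CFLAGS) $(SYSTEMD_LOGIN_CFLAGS) $(KRB5_CFLAGS)`, leaving LDFLAGS as `-avoid-version`. If the library already has a `_CFLAGS` definition outside this hunk, extend that one instead.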
24@@ -1672,15 +1683,12 @@ libsss_simple_la_LDFLAGS = \
25 -module
26
27 libsss_krb5_la_SOURCES = \
28- src/providers/krb5/krb5_init.c \
29- src/util/find_uid.c \
30- src/util/sss_krb5.c
31+ src/providers/krb5/krb5_init.c
32 libsss_krb5_la_CFLAGS = \
33 $(AM_CFLAGS) \
34 $(DHASH_CFLAGS)
35 libsss_krb5_la_LIBADD = \
36 $(DHASH_LIBS) \
37- $(KEYUTILS_LIBS) \
38 $(KRB5_LIBS) \
39 libsss_krb5_common.la
40 libsss_krb5_la_LDFLAGS = \
41@@ -1720,12 +1728,10 @@ libsss_ipa_la_SOURCES = \
42 src/providers/ad/ad_srv.c \
43 src/providers/ad/ad_domain_info.c \
44 src/util/user_info_msg.c \
45- src/util/find_uid.c \
46- src/util/sss_ldap.c \
47- src/util/sss_krb5.c
48+ src/util/sss_ldap.c
49 libsss_ipa_la_CFLAGS = \
50 $(AM_CFLAGS) \
51- $(LDAP_CFLAGS) \
52+ $(OPENLDAP_CFLAGS) \
53 $(DHASH_CFLAGS) \
54 $(NDR_NBT_CFLAGS) \
55 $(KRB5_CFLAGS)
56@@ -1733,7 +1739,6 @@ libsss_ipa_la_LIBADD = \
57 $(OPENLDAP_LIBS) \
58 $(DHASH_LIBS) \
59 $(NDR_NBT_LIBS) \
60- $(KEYUTILS_LIBS) \
61 $(KRB5_LIBS) \
62 libsss_ldap_common.la \
63 libsss_krb5_common.la \
64@@ -1772,21 +1777,20 @@ libsss_ad_la_SOURCES = \
65 src/providers/ad/ad_subdomains.h \
66 src/providers/ad/ad_domain_info.c \
67 src/providers/ad/ad_domain_info.h \
68- src/util/find_uid.c \
69 src/util/user_info_msg.c \
70- src/util/sss_krb5.c \
71 src/util/sss_ldap.c
72
73 libsss_ad_la_CFLAGS = \
74 $(AM_CFLAGS) \
75- $(LDAP_CFLAGS) \
76+ $(OPENLDAP_CFLAGS) \
77+ $(SASL_CFLAGS) \
78 $(DHASH_CFLAGS) \
79 $(KRB5_CFLAGS) \
80 $(NDR_NBT_CFLAGS)
81 libsss_ad_la_LIBADD = \
82 $(OPENLDAP_LIBS) \
83+ $(SASL_LIBS) \
84 $(DHASH_LIBS) \
85- $(KEYUTILS_LIBS) \
86 $(KRB5_LIBS) \
87 $(NDR_NBT_LIBS) \
88 libsss_ldap_common.la \
89diff --git a/configure.ac b/configure.ac
90index 9934b50..a46e26d 100644
91--- a/configure.ac
92+++ b/configure.ac
93@@ -262,7 +262,7 @@ fi
94
95 AM_CHECK_INOTIFY
96
97-AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers]))
98+PKG_CHECK_MODULES([SASL], [libsasl2], [], [AC_MSG_ERROR([Could not find SASL library])])
99
100 AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))],
101 sss_client_cv_attribute_destructor,
102diff --git a/src/external/krb5.m4 b/src/external/krb5.m4
103index 1a50bf1..54c5883 100644
104--- a/src/external/krb5.m4
105+++ b/src/external/krb5.m4
106@@ -37,8 +37,8 @@ SAVE_CFLAGS=$CFLAGS
107 SAVE_LIBS=$LIBS
108 CFLAGS="$CFLAGS $KRB5_CFLAGS"
109 LIBS="$LIBS $KRB5_LIBS"
110-AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
111-AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info], [], [],
112+AC_CHECK_HEADERS([krb5.h krb5/krb5.h profile.h])
113+AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info, krb5_authdatatype], [], [],
114 [ #ifdef HAVE_KRB5_KRB5_H
115 #include <krb5/krb5.h>
116 #else
117@@ -46,6 +46,7 @@ AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info], [], [],
118 #endif
119 ])
120 AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
121+ krb5_unparse_name_ext \
122 krb5_free_unparsed_name \
123 krb5_get_init_creds_opt_set_expire_callback \
124 krb5_get_init_creds_opt_set_fast_ccache_name \
125@@ -59,12 +60,33 @@ AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
126 krb5_kt_free_entry \
127 krb5_princ_realm \
128 krb5_get_time_offsets \
129+ krb5_get_kdc_sec_offset \
130 krb5_principal_get_realm \
131 krb5_cc_cache_match \
132 krb5_timestamp_to_sfstring \
133 krb5_set_trace_callback \
134 krb5_find_authdata \
135- krb5_cc_get_full_name])
136+ krb5_cc_get_full_name \
137+ krb5_free_string \
138+ krb5_xfree])
139+
140+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
141+ #include <krb5/krb5.h>
142+ #else
143+ #include <krb5.h>
144+ #endif
145+ ]],
146+ [[ krb5_get_init_creds_opt_set_canonicalize(NULL, 0); ]])],
147+ [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [2], [number of arguments])])
148+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
149+ #include <krb5/krb5.h>
150+ #else
151+ #include <krb5.h>
152+ #endif
153+ ]],
154+ [[ krb5_get_init_creds_opt_set_canonicalize(NULL, NULL, 0); ]])],
155+ [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [3], [number of arguments])])
156+
157 CFLAGS=$SAVE_CFLAGS
158 LIBS=$SAVE_LIBS
159
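Review bot: The two `AC_COMPILE_IFELSE` probes for `krb5_get_init_creds_opt_set_canonicalize` run independently, so nothing guarantees that exactly one of them defines `KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS`. With a compiler that only warns about an undeclared or unprototyped call, both may succeed and the later `[3]` would presumably win. If neither succeeds, the macro stays undefined and sss_krb5.c falls through to the branch that only logs that canonicalization is unavailable. Running the three-argument probe in the failure action (third argument) of the two-argument probe makes the result unambiguous. An `AC_MSG_CHECKING`/`AC_MSG_RESULT` pair would also record in config.log which form was selected.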
160diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
161index 725687d..586c7dd 100644
162--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
163+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
164@@ -340,6 +340,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
165 switch (socktype) {
166 case SOCK_STREAM:
167 case SOCK_DGRAM:
168+ case 0: /* any */
f74665dc 169 break;
dd3b701a
JB
170 default:
171 return KRB5_PLUGIN_NO_HANDLE;
172@@ -374,7 +375,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
173 ai->ai_family, ai->ai_socktype));
174
175 if ((family == AF_UNSPEC || ai->ai_family == family) &&
176- ai->ai_socktype == socktype) {
177+ (ai->ai_socktype == socktype || socktype == 0)) {
178
179 ret = cbfunc(cbdata, socktype, ai->ai_addr);
180 if (ret != 0) {
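Review bot: With the new `socktype == 0` match, `cbfunc(cbdata, socktype, ai->ai_addr)` hands the callback a socket type of 0 for every address instead of the type the resolver returned for that entry. Passing the per-entry value, `ret = cbfunc(cbdata, ai->ai_socktype, ai->ai_addr);`, keeps the callback's input concrete whether or not the caller asked for "any". Whether the Kerberos library tolerates 0 in that argument is not visible from this page, and the loop body continues past the end of the hunk.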
181diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
182index ab62d64..7b9e513 100644
183--- a/src/providers/ad/ad_common.c
184+++ b/src/providers/ad/ad_common.c
185@@ -525,7 +525,7 @@ errno_t
186 ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
187 const char *primary_servers,
188 const char *backup_servers,
189- const char *krb5_realm,
190+ const char *krb5_realm_str,
191 const char *ad_service,
192 const char *ad_gc_service,
193 const char *ad_domain,
194@@ -585,13 +585,13 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
195 service->sdap->kinit_service_name = service->krb5_service->name;
196 service->gc->kinit_service_name = service->krb5_service->name;
197
198- if (!krb5_realm) {
199+ if (!krb5_realm_str) {
200 DEBUG(SSSDBG_CRIT_FAILURE, ("No Kerberos realm set\n"));
201 ret = EINVAL;
202 goto done;
203 }
204 service->krb5_service->realm =
205- talloc_strdup(service->krb5_service, krb5_realm);
206+ talloc_strdup(service->krb5_service, krb5_realm_str);
207 if (!service->krb5_service->realm) {
208 ret = ENOMEM;
209 goto done;
210@@ -795,7 +795,7 @@ ad_set_ad_id_options(struct ad_options *ad_opts,
211 struct sdap_options *id_opts)
212 {
213 errno_t ret;
214- char *krb5_realm;
215+ char *krb5_realm_str;
216 char *keytab_path;
217
218 /* We only support Kerberos password policy with AD, so
219@@ -810,20 +810,20 @@ ad_set_ad_id_options(struct ad_options *ad_opts,
220 }
221
222 /* Set the Kerberos Realm for GSSAPI */
223- krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
224- if (!krb5_realm) {
225+ krb5_realm_str = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
226+ if (!krb5_realm_str) {
227 /* Should be impossible, this is set in ad_get_common_options() */
228 DEBUG(SSSDBG_FATAL_FAILURE, ("No Kerberos realm\n"));
229 ret = EINVAL;
230 goto done;
231 }
232
233- ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm);
234+ ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm_str);
235 if (ret != EOK) goto done;
236 DEBUG(SSSDBG_CONF_SETTINGS,
237 ("Option %s set to %s\n",
238 id_opts->basic[SDAP_KRB5_REALM].opt_name,
239- krb5_realm));
240+ krb5_realm_str));
241
242 keytab_path = dp_opt_get_string(ad_opts->basic, AD_KEYTAB);
243 if (keytab_path) {
244@@ -983,7 +983,7 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
245 errno_t ret;
246 struct dp_option *krb5_options;
247 const char *ad_servers;
248- const char *krb5_realm;
249+ const char *krb5_realm_str;
250
251 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
252 if (!tmp_ctx) return ENOMEM;
253@@ -1010,8 +1010,8 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
254
255 /* Set krb5 realm */
256 /* Set the Kerberos Realm for GSSAPI */
257- krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
258- if (!krb5_realm) {
259+ krb5_realm_str = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
260+ if (!krb5_realm_str) {
261 /* Should be impossible, this is set in ad_get_common_options() */
262 DEBUG(SSSDBG_FATAL_FAILURE, ("No Kerberos realm\n"));
263 ret = EINVAL;
264@@ -1021,12 +1021,12 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
265 /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
266 * been upper-cased in ad_common_options()
267 */
268- ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
269+ ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm_str);
270 if (ret != EOK) goto done;
271 DEBUG(SSSDBG_CONF_SETTINGS,
272 ("Option %s set to %s\n",
273 krb5_options[KRB5_REALM].opt_name,
274- krb5_realm));
275+ krb5_realm_str));
276
277 /* Set flag that controls whether we want to write the
278 * kdcinfo files at all
279diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
280index 42cfbbf..073c50e 100644
281--- a/src/providers/krb5/krb5_child.c
282+++ b/src/providers/krb5/krb5_child.c
283@@ -77,7 +77,7 @@ static krb5_error_code get_changepw_options(krb5_context ctx,
284 return kerr;
285 }
286
287- sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
288+ sss_krb5_get_init_creds_opt_set_canonicalize(ctx, options, 0);
289 krb5_get_init_creds_opt_set_forwardable(options, 0);
290 krb5_get_init_creds_opt_set_proxiable(options, 0);
291 krb5_get_init_creds_opt_set_renew_life(options, 0);
292@@ -88,6 +88,7 @@ static krb5_error_code get_changepw_options(krb5_context ctx,
293 return 0;
294 }
295
296+#ifdef HAVE_PAC_RESPONDER
297 static errno_t sss_send_pac(krb5_authdata **pac_authdata)
298 {
299 struct sss_cli_req_data sss_data;
300@@ -107,6 +108,7 @@ static errno_t sss_send_pac(krb5_authdata **pac_authdata)
301
302 return EOK;
303 }
304+#endif /* HAVE_PAC_RESPONDER */
305
306 static void sss_krb5_expire_callback_func(krb5_context context, void *data,
307 krb5_timestamp password_expiration,
308@@ -395,7 +397,8 @@ static krb5_error_code create_empty_cred(krb5_context ctx, krb5_principal princ,
309 {
310 krb5_error_code kerr;
311 krb5_creds *cred = NULL;
312- krb5_data *krb5_realm;
313+ const char *realm_name;
314+ int realm_length;
315
316 cred = calloc(sizeof(krb5_creds), 1);
317 if (cred == NULL) {
318@@ -409,12 +412,12 @@ static krb5_error_code create_empty_cred(krb5_context ctx, krb5_principal princ,
319 goto done;
320 }
321
322- krb5_realm = krb5_princ_realm(ctx, princ);
323+ sss_krb5_princ_realm(ctx, princ, &realm_name, &realm_length);
324
325 kerr = krb5_build_principal_ext(ctx, &cred->server,
326- krb5_realm->length, krb5_realm->data,
327+ realm_length, realm_name,
328 KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
329- krb5_realm->length, krb5_realm->data, 0);
330+ realm_length, realm_name, 0);
331 if (kerr != 0) {
332 DEBUG(1, ("krb5_build_principal_ext failed.\n"));
333 goto done;
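Review bot: `realm_name` and `realm_length` are declared without initializers in the previous hunk and are passed to `krb5_build_principal_ext()` here right after `sss_krb5_princ_realm()`, with no check that the wrapper filled them in. The wrapper's definition is not on this page, so whether it can leave them unset or yield a NULL realm is an assumption to confirm. Initializing them (`const char *realm_name = NULL;`, `int realm_length = 0;`) and taking the error path when `realm_name == NULL` would make that failure explicit. The same pattern appears in the `k5c_setup_fast` hunk further down, where the values go straight into `talloc_asprintf(kr, "%.*s", ...)`.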
334@@ -670,7 +673,8 @@ static errno_t add_ticket_times_and_upn_to_response(struct krb5_req *kr)
335 goto done;
336 }
337
338- kerr = krb5_unparse_name_ext(kr->ctx, kr->creds->client, &upn, &upn_len);
339+ kerr = sss_krb5_unparse_name_ext(kr->ctx, kr->creds->client,
340+ &upn, &upn_len);
341 if (kerr != 0) {
342 DEBUG(SSSDBG_OP_FAILURE, ("krb5_unparse_name failed.\n"));
343 goto done;
344@@ -678,7 +682,7 @@ static errno_t add_ticket_times_and_upn_to_response(struct krb5_req *kr)
345
346 ret = pam_add_response(kr->pd, SSS_KRB5_INFO_UPN, upn_len,
347 (uint8_t *) upn);
348- krb5_free_unparsed_name(kr->ctx, upn);
349+ sss_krb5_free_unparsed_name(kr->ctx, upn);
350 if (ret != EOK) {
351 DEBUG(1, ("pack_response_packet failed.\n"));
352 goto done;
353@@ -700,7 +704,9 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
354 krb5_principal validation_princ = NULL;
355 bool realm_entry_found = false;
356 krb5_ccache validation_ccache = NULL;
357+#ifdef HAVE_PAC_RESPONDER
358 krb5_authdata **pac_authdata = NULL;
359+#endif
360
361 memset(&keytab, 0, sizeof(keytab));
362 kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
363@@ -794,6 +800,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
364 goto done;
365 }
366
367+#ifdef HAVE_PAC_RESPONDER
368 /* Try to find and send the PAC to the PAC responder.
369 * Failures are not critical. */
370 if (kr->send_pac) {
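Review bot: When the build lacks `HAVE_PAC_RESPONDER`, the whole `if (kr->send_pac)` block compiles away, so a request that asked for the PAC to be forwarded is dropped without any log entry. An `#else` branch before the `#endif` added in the next hunk, e.g. `if (kr->send_pac) { DEBUG(SSSDBG_MINOR_FAILURE, ("PAC responder support not built, PAC not sent.\n")); }`, would make that visible to whoever is diagnosing missing authorization data. The guarded block's body lies between this hunk and the next and is not shown.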
371@@ -816,6 +823,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
372 kerr = 0;
f74665dc 373 }
dd3b701a
JB
374 }
375+#endif /* HAVE_PAC_RESPONDER */
376
377 done:
378 if (validation_ccache != NULL) {
379@@ -836,7 +844,8 @@ done:
380
381 }
382
383-static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts)
384+static void krb5_set_canonicalize(krb5_context ctx,
385+ krb5_get_init_creds_opt *opts)
386 {
387 int canonicalize = 0;
388 char *tmp_str;
389@@ -847,7 +856,7 @@ static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts)
390 }
391 DEBUG(SSSDBG_CONF_SETTINGS, ("%s is set to [%s]\n",
392 SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set"));
393- sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
394+ sss_krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);
395 }
396
397 static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
398@@ -865,7 +874,7 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
399 krb5_get_init_creds_opt_set_address_list(&options, NULL);
400 krb5_get_init_creds_opt_set_forwardable(&options, 0);
401 krb5_get_init_creds_opt_set_proxiable(&options, 0);
402- krb5_set_canonicalize(&options);
403+ krb5_set_canonicalize(ctx, &options);
f74665dc 404
dd3b701a
JB
405 kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
406 &options);
407@@ -1094,9 +1103,9 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
408
409 memset(&result_code_string, 0, sizeof(krb5_data));
410 memset(&result_string, 0, sizeof(krb5_data));
411- kerr = krb5_change_password(kr->ctx, kr->creds,
412- discard_const(newpassword), &result_code,
413- &result_code_string, &result_string);
414+ kerr = krb5_set_password(kr->ctx, kr->creds,
415+ discard_const(newpassword), NULL,
416+ &result_code, &result_code_string, &result_string);
417
418 if (kerr == KRB5_KDC_UNREACH) {
419 return ERR_NETWORK_IO;
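Review bot: `krb5_change_password()` is replaced by `krb5_set_password()` for every build, not only Heimdal ones; there is no configure check or `#ifdef` around the new call in this hunk. Passing NULL as the target principal presumably keeps the change on the credential's own principal, but that equivalence should be confirmed for each Kerberos implementation the package is built against. The DEBUG strings in the following two hunks still read `krb5_change_password failed`, which will mislead anyone reading the logs; `krb5_set_password failed` matches the call now made.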
420@@ -1109,7 +1118,8 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
421
422 if (result_code_string.length > 0) {
423 DEBUG(1, ("krb5_change_password failed [%d][%.*s].\n", result_code,
424- result_code_string.length, result_code_string.data));
425+ (int) result_code_string.length,
426+ (char *) result_code_string.data));
427 user_error_message = talloc_strndup(kr->pd, result_code_string.data,
428 result_code_string.length);
429 if (user_error_message == NULL) {
430@@ -1117,9 +1127,11 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
431 }
f74665dc 432 }
dd3b701a
JB
433
434- if (result_string.length > 0 && result_string.data[0] != '\0') {
435+ if (result_string.length > 0 &&
436+ ((char *) result_string.data)[0] != '\0') {
437 DEBUG(1, ("krb5_change_password failed [%d][%.*s].\n", result_code,
438- result_string.length, result_string.data));
439+ (int) result_string.length,
440+ (char *) result_string.data));
441 talloc_free(user_error_message);
442 user_error_message = talloc_strndup(kr->pd, result_string.data,
443 result_string.length);
444@@ -1695,7 +1707,8 @@ static errno_t k5c_recv_data(struct krb5_req *kr, int fd, uint32_t *offline)
445 static int k5c_setup_fast(struct krb5_req *kr, char *lifetime_str, bool demand)
f74665dc 446 {
dd3b701a
JB
447 krb5_principal fast_princ_struct;
448- krb5_data *realm_data;
449+ const char *realm_name;
450+ int realm_length;
451 char *fast_principal_realm;
452 char *fast_principal;
f74665dc 453 krb5_error_code kerr;
dd3b701a
JB
454@@ -1726,8 +1739,11 @@ static int k5c_setup_fast(struct krb5_req *kr, char *lifetime_str, bool demand)
455 return KRB5KRB_ERR_GENERIC;
456 }
457 free(tmp_str);
458- realm_data = krb5_princ_realm(kr->ctx, fast_princ_struct);
459- fast_principal_realm = talloc_asprintf(kr, "%.*s", realm_data->length, realm_data->data);
460+ sss_krb5_princ_realm(kr->ctx, fast_princ_struct,
461+ &realm_name, &realm_length);
462+
463+ fast_principal_realm = talloc_asprintf(kr, "%.*s",
464+ realm_length, realm_name);
465 if (!fast_principal_realm) {
466 DEBUG(1, ("talloc_asprintf failed.\n"));
467 return ENOMEM;
468@@ -1889,7 +1905,7 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
469 }
470
471 if (!offline) {
472- krb5_set_canonicalize(kr->options);
473+ krb5_set_canonicalize(kr->ctx, kr->options);
474
475 use_fast_str = getenv(SSSD_KRB5_USE_FAST);
476 if (use_fast_str == NULL || strcasecmp(use_fast_str, "never") == 0) {
477diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
478index c40f0dd..4ab359e 100644
479--- a/src/providers/krb5/krb5_common.c
480+++ b/src/providers/krb5/krb5_common.c
481@@ -33,7 +33,7 @@
482 #include "providers/krb5/krb5_opts.h"
483 #include "providers/krb5/krb5_utils.h"
484
485-#ifdef HAVE_KRB5_CC_COLLECTION
486+#ifdef HAVE_PROFILE_H
487 /* krb5 profile functions */
488 #include <profile.h>
489 #endif
490@@ -91,7 +91,7 @@ done:
491 return ret;
492 }
493
494-#ifdef HAVE_KRB5_CC_COLLECTION
495+#ifdef HAVE_PROFILE_H
496 /* source default_ccache_name from krb5.conf */
497 static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
498 char **ccname)
499@@ -895,7 +895,7 @@ errno_t krb5_install_offline_callback(struct be_ctx *be_ctx,
500 {
501 int ret;
502 struct remove_info_files_ctx *ctx;
503- const char *krb5_realm;
504+ const char *krb5_realm_str;
505
506 if (krb5_ctx->service == NULL || krb5_ctx->service->name == NULL) {
507 DEBUG(1, ("Missing KDC service name!\n"));
508@@ -908,14 +908,14 @@ errno_t krb5_install_offline_callback(struct be_ctx *be_ctx,
509 return ENOMEM;
510 }
511
512- krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
513- if (krb5_realm == NULL) {
514+ krb5_realm_str = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
515+ if (krb5_realm_str == NULL) {
516 DEBUG(1, ("Missing krb5_realm option!\n"));
517 ret = EINVAL;
518 goto done;
519 }
520
521- ctx->realm = talloc_strdup(ctx, krb5_realm);
522+ ctx->realm = talloc_strdup(ctx, krb5_realm_str);
523 if (ctx->realm == NULL) {
524 DEBUG(1, ("talloc_strdup failed!\n"));
525 ret = ENOMEM;
526@@ -950,19 +950,19 @@ done:
527 errno_t krb5_install_sigterm_handler(struct tevent_context *ev,
528 struct krb5_ctx *krb5_ctx)
529 {
530- const char *krb5_realm;
531+ const char *krb5_realm_str;
532 char *sig_realm;
533 struct tevent_signal *sige;
534
535 BlockSignals(false, SIGTERM);
536
537- krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
538- if (krb5_realm == NULL) {
539+ krb5_realm_str = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
540+ if (krb5_realm_str == NULL) {
541 DEBUG(1, ("Missing krb5_realm option!\n"));
542 return EINVAL;
543 }
544
545- sig_realm = talloc_strdup(krb5_ctx, krb5_realm);
546+ sig_realm = talloc_strdup(krb5_ctx, krb5_realm_str);
547 if (sig_realm == NULL) {
548 DEBUG(1, ("talloc_strdup failed!\n"));
549 return ENOMEM;
550diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c
551index 91f701a..fb7304b 100644
552--- a/src/providers/krb5/krb5_init.c
553+++ b/src/providers/krb5/krb5_init.c
554@@ -64,7 +64,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
555 const char *krb5_backup_servers;
556 const char *krb5_kpasswd_servers;
557 const char *krb5_backup_kpasswd_servers;
558- const char *krb5_realm;
559+ const char *krb5_realm_str;
560 const char *errstr;
561 int errval;
562 int errpos;
563@@ -103,15 +103,15 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
564 krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
565 krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC);
566
567- krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM);
568- if (krb5_realm == NULL) {
569+ krb5_realm_str = dp_opt_get_string(ctx->opts, KRB5_REALM);
570+ if (krb5_realm_str == NULL) {
571 DEBUG(0, ("Missing krb5_realm option!\n"));
572 return EINVAL;
573 }
574
575 ret = krb5_service_init(ctx, bectx,
576 SSS_KRB5KDC_FO_SRV, krb5_servers,
577- krb5_backup_servers, krb5_realm,
578+ krb5_backup_servers, krb5_realm_str,
579 dp_opt_get_bool(krb5_options->opts,
580 KRB5_USE_KDCINFO),
581 &ctx->service);
582@@ -137,7 +137,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx,
583 } else {
584 ret = krb5_service_init(ctx, bectx,
585 SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers,
586- krb5_backup_kpasswd_servers, krb5_realm,
587+ krb5_backup_kpasswd_servers, krb5_realm_str,
588 dp_opt_get_bool(krb5_options->opts,
589 KRB5_USE_KDCINFO),
590 &ctx->kpasswd_service);
591diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
592index 19c838d..16f724b 100644
593--- a/src/providers/ldap/ldap_child.c
594+++ b/src/providers/ldap/ldap_child.c
595@@ -97,7 +97,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
596
597 /* ticket lifetime */
598 SAFEALIGN_COPY_INT32_CHECK(&ibuf->lifetime, buf + p, size, &p);
599- DEBUG(SSSDBG_TRACE_LIBS, ("lifetime: %d\n", ibuf->lifetime));
600+ DEBUG(SSSDBG_TRACE_LIBS, ("lifetime: %d\n", (int)ibuf->lifetime));
601
602 return EOK;
603 }
604@@ -310,7 +310,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
605 DEBUG(SSSDBG_CONF_SETTINGS, ("Will canonicalize principals\n"));
606 canonicalize = 1;
607 }
608- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
609+ sss_krb5_get_init_creds_opt_set_canonicalize(context,
610+ &options, canonicalize);
611
612 krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
613 keytab, 0, NULL, &options);
614@@ -343,8 +344,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
615 }
616 DEBUG(SSSDBG_TRACE_INTERNAL, ("credentials stored\n"));
617
618-#ifdef HAVE_KRB5_GET_TIME_OFFSETS
619- krberr = krb5_get_time_offsets(context, &kdc_time_offset,
620+ krberr = sss_krb5_get_time_offsets(context, &kdc_time_offset,
621 &kdc_time_offset_usec);
622 if (krberr) {
623 DEBUG(SSSDBG_OP_FAILURE, ("Failed to get KDC time offset: %s\n",
624@@ -356,10 +356,6 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
625 }
626 }
627 DEBUG(SSSDBG_TRACE_INTERNAL, ("Got KDC time offset\n"));
628-#else
629- /* If we don't have this function, just assume no offset */
630- kdc_time_offset = 0;
631-#endif
f74665dc 632
633 krberr = 0;
634 *ccname_out = ccname;
dd3b701a
JB
635diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
636index b3a048c..a50a072 100644
637--- a/src/providers/ldap/ldap_common.c
638+++ b/src/providers/ldap/ldap_common.c
639@@ -1261,7 +1261,7 @@ done:
640 static const char *
641 sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
642 {
643- char *krb5_realm = NULL;
644+ char *krb5_realm_str = NULL;
645 const char *realm = NULL;
646 krb5_error_code krberr;
647 krb5_context context = NULL;
648@@ -1272,15 +1272,15 @@ sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
649 goto done;
650 }
f74665dc 651
dd3b701a
JB
652- krberr = krb5_get_default_realm(context, &krb5_realm);
653+ krberr = krb5_get_default_realm(context, &krb5_realm_str);
654 if (krberr) {
655 DEBUG(2, ("Failed to get default realm name: %s\n",
656 sss_krb5_get_error_message(context, krberr)));
657 goto done;
658 }
659
660- realm = talloc_strdup(mem_ctx, krb5_realm);
661- krb5_free_default_realm(context, krb5_realm);
662+ realm = talloc_strdup(mem_ctx, krb5_realm_str);
663+ krb5_free_default_realm(context, krb5_realm_str);
664 if (!realm) {
665 DEBUG(0, ("Out of memory\n"));
666 goto done;
667@@ -1301,7 +1301,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
668 int ret;
669 const char *krb5_servers;
670 const char *krb5_backup_servers;
671- const char *krb5_realm;
672+ const char *krb5_realm_str;
673 const char *krb5_opt_realm;
674 struct krb5_service *service = NULL;
675 TALLOC_CTX *tmp_ctx;
676@@ -1315,15 +1315,15 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
677 krb5_opt_realm = dp_opt_get_string(opts, SDAP_KRB5_REALM);
678 if (krb5_opt_realm == NULL) {
679 DEBUG(2, ("Missing krb5_realm option, will use libkrb default\n"));
680- krb5_realm = sdap_gssapi_get_default_realm(tmp_ctx);
681- if (krb5_realm == NULL) {
682+ krb5_realm_str = sdap_gssapi_get_default_realm(tmp_ctx);
683+ if (krb5_realm_str == NULL) {
684 DEBUG(0, ("Cannot determine the Kerberos realm, aborting\n"));
685 ret = EIO;
686 goto done;
f74665dc 687 }
dd3b701a
JB
688 } else {
689- krb5_realm = talloc_strdup(tmp_ctx, krb5_opt_realm);
690- if (krb5_realm == NULL) {
691+ krb5_realm_str = talloc_strdup(tmp_ctx, krb5_opt_realm);
692+ if (krb5_realm_str == NULL) {
693 ret = ENOMEM;
694 goto done;
f74665dc 695 }
dd3b701a 696@@ -1331,7 +1331,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
f74665dc 697
dd3b701a
JB
698 ret = krb5_service_init(mem_ctx, bectx,
699 SSS_KRB5KDC_FO_SRV, krb5_servers,
700- krb5_backup_servers, krb5_realm,
701+ krb5_backup_servers, krb5_realm_str,
702 dp_opt_get_bool(opts,
703 SDAP_KRB5_USE_KDCINFO),
704 &service);
705@@ -1340,14 +1340,14 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
706 goto done;
707 }
708
709- ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm);
710+ ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm_str);
711 if (ret != EOK) {
712 DEBUG(0, ("Failed to install sigterm handler\n"));
713 goto done;
714 }
715
716 ret = sdap_install_offline_callback(mem_ctx, bectx,
717- krb5_realm, SSS_KRB5KDC_FO_SRV);
718+ krb5_realm_str, SSS_KRB5KDC_FO_SRV);
719 if (ret != EOK) {
720 DEBUG(0, ("Failed to install sigterm handler\n"));
721 goto done;
722diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c
723index dd4cc75..9c09e33 100644
724--- a/src/tests/dlopen-tests.c
725+++ b/src/tests/dlopen-tests.c
726@@ -80,6 +80,8 @@ struct so {
727 LIBPFX"libsss_ipa.so", NULL } },
728 { "libsss_krb5.so", { LIBPFX"libdlopen_test_providers.so",
729 LIBPFX"libsss_krb5.so", NULL } },
730+ { "libsss_krb5_common.so", { LIBPFX"libdlopen_test_providers.so",
731+ LIBPFX"libsss_krb5_common.so", NULL } },
732 { "libsss_ldap.so", { LIBPFX"libdlopen_test_providers.so",
733 LIBPFX"libsss_ldap.so", NULL } },
734 { "libsss_proxy.so", { LIBPFX"libdlopen_test_providers.so",
735diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
736index 0c6b68b..102827e 100644
737--- a/src/tests/krb5_child-test.c
738+++ b/src/tests/krb5_child-test.c
739@@ -290,17 +290,17 @@ child_done(struct tevent_req *req)
740 static void
741 printtime(krb5_timestamp ts)
742 {
743+#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING
744 krb5_error_code kret;
745 char timestring[BUFSIZ];
746 char fill = '\0';
747
748-#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING
749 kret = krb5_timestamp_to_sfstring(ts, timestring, BUFSIZ, &fill);
750 if (kret) {
751 KRB5_CHILD_TEST_DEBUG(SSSDBG_OP_FAILURE, kret);
752 }
753 printf("%s", timestring);
754-#else
755+#elif defined(HAVE_KRB5_FORMAT_TIME)
756 printf("%s", ctime(&ts));
757 #endif /* HAVE_KRB5_TIMESTAMP_TO_SFSTRING */
758 }
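Review bot: The fallback branch is now gated on `HAVE_KRB5_FORMAT_TIME`, but it calls `ctime()`, not `krb5_format_time()`, and none of the krb5.m4 hunks on this page adds a check that would define that macro. If it is never defined, `printtime()` prints nothing and `ts` goes unused, so a plain `#else` would keep the fallback reachable. Separately, `ctime(&ts)` passes a `krb5_timestamp *` where `const time_t *` is expected, which reads past the object on a library where `krb5_timestamp` is narrower than `time_t`. Using `time_t t = ts; printf("%s", ctime(&t));` avoids that.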
759@@ -333,8 +333,8 @@ print_creds(krb5_context kcontext, krb5_creds *cred, const char *defname)
760 }
f74665dc 761
762 done:
dd3b701a
JB
763- krb5_free_unparsed_name(kcontext, name);
764- krb5_free_unparsed_name(kcontext, sname);
765+ sss_krb5_free_unparsed_name(kcontext, name);
766+ sss_krb5_free_unparsed_name(kcontext, sname);
767 }
768
769 static errno_t
770@@ -381,7 +381,7 @@ print_ccache(const char *cc)
771 ret = EOK;
772 done:
773 krb5_cc_close(kcontext, cache);
774- krb5_free_unparsed_name(kcontext, defname);
775+ sss_krb5_free_unparsed_name(kcontext, defname);
776 krb5_free_principal(kcontext, princ);
777 krb5_free_context(kcontext);
778 return ret;
779diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
780index f8a7e6f..a954d10 100644
781--- a/src/util/sss_krb5.c
782+++ b/src/util/sss_krb5.c
783@@ -535,7 +535,9 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
784
785 void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
786 {
787-#ifdef HAVE_KRB5_FREE_UNPARSED_NAME
788+#ifdef HAVE_KRB5_XFREE
789+ krb5_xfree(name);
790+#elif HAVE_KRB5_FREE_UNPARSED_NAME
791 krb5_free_unparsed_name(context, name);
792 #else
793 if (name != NULL) {
794@@ -545,6 +547,15 @@ void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
795 #endif
796 }
797
798+void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val)
799+{
800+/* TODO: ensure at least on is available in krb5.m4 */
801+#ifdef HAVE_KRB5_FREE_STRING
802+ krb5_free_string(ctx, val);
803+#elif HAVE_KRB5_XFREE
804+ (void) krb5_xfree(val);
805+#endif
806+}
807
808 krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_expire_callback(
809 krb5_context context,
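Review bot: `sss_krb5_free_string()` compiles to an empty body when neither `HAVE_KRB5_FREE_STRING` nor `HAVE_KRB5_XFREE` is defined, so the string is silently leaked; the TODO above it acknowledges the gap. Until krb5.m4 enforces that one of the two exists, close the chain with `#else` followed by `#error "no krb5 string free function available"` so the misconfiguration fails at build time. The `#elif HAVE_KRB5_XFREE` here and the `#elif HAVE_KRB5_FREE_UNPARSED_NAME` in the previous hunk test the macro's value rather than `defined(...)`, unlike the `#ifdef` lines beside them.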
810@@ -800,15 +811,16 @@ cleanup:
811 #endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */
812 }
813
814-void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
815+void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx,
816+ krb5_get_init_creds_opt *opts,
817 int canonicalize)
818 {
819- /* FIXME: The extra check for HAVE_KRB5_TICKET_TIMES is a workaround due to Heimdal
820- * defining krb5_get_init_creds_opt_set_canonicalize() with a different set of
821- * arguments. We should use a better configure check in the future.
822- */
823-#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && defined(HAVE_KRB5_TICKET_TIMES)
824+#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \
825+ KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 2
826 krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
827+#elif defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \
828+ KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 3
829+ (void) krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);
830 #else
831 DEBUG(SSSDBG_OP_FAILURE, ("Kerberos principal canonicalization is not available!\n"));
832 #endif
833@@ -1063,10 +1075,51 @@ done:
834 KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr);
835 }
f74665dc 836 }
dd3b701a
JB
837- krb5_free_string(ctx, tmp_ccname);
838+ sss_krb5_free_string(ctx, tmp_ccname);
839
840 return ret_ccname;
841 #else
842 return NULL;
843 #endif /* HAVE_KRB5_CC_COLLECTION */
844 }
845+
846+krb5_error_code KRB5_CALLCONV
847+sss_krb5_unparse_name_ext(krb5_context ctx,
848+ krb5_const_principal principal,
849+ char **name,
850+ unsigned int *len)
851+{
852+ krb5_error_code kerr;
853+
854+#ifdef HAVE_KRB5_UNPARSE_NAME_EXT
855+ kerr = krb5_unparse_name_ext(ctx, principal, name, len);
856+#else
857+ kerr = krb5_unparse_name(ctx, principal, name);
858+ if (kerr == 0 && *name)
859+ *len = strlen(*name);
860+#endif /* HAVE_KRB5_UNPARSE_NAME_EXT */
861+
862+ return kerr;
863+}
864+
865+krb5_error_code KRB5_CALLCONV
866+sss_krb5_get_time_offsets(krb5_context ctx,
867+ krb5_timestamp *seconds,
868+ int32_t *microseconds)
869+{
870+#if defined(HAVE_KRB5_GET_TIME_OFFSETS)
871+ return krb5_get_time_offsets(ctx, seconds, microseconds);
872+#elif defined(HAVE_KRB5_GET_KDC_SEC_OFFSET)
873+ int32_t _seconds;
874+ krb5_error_code ret;
875+
876+ ret = krb5_get_kdc_sec_offset(ctx, &_seconds, microseconds);
877+ *seconds = _seconds;
878+ return ret;
879+#else
880+ (void) ctx;
881+ *seconds = 0;
882+ *microseconds = 0;
883+ return 0;
884+#endif
885+}
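Review bot: Both new wrappers can return with an output left unset. In `sss_krb5_get_time_offsets()` the `krb5_get_kdc_sec_offset` branch copies `_seconds` into `*seconds` even when the call failed, reading an uninitialized local; declare it as `int32_t _seconds = 0;` or assign only when `ret == 0`. In the `krb5_unparse_name` fallback of `sss_krb5_unparse_name_ext()`, `*len` is written only when the call succeeds with a non-NULL name, yet the caller in krb5_child.c passes `upn_len` to `pam_add_response()` whenever `kerr` is 0. Writing `*len = (kerr == 0 && *name != NULL) ? strlen(*name) : 0;` gives it a defined value on every path.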
886diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
887index db47e0a..c7b9a69 100644
888--- a/src/util/sss_krb5.h
889+++ b/src/util/sss_krb5.h
890@@ -70,6 +70,8 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
891
892 void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name);
893
894+void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val);
895+
896 int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
897 krb5_context context, krb5_keytab keytab);
898
899@@ -136,7 +138,8 @@ krb5_error_code
900 sss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
901 int flags, char **name);
902
903-void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
904+void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx,
905+ krb5_get_init_creds_opt *opts,
906 int canonicalize);
907
908 enum sss_krb5_cc_type {
909@@ -167,6 +170,10 @@ typedef krb5_times sss_krb5_ticket_times;
910 /* Redirect libkrb5 tracing towards our DEBUG statements */
911 errno_t sss_child_set_krb5_tracing(krb5_context ctx);
912
913+#ifndef HAVE_KRB5_AUTHDATATYPE
914+typedef int32_t krb5_authdatatype;
915+#endif
916+
917 krb5_error_code sss_krb5_find_authdata(krb5_context context,
918 krb5_authdata *const *ticket_authdata,
919 krb5_authdata *const *ap_req_authdata,
920@@ -184,4 +191,14 @@ char * sss_get_ccache_name_for_principal(TALLOC_CTX *mem_ctx,
921 krb5_context ctx,
922 krb5_principal principal,
923 const char *location);
924+
925+krb5_error_code KRB5_CALLCONV
926+sss_krb5_unparse_name_ext(krb5_context ctx,
927+ krb5_const_principal principal,
928+ char **name,
929+ unsigned int *len);
930+krb5_error_code KRB5_CALLCONV
931+sss_krb5_get_time_offsets(krb5_context ctx,
932+ krb5_timestamp *seconds,
933+ int32_t *microseconds);
934 #endif /* __SSS_KRB5_H__ */
bf8e7304
JB
935#--- sssd-1.11.4/src/external/pac_responder.m4.orig 2014-02-17 19:55:32.000000000 +0100
936#+++ sssd-1.11.4/src/external/pac_responder.m4 2014-03-22 17:59:50.707675270 +0100
937#@@ -21,7 +21,8 @@
938# Kerberos\ 5\ release\ 1.9* | \
939# Kerberos\ 5\ release\ 1.10* | \
940# Kerberos\ 5\ release\ 1.11* | \
941#- Kerberos\ 5\ release\ 1.12*)
942#+ Kerberos\ 5\ release\ 1.12* | \
943#+ heimdal\ *)
944# krb5_version_ok=yes
945# AC_MSG_RESULT([yes])
946# ;;