Commit | Line | Data |
---|---|---|
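--- a/src/external/krb5.m4
+++ b/src/external/krb5.m4
@@ -37,8 +37,8 @@ SAVE_CFLAGS=$CFLAGS
 SAVE_LIBS=$LIBS
 CFLAGS="$CFLAGS $KRB5_CFLAGS"
 LIBS="$LIBS $KRB5_LIBS"
-AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
-AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info], [], [],
+AC_CHECK_HEADERS([krb5.h krb5/krb5.h profile.h])
+AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info, krb5_authdatatype], [], [],
 [ #ifdef HAVE_KRB5_KRB5_H
 #include <krb5/krb5.h>
 #else
@@ -46,6 +46,7 @@ AC_CHECK_TYPES([krb5_ticket_times, krb5_
 #endif
 ])
 AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
+ krb5_unparse_name_ext \
 krb5_free_unparsed_name \
 krb5_get_init_creds_opt_set_expire_callback \
 krb5_get_init_creds_opt_set_fast_ccache_name \
@@ -65,7 +66,28 @@ AC_CHECK_FUNCS([krb5_get_init_creds_opt_
 krb5_set_trace_callback \
 krb5_find_authdata \
 krb5_kt_have_content \
+ krb5_get_kdc_sec_offset \
+ krb5_free_string \
+ krb5_xfree \
 krb5_cc_get_full_name])
+
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
+ #include <krb5/krb5.h>
+ #else
+ #include <krb5.h>
+ #endif
+ ]],
+ [[ krb5_get_init_creds_opt_set_canonicalize(NULL, 0); ]])],
+ [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [2], [number of arguments])])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
+ #include <krb5/krb5.h>
+ #else
+ #include <krb5.h>
+ #endif
+ ]],
+ [[ krb5_get_init_creds_opt_set_canonicalize(NULL, NULL, 0); ]])],
+ [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [3], [number of arguments])])
+
 CFLAGS=$SAVE_CFLAGS
 LIBS=$SAVE_LIBS
 CFLAGS="$CFLAGS $KRB5_CFLAGS"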
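Review bot: The two `AC_COMPILE_IFELSE` probes for `krb5_get_init_creds_opt_set_canonicalize` run independently and both define `KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS`, so the result is only right when exactly one of them fails to compile. If the included header does not prototype the function and the compiler still accepts implicit declarations, both the two- and the three-argument call compile and the macro is defined twice, ending at 3. Moving the second probe into the failure branch of the first would make the outcome unambiguous. The description `[number of arguments]` would also read better as something like `[number of arguments krb5_get_init_creds_opt_set_canonicalize takes (3 when it expects a context first)]`.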
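--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
@@ -339,6 +339,7 @@ krb5_error_code sssd_krb5_locator_lookup
 switch (socktype) {
 case SOCK_STREAM:
 case SOCK_DGRAM:
+ case 0: /* any */
 break;
 default:
 return KRB5_PLUGIN_NO_HANDLE;
@@ -373,7 +374,7 @@ krb5_error_code sssd_krb5_locator_lookup
 ai->ai_family, ai->ai_socktype));
 
 if ((family == AF_UNSPEC || ai->ai_family == family) &&
- ai->ai_socktype == socktype) {
+ (ai->ai_socktype == socktype || socktype == 0)) {
 
 ret = cbfunc(cbdata, socktype, ai->ai_addr);
 if (ret != 0) {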
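Review bot: With `socktype == 0` now accepted, the callback at `ret = cbfunc(cbdata, socktype, ai->ai_addr);` is handed 0 instead of the socket type of the address that actually matched. Passing the concrete type keeps the callback's argument meaningful for every caller: `ret = cbfunc(cbdata, ai->ai_socktype, ai->ai_addr);`. The relaxed filter also lets every `addrinfo` entry through, so if the resolver hints (outside these hunks) do not pin a socket type, the same address may be reported once per type. The comment `/* any */` could say which caller passes 0; the body of sssd_krb5_locator_lookup starts and ends outside both hunks.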
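--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -644,7 +644,7 @@ errno_t
 ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
 const char *primary_servers,
 const char *backup_servers,
- const char *krb5_realm,
+ const char *krb5_realm_str,
 const char *ad_service,
 const char *ad_gc_service,
 const char *ad_domain,
@@ -704,13 +704,13 @@ ad_failover_init(TALLOC_CTX *mem_ctx, st
 service->sdap->kinit_service_name = service->krb5_service->name;
 service->gc->kinit_service_name = service->krb5_service->name;
 
- if (!krb5_realm) {
+ if (!krb5_realm_str) {
 DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm set\n");
 ret = EINVAL;
 goto done;
 }
 service->krb5_service->realm =
- talloc_strdup(service->krb5_service, krb5_realm);
+ talloc_strdup(service->krb5_service, krb5_realm_str);
 if (!service->krb5_service->realm) {
 ret = ENOMEM;
 goto done;
@@ -918,7 +918,7 @@ ad_set_sdap_options(struct ad_options *a
 struct sdap_options *id_opts)
 {
 errno_t ret;
- char *krb5_realm;
+ char *krb5_realm_str;
 char *keytab_path;
 
 /* We only support Kerberos password policy with AD, so
@@ -933,20 +933,20 @@ ad_set_sdap_options(struct ad_options *a
 }
 
 /* Set the Kerberos Realm for GSSAPI */
- krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
- if (!krb5_realm) {
+ krb5_realm_str = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
+ if (!krb5_realm_str) {
 /* Should be impossible, this is set in ad_get_common_options() */
 DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
 ret = EINVAL;
 goto done;
 }
 
- ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm);
+ ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm_str);
 if (ret != EOK) goto done;
 DEBUG(SSSDBG_CONF_SETTINGS,
 "Option %s set to %s\n",
 id_opts->basic[SDAP_KRB5_REALM].opt_name,
- krb5_realm);
+ krb5_realm_str);
 
 keytab_path = dp_opt_get_string(ad_opts->basic, AD_KEYTAB);
 if (keytab_path) {
@@ -1137,7 +1137,7 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
 errno_t ret;
 struct dp_option *krb5_options;
 const char *ad_servers;
- const char *krb5_realm;
+ const char *krb5_realm_str;
 
 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
 if (!tmp_ctx) return ENOMEM;
@@ -1164,8 +1164,8 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
 
 /* Set krb5 realm */
 /* Set the Kerberos Realm for GSSAPI */
- krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
- if (!krb5_realm) {
+ krb5_realm_str = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
+ if (!krb5_realm_str) {
 /* Should be impossible, this is set in ad_get_common_options() */
 DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
 ret = EINVAL;
@@ -1175,12 +1175,12 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
 /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
 * been upper-cased in ad_common_options()
 */
- ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
+ ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm_str);
 if (ret != EOK) goto done;
 DEBUG(SSSDBG_CONF_SETTINGS,
 "Option %s set to %s\n",
 krb5_options[KRB5_REALM].opt_name,
- krb5_realm);
+ krb5_realm_str);
 
 /* Set flag that controls whether we want to write the
 * kdcinfo files at all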
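--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -136,7 +136,7 @@ static krb5_error_code set_lifetime_opti
 return 0;
 }
 
-static void set_canonicalize_option(krb5_get_init_creds_opt *opts)
+static void set_canonicalize_option(krb5_context ctx, krb5_get_init_creds_opt *opts)
 {
 int canonicalize = 0;
 char *tmp_str;
@@ -147,23 +147,23 @@ static void set_canonicalize_option(krb5
 }
 DEBUG(SSSDBG_CONF_SETTINGS, "%s is set to [%s]\n",
 SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set");
- sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
+ sss_krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);
 }
 
-static void set_changepw_options(krb5_get_init_creds_opt *options)
+static void set_changepw_options(krb5_context ctx, krb5_get_init_creds_opt *options)
 {
- sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
+ sss_krb5_get_init_creds_opt_set_canonicalize(ctx, options, 0);
 krb5_get_init_creds_opt_set_forwardable(options, 0);
 krb5_get_init_creds_opt_set_proxiable(options, 0);
 krb5_get_init_creds_opt_set_renew_life(options, 0);
 krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
 }
 
-static void revert_changepw_options(krb5_get_init_creds_opt *options)
+static void revert_changepw_options(krb5_context ctx, krb5_get_init_creds_opt *options)
 {
 krb5_error_code kerr;
 
- set_canonicalize_option(options);
+ set_canonicalize_option(ctx, options);
 
 /* Currently we do not set forwardable and proxiable explicitly, the flags
 * must be removed so that libkrb5 can take the defaults from krb5.conf */
@@ -177,6 +177,7 @@ static void revert_changepw_options(krb5
 }
 
 
+#ifdef HAVE_PAC_RESPONDER
 static errno_t sss_send_pac(krb5_authdata **pac_authdata)
 {
 struct sss_cli_req_data sss_data;
@@ -199,6 +200,7 @@ static errno_t sss_send_pac(krb5_authdat
 
 return EOK;
 }
+#endif /* HAVE_PAC_RESPONDER */
 
 static void sss_krb5_expire_callback_func(krb5_context context, void *data,
 krb5_timestamp password_expiration,
@@ -630,7 +632,8 @@ static krb5_error_code create_empty_cred
 {
 krb5_error_code kerr;
 krb5_creds *cred = NULL;
- krb5_data *krb5_realm;
+ const char *realm_name;
+ int realm_length;
 
 cred = calloc(sizeof(krb5_creds), 1);
 if (cred == NULL) {
@@ -644,12 +647,12 @@ static krb5_error_code create_empty_cred
 goto done;
 }
 
- krb5_realm = krb5_princ_realm(ctx, princ);
+ sss_krb5_princ_realm(ctx, princ, &realm_name, &realm_length);
 
 kerr = krb5_build_principal_ext(ctx, &cred->server,
- krb5_realm->length, krb5_realm->data,
+ realm_length, realm_name,
 KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
- krb5_realm->length, krb5_realm->data, 0);
+ realm_length, realm_name, 0);
 if (kerr != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE, "krb5_build_principal_ext failed.\n");
 goto done;
@@ -987,7 +990,8 @@ static errno_t add_ticket_times_and_upn_
 goto done;
 }
 
- kerr = krb5_unparse_name_ext(kr->ctx, kr->creds->client, &upn, &upn_len);
+ kerr = sss_krb5_unparse_name_ext(kr->ctx, kr->creds->client,
+ &upn, &upn_len);
 if (kerr != 0) {
 DEBUG(SSSDBG_OP_FAILURE, "krb5_unparse_name failed.\n");
 goto done;
@@ -995,7 +999,7 @@ static errno_t add_ticket_times_and_upn_
 
 ret = pam_add_response(kr->pd, SSS_KRB5_INFO_UPN, upn_len,
 (uint8_t *) upn);
- krb5_free_unparsed_name(kr->ctx, upn);
+ sss_krb5_free_unparsed_name(kr->ctx, upn);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
 goto done;
@@ -1017,7 +1021,9 @@ static krb5_error_code validate_tgt(stru
 krb5_principal validation_princ = NULL;
 bool realm_entry_found = false;
 krb5_ccache validation_ccache = NULL;
+#ifdef HAVE_PAC_RESPONDER
 krb5_authdata **pac_authdata = NULL;
+#endif
 
 memset(&keytab, 0, sizeof(keytab));
 kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
@@ -1111,6 +1117,7 @@ static krb5_error_code validate_tgt(stru
 goto done;
 }
 
+#ifdef HAVE_PAC_RESPONDER
 /* Try to find and send the PAC to the PAC responder.
 * Failures are not critical. */
 if (kr->send_pac) {
@@ -1133,6 +1140,7 @@ static krb5_error_code validate_tgt(stru
 kerr = 0;
 }
 }
+#endif /* HAVE_PAC_RESPONDER */
 
 done:
 if (validation_ccache != NULL) {
@@ -1168,7 +1176,7 @@ static krb5_error_code get_and_save_tgt_
 krb5_get_init_creds_opt_set_address_list(&options, NULL);
 krb5_get_init_creds_opt_set_forwardable(&options, 0);
 krb5_get_init_creds_opt_set_proxiable(&options, 0);
- set_canonicalize_option(&options);
+ set_canonicalize_option(ctx, &options);
 
 kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
 &options);
@@ -1382,7 +1390,7 @@ static errno_t changepw_child(struct krb
 prompter = sss_krb5_prompter;
 }
 
- set_changepw_options(kr->options);
+ set_changepw_options(kr->ctx, kr->options);
 sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
 if (realm_length == 0) {
 DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n");
@@ -1434,9 +1442,9 @@ static errno_t changepw_child(struct krb
 
 memset(&result_code_string, 0, sizeof(krb5_data));
 memset(&result_string, 0, sizeof(krb5_data));
- kerr = krb5_change_password(kr->ctx, kr->creds,
- discard_const(newpassword), &result_code,
- &result_code_string, &result_string);
+ kerr = krb5_set_password(kr->ctx, kr->creds,
+ discard_const(newpassword), NULL,
+ &result_code, &result_code_string, &result_string);
 
 if (kerr == KRB5_KDC_UNREACH) {
 return ERR_NETWORK_IO;
@@ -1450,7 +1458,7 @@ static errno_t changepw_child(struct krb
 if (result_code_string.length > 0) {
 DEBUG(SSSDBG_CRIT_FAILURE,
 "krb5_change_password failed [%d][%.*s].\n", result_code,
- result_code_string.length, result_code_string.data);
+ (int) result_code_string.length, (char *) result_code_string.data);
 user_error_message = talloc_strndup(kr->pd, result_code_string.data,
 result_code_string.length);
 if (user_error_message == NULL) {
@@ -1458,10 +1466,10 @@ static errno_t changepw_child(struct krb
 }
 }
 
- if (result_string.length > 0 && result_string.data[0] != '\0') {
+ if (result_string.length > 0 && ((char *) result_string.data)[0] != '\0') {
 DEBUG(SSSDBG_CRIT_FAILURE,
 "krb5_change_password failed [%d][%.*s].\n", result_code,
- result_string.length, result_string.data);
+ (int) result_string.length, (char *) result_string.data);
 talloc_free(user_error_message);
 user_error_message = talloc_strndup(kr->pd, result_string.data,
 result_string.length);
@@ -1512,7 +1520,7 @@ static errno_t changepw_child(struct krb
 
 /* We changed some of the gic options for the password change, now we have
 * to change them back to get a fresh TGT. */
- revert_changepw_options(kr->options);
+ revert_changepw_options(kr->ctx, kr->options);
 
 kerr = get_and_save_tgt(kr, newpassword);
 
@@ -1583,7 +1591,7 @@ static errno_t tgt_req_child(struct krb5
 "Failed to unset expire callback, continue ...\n");
 }
 
- set_changepw_options(kr->options);
+ set_changepw_options(kr->ctx, kr->options);
 kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
 discard_const(password),
 sss_krb5_prompter, kr, 0,
@@ -2166,7 +2174,8 @@ static errno_t k5c_recv_data(struct krb5
 static int k5c_setup_fast(struct krb5_req *kr, bool demand)
 {
 krb5_principal fast_princ_struct;
- krb5_data *realm_data;
+ const char *realm_name;
+ int realm_length;
 char *fast_principal_realm;
 char *fast_principal;
 krb5_error_code kerr;
@@ -2195,8 +2204,11 @@ static int k5c_setup_fast(struct krb5_re
 return KRB5KRB_ERR_GENERIC;
 }
 free(tmp_str);
- realm_data = krb5_princ_realm(kr->ctx, fast_princ_struct);
- fast_principal_realm = talloc_asprintf(kr, "%.*s", realm_data->length, realm_data->data);
+ sss_krb5_princ_realm(kr->ctx, fast_princ_struct,
+ &realm_name, &realm_length);
+
+ fast_principal_realm = talloc_asprintf(kr, "%.*s",
+ realm_length, realm_name);
 if (!fast_principal_realm) {
 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
 return ENOMEM;
@@ -2482,7 +2494,7 @@ static int k5c_setup(struct krb5_req *kr
 }
 
 if (!offline) {
- set_canonicalize_option(kr->options);
+ set_canonicalize_option(kr->ctx, kr->options);
 }
 
 /* TODO: set options, e.g.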
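Review bot: The new `sss_krb5_princ_realm(...)` calls in k5c_setup_fast and in the function the hunk header shows as `create_empty_cred` use `realm_name` and `realm_length` without the `if (realm_length == 0)` check that changepw_child applies after the same call. If the helper reports failure that way (its definition is not in the visible part), `krb5_build_principal_ext` is given an empty realm and `talloc_asprintf(kr, "%.*s", realm_length, realm_name)` may receive a NULL pointer, so a TGS or FAST principal with no realm is built instead of an error being returned. Each call site should test `realm_length == 0`, log `"sss_krb5_princ_realm failed.\n"` and leave through the function's existing error path. Separately, the two DEBUG strings in changepw_child still say `krb5_change_password failed` although the call is now `krb5_set_password`. All of these functions start or end outside their hunks.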
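--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -33,7 +33,7 @@
 #include "providers/krb5/krb5_opts.h"
 #include "providers/krb5/krb5_utils.h"
 
-#ifdef HAVE_KRB5_CC_COLLECTION
+#ifdef HAVE_PROFILE_H
 /* krb5 profile functions */
 #include <profile.h>
 #endif
@@ -91,7 +91,7 @@ done:
 return ret;
 }
 
-#ifdef HAVE_KRB5_CC_COLLECTION
+#ifdef HAVE_PROFILE_H
 /* source default_ccache_name from krb5.conf */
 static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
 char **ccname)
@@ -921,7 +921,7 @@ errno_t krb5_install_offline_callback(st
 {
 int ret;
 struct remove_info_files_ctx *ctx;
- const char *krb5_realm;
+ const char *krb5_realm_str;
 
 if (krb5_ctx->service == NULL || krb5_ctx->service->name == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Missing KDC service name!\n");
@@ -934,14 +934,14 @@ errno_t krb5_install_offline_callback(st
 return ENOMEM;
 }
 
- krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
- if (krb5_realm == NULL) {
+ krb5_realm_str = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
+ if (krb5_realm_str == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Missing krb5_realm option!\n");
 ret = EINVAL;
 goto done;
 }
 
- ctx->realm = talloc_strdup(ctx, krb5_realm);
+ ctx->realm = talloc_strdup(ctx, krb5_realm_str);
 if (ctx->realm == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
 ret = ENOMEM;
@@ -976,19 +976,19 @@ done:
 errno_t krb5_install_sigterm_handler(struct tevent_context *ev,
 struct krb5_ctx *krb5_ctx)
 {
- const char *krb5_realm;
+ const char *krb5_realm_str;
 char *sig_realm;
 struct tevent_signal *sige;
 
 BlockSignals(false, SIGTERM);
 
- krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
- if (krb5_realm == NULL) {
+ krb5_realm_str = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
+ if (krb5_realm_str == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Missing krb5_realm option!\n");
 return EINVAL;
 }
 
- sig_realm = talloc_strdup(krb5_ctx, krb5_realm);
+ sig_realm = talloc_strdup(krb5_ctx, krb5_realm_str);
 if (sig_realm == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
 return ENOMEM;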
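--- a/src/providers/krb5/krb5_init.c
+++ b/src/providers/krb5/krb5_init.c
@@ -64,7 +64,7 @@ int sssm_krb5_auth_init(struct be_ctx *b
 const char *krb5_backup_servers;
 const char *krb5_kpasswd_servers;
 const char *krb5_backup_kpasswd_servers;
- const char *krb5_realm;
+ const char *krb5_realm_str;
 const char *errstr;
 int errval;
 int errpos;
@@ -103,15 +103,15 @@ int sssm_krb5_auth_init(struct be_ctx *b
 krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
 krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC);
 
- krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM);
- if (krb5_realm == NULL) {
+ krb5_realm_str = dp_opt_get_string(ctx->opts, KRB5_REALM);
+ if (krb5_realm_str == NULL) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Missing krb5_realm option!\n");
 return EINVAL;
 }
 
 ret = krb5_service_init(ctx, bectx,
 SSS_KRB5KDC_FO_SRV, krb5_servers,
- krb5_backup_servers, krb5_realm,
+ krb5_backup_servers, krb5_realm_str,
 dp_opt_get_bool(krb5_options->opts,
 KRB5_USE_KDCINFO),
 &ctx->service);
@@ -138,7 +138,7 @@ int sssm_krb5_auth_init(struct be_ctx *b
 } else {
 ret = krb5_service_init(ctx, bectx,
 SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers,
- krb5_backup_kpasswd_servers, krb5_realm,
+ krb5_backup_kpasswd_servers, krb5_realm_str,
 dp_opt_get_bool(krb5_options->opts,
 KRB5_USE_KDCINFO),
 &ctx->kpasswd_service);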
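--- a/src/providers/krb5/krb5_keytab.c
+++ b/src/providers/krb5/krb5_keytab.c
@@ -85,6 +85,10 @@ static krb5_error_code do_keytab_copy(kr
 return 0;
 }
 
+#ifndef MAX_KEYTAB_NAME_LEN
+#define MAX_KEYTAB_NAME_LEN 1100
+#endif
+
 krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
 const char *inp_keytab_file,
 char **_mem_name,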
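Review bot: The fallback `#define MAX_KEYTAB_NAME_LEN 1100` carries no comment saying where the value comes from or when it applies. Something like `/* Not every Kerberos library's headers define MAX_KEYTAB_NAME_LEN; 1100 matches the value in MIT's krb5.h */` above the `#ifndef` would cover it. The constant presumably sizes a keytab-name buffer in copy_keytab_into_memory, whose body lies outside the hunk, so it is worth confirming that the call filling that buffer is given the same length and has its return value checked, so that an over-long name is rejected rather than truncated.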
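--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -99,7 +99,7 @@ static errno_t unpack_buffer(uint8_t *bu
 
 /* ticket lifetime */
 SAFEALIGN_COPY_UINT32_CHECK(&ibuf->lifetime, buf + p, size, &p);
- DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %u\n", ibuf->lifetime);
+ DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %ld\n", (long)(ibuf->lifetime));
 
 /* UID and GID to run as */
 SAFEALIGN_COPY_UINT32_CHECK(&ibuf->uid, buf + p, size, &p);
@@ -384,7 +384,8 @@ static krb5_error_code ldap_child_get_tg
 DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
 canonicalize = 1;
 }
- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
+ sss_krb5_get_init_creds_opt_set_canonicalize(context,
+ &options, canonicalize);
 
 ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
 DB_PATH, realm_name);
@@ -463,8 +464,7 @@ static krb5_error_code ldap_child_get_tg
 }
 DEBUG(SSSDBG_TRACE_INTERNAL, "credentials stored\n");
 
-#ifdef HAVE_KRB5_GET_TIME_OFFSETS
- krberr = krb5_get_time_offsets(context, &kdc_time_offset,
+ krberr = sss_krb5_get_time_offsets(context, &kdc_time_offset,
 &kdc_time_offset_usec);
 if (krberr) {
 DEBUG(SSSDBG_OP_FAILURE, "Failed to get KDC time offset: %s\n",
@@ -476,10 +476,6 @@ static krb5_error_code ldap_child_get_tg
 }
 }
 DEBUG(SSSDBG_TRACE_INTERNAL, "Got KDC time offset\n");
-#else
- /* If we don't have this function, just assume no offset */
- kdc_time_offset = 0;
-#endif
 
 DEBUG(SSSDBG_TRACE_INTERNAL,
 "Renaming [%s] to [%s]\n", ccname_file_dummy, ccname_file);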
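Review bot: Removing the `#ifdef HAVE_KRB5_GET_TIME_OFFSETS` / `#else` block drops the local "assume no offset" fallback and leaves that job to `sss_krb5_get_time_offsets`, whose definition is not among this file's hunks. The wrapper has to set both `kdc_time_offset` and `kdc_time_offset_usec` on every path, including builds where the library offers no offset API, because the code after the call presumably reads them; an unset offset would skew whatever expiry is derived from it. Once that is confirmed, a comment at the call such as `/* wrapper yields a zero offset when the library has no offset API */` would record the contract. The continuation line `&kdc_time_offset_usec);` also wants re-aligning under the longer function name; the function body starts and ends outside these hunks.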
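--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -363,7 +363,7 @@ done:
 static const char *
 sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
 {
- char *krb5_realm = NULL;
+ char *krb5_realm_str = NULL;
 const char *realm = NULL;
 krb5_error_code krberr;
 krb5_context context = NULL;
@@ -374,15 +374,15 @@ sdap_gssapi_get_default_realm(TALLOC_CTX
 goto done;
 }
 
- krberr = krb5_get_default_realm(context, &krb5_realm);
+ krberr = krb5_get_default_realm(context, &krb5_realm_str);
 if (krberr) {
 DEBUG(SSSDBG_OP_FAILURE, "Failed to get default realm name: %s\n",
 sss_krb5_get_error_message(context, krberr));
 goto done;
 }
 
- realm = talloc_strdup(mem_ctx, krb5_realm);
- krb5_free_default_realm(context, krb5_realm);
+ realm = talloc_strdup(mem_ctx, krb5_realm_str);
+ krb5_free_default_realm(context, krb5_realm_str);
 if (!realm) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory\n");
 goto done;
@@ -415,7 +415,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
 int ret;
 const char *krb5_servers;
 const char *krb5_backup_servers;
- const char *krb5_realm;
+ const char *krb5_realm_str;
 const char *krb5_opt_realm;
 struct krb5_service *service = NULL;
 TALLOC_CTX *tmp_ctx;
@@ -430,16 +430,16 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
 if (krb5_opt_realm == NULL) {
 DEBUG(SSSDBG_OP_FAILURE,
 "Missing krb5_realm option, will use libkrb default\n");
- krb5_realm = sdap_gssapi_get_default_realm(tmp_ctx);
- if (krb5_realm == NULL) {
+ krb5_realm_str = sdap_gssapi_get_default_realm(tmp_ctx);
+ if (krb5_realm_str == NULL) {
 DEBUG(SSSDBG_FATAL_FAILURE,
 "Cannot determine the Kerberos realm, aborting\n");
 ret = EIO;
 goto done;
 }
 } else {
- krb5_realm = talloc_strdup(tmp_ctx, krb5_opt_realm);
- if (krb5_realm == NULL) {
+ krb5_realm_str = talloc_strdup(tmp_ctx, krb5_opt_realm);
+ if (krb5_realm_str == NULL) {
 ret = ENOMEM;
 goto done;
 }
@@ -447,7 +447,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
 
 ret = krb5_service_init(mem_ctx, bectx,
 SSS_KRB5KDC_FO_SRV, krb5_servers,
- krb5_backup_servers, krb5_realm,
+ krb5_backup_servers, krb5_realm_str,
 dp_opt_get_bool(opts,
 SDAP_KRB5_USE_KDCINFO),
 &service);
@@ -456,14 +456,14 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
 goto done;
 }
 
- ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm);
+ ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm_str);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n");
 goto done;
 }
 
 ret = sdap_install_offline_callback(mem_ctx, bectx,
- krb5_realm, SSS_KRB5KDC_FO_SRV);
+ krb5_realm_str, SSS_KRB5KDC_FO_SRV);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n");
 goto done;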
ccdb83c2 JR |
657 | diff -urNp -x '*.orig' sssd-1.13.4.org/src/tests/krb5_child-test.c sssd-1.13.4/src/tests/krb5_child-test.c |
658 | --- sssd-1.13.4.org/src/tests/krb5_child-test.c 2016-04-13 16:48:41.000000000 +0200 | |
659 | +++ sssd-1.13.4/src/tests/krb5_child-test.c 2021-03-03 21:59:13.332396954 +0100 | |
660 | @@ -283,17 +283,17 @@ child_done(struct tevent_req *req) | |
dd3b701a JB |
661 | static void |
662 | printtime(krb5_timestamp ts) | |
663 | { | |
664 | +#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING | |
665 | krb5_error_code kret; | |
666 | char timestring[BUFSIZ]; | |
667 | char fill = '\0'; | |
668 | ||
669 | -#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING | |
670 | kret = krb5_timestamp_to_sfstring(ts, timestring, BUFSIZ, &fill); | |
671 | if (kret) { | |
672 | KRB5_CHILD_TEST_DEBUG(SSSDBG_OP_FAILURE, kret); | |
673 | } | |
674 | printf("%s", timestring); | |
675 | -#else | |
676 | +#elif defined(HAVE_KRB5_FORMAT_TIME) | |
677 | printf("%s", ctime(&ts)); | |
678 | #endif /* HAVE_KRB5_TIMESTAMP_TO_SFSTRING */ | |
679 | } | |
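Review bot: With neither HAVE_KRB5_TIMESTAMP_TO_SFSTRING nor HAVE_KRB5_FORMAT_TIME defined, printtime() now compiles to an empty body and prints nothing, where the old `#else` always fell back to ctime(). The `#elif defined(HAVE_KRB5_FORMAT_TIME)` guard also does not match its branch, which calls ctime() rather than krb5_format_time(); keeping a plain `#else` would preserve the fallback. In that branch `ctime(&ts)` passes a krb5_timestamp pointer where a `time_t *` is expected, so if the two types differ in width on the target library, copy first: `time_t t = ts; printf("%s", ctime(&t));`.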
ccdb83c2 | 680 | @@ -326,8 +326,8 @@ print_creds(krb5_context kcontext, krb5_ |
dd3b701a | 681 | } |
f74665dc | 682 | |
683 | done: | |
dd3b701a JB |
684 | - krb5_free_unparsed_name(kcontext, name); |
685 | - krb5_free_unparsed_name(kcontext, sname); | |
686 | + sss_krb5_free_unparsed_name(kcontext, name); | |
687 | + sss_krb5_free_unparsed_name(kcontext, sname); | |
688 | } | |
689 | ||
690 | static errno_t | |
ccdb83c2 | 691 | @@ -374,7 +374,7 @@ print_ccache(const char *cc) |
dd3b701a JB |
692 | ret = EOK; |
693 | done: | |
694 | krb5_cc_close(kcontext, cache); | |
695 | - krb5_free_unparsed_name(kcontext, defname); | |
696 | + sss_krb5_free_unparsed_name(kcontext, defname); | |
697 | krb5_free_principal(kcontext, princ); | |
698 | krb5_free_context(kcontext); | |
699 | return ret; | |
ccdb83c2 JR |
700 | diff -urNp -x '*.orig' sssd-1.13.4.org/src/util/sss_krb5.c sssd-1.13.4/src/util/sss_krb5.c |
701 | --- sssd-1.13.4.org/src/util/sss_krb5.c 2016-04-13 16:48:41.000000000 +0200 | |
702 | +++ sssd-1.13.4/src/util/sss_krb5.c 2021-03-03 21:59:13.332396954 +0100 | |
66c0dc33 JB |
703 | @@ -20,7 +20,9 @@ |
704 | #include <stdio.h> | |
705 | #include <errno.h> | |
706 | #include <talloc.h> | |
707 | +#ifdef HAVE_PROFILE_H | |
708 | #include <profile.h> | |
709 | +#endif | |
710 | ||
711 | #include "config.h" | |
712 | ||
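Review bot: The new `#ifdef HAVE_PROFILE_H` is tested before `#include "config.h"`, which in this hunk only follows a few lines later. Unless the macro is supplied on the compiler command line or by an include outside the hunk, the guard is false at this point and `<profile.h>` is never included. The `#ifdef HAVE_PROFILE_H` added inside sss_krb5_realm_has_proxy() is evaluated after config.h, so it can still select the profile-based code without its declarations. Moving `#include "config.h"` above this guard, or moving the guarded include below it, would make the two tests agree.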
ccdb83c2 | 713 | @@ -485,7 +487,9 @@ void KRB5_CALLCONV sss_krb5_get_init_cre |
dd3b701a JB |
714 | |
715 | void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name) | |
716 | { | |
717 | -#ifdef HAVE_KRB5_FREE_UNPARSED_NAME | |
718 | +#ifdef HAVE_KRB5_XFREE | |
719 | + krb5_xfree(name); | |
720 | +#elif HAVE_KRB5_FREE_UNPARSED_NAME | |
721 | krb5_free_unparsed_name(context, name); | |
722 | #else | |
723 | if (name != NULL) { | |
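Review bot: `#elif HAVE_KRB5_FREE_UNPARSED_NAME` tests the macro's value instead of whether it is defined, unlike the `#ifdef` above it, and will warn under -Wundef; `#elif defined(HAVE_KRB5_FREE_UNPARSED_NAME)` is the consistent form. The same applies to `#elif HAVE_KRB5_XFREE` in the sss_krb5_free_string() hunk that follows. Since krb5_xfree() is now preferred over krb5_free_unparsed_name() when both exist, a one-line comment saying why would help the next reader. The function body continues past the end of this hunk.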
ccdb83c2 | 724 | @@ -495,6 +499,15 @@ void KRB5_CALLCONV sss_krb5_free_unparse |
dd3b701a JB |
725 | #endif |
726 | } | |
727 | ||
728 | +void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val) | |
729 | +{ | |
730 | +/* TODO: ensure at least on is available in krb5.m4 */ | |
731 | +#ifdef HAVE_KRB5_FREE_STRING | |
732 | + krb5_free_string(ctx, val); | |
733 | +#elif HAVE_KRB5_XFREE | |
734 | + (void) krb5_xfree(val); | |
735 | +#endif | |
736 | +} | |
737 | ||
738 | krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_expire_callback( | |
739 | krb5_context context, | |
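Review bot: When neither HAVE_KRB5_FREE_STRING nor HAVE_KRB5_XFREE is defined, sss_krb5_free_string() compiles to an empty body and every string passed to it is leaked silently. The TODO acknowledges that krb5.m4 does not enforce this yet. Until it does, failing the build is safer than leaking: add `#else` followed by `#error "no libkrb5 string deallocator available"` before the `#endif`. The `(void)` cast on krb5_xfree() here is also inconsistent with the uncast call in sss_krb5_free_unparsed_name().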
ccdb83c2 | 740 | @@ -753,15 +766,16 @@ cleanup: |
dd3b701a JB |
741 | #endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */ |
742 | } | |
743 | ||
744 | -void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts, | |
745 | +void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx, | |
746 | + krb5_get_init_creds_opt *opts, | |
747 | int canonicalize) | |
748 | { | |
749 | - /* FIXME: The extra check for HAVE_KRB5_TICKET_TIMES is a workaround due to Heimdal | |
750 | - * defining krb5_get_init_creds_opt_set_canonicalize() with a different set of | |
751 | - * arguments. We should use a better configure check in the future. | |
752 | - */ | |
753 | -#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && defined(HAVE_KRB5_TICKET_TIMES) | |
754 | +#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \ | |
755 | + KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 2 | |
756 | krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize); | |
757 | +#elif defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \ | |
758 | + KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 3 | |
759 | + (void) krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize); | |
760 | #else | |
7168e7f9 | 761 | DEBUG(SSSDBG_OP_FAILURE, "Kerberos principal canonicalization is not available!\n"); |
dd3b701a | 762 | #endif |
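Review bot: In the three-argument branch the result of krb5_get_init_creds_opt_set_canonicalize() is discarded with `(void)`, so a failure to set the canonicalize flag is invisible to callers and to the log, while the "not available" case is logged. Since the wrapper returns void, at least log it: `krb5_error_code kerr = krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);` then `if (kerr != 0) KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);`. In the two-argument and fallback branches `ctx` is unused, so a `(void) ctx;` there avoids an unused-parameter warning. The function's closing brace lies outside this hunk.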
ccdb83c2 | 763 | @@ -1023,7 +1037,7 @@ done: |
dd3b701a JB |
764 | KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr); |
765 | } | |
f74665dc | 766 | } |
dd3b701a JB |
767 | - krb5_free_string(ctx, tmp_ccname); |
768 | + sss_krb5_free_string(ctx, tmp_ccname); | |
769 | ||
770 | return ret_ccname; | |
771 | #else | |
ccdb83c2 | 772 | @@ -1076,6 +1090,7 @@ krb5_error_code sss_krb5_kt_have_content |
66c0dc33 JB |
773 | |
774 | bool sss_krb5_realm_has_proxy(const char *realm) | |
775 | { | |
776 | +#ifdef HAVE_PROFILE_H | |
777 | krb5_context context = NULL; | |
778 | krb5_error_code kerr; | |
779 | struct _profile_t *profile = NULL; | |
ccdb83c2 | 780 | @@ -1128,4 +1143,48 @@ done: |
66c0dc33 JB |
781 | krb5_free_context(context); |
782 | ||
783 | return res; | |
784 | +#else | |
785 | + return false; | |
786 | +#endif | |
787 | +} | |
dd3b701a JB |
788 | + |
789 | +krb5_error_code KRB5_CALLCONV | |
790 | +sss_krb5_unparse_name_ext(krb5_context ctx, | |
791 | + krb5_const_principal principal, | |
792 | + char **name, | |
793 | + unsigned int *len) | |
794 | +{ | |
795 | + krb5_error_code kerr; | |
796 | + | |
797 | +#ifdef HAVE_KRB5_UNPARSE_NAME_EXT | |
798 | + kerr = krb5_unparse_name_ext(ctx, principal, name, len); | |
799 | +#else | |
800 | + kerr = krb5_unparse_name(ctx, principal, name); | |
801 | + if (kerr == 0 && *name) | |
802 | + *len = strlen(*name); | |
803 | +#endif /* HAVE_KRB5_UNPARSE_NAME_EXT */ | |
804 | + | |
805 | + return kerr; | |
806 | +} | |
807 | + | |
808 | +krb5_error_code KRB5_CALLCONV | |
809 | +sss_krb5_get_time_offsets(krb5_context ctx, | |
810 | + krb5_timestamp *seconds, | |
811 | + int32_t *microseconds) | |
812 | +{ | |
813 | +#if defined(HAVE_KRB5_GET_TIME_OFFSETS) | |
814 | + return krb5_get_time_offsets(ctx, seconds, microseconds); | |
815 | +#elif defined(HAVE_KRB5_GET_KDC_SEC_OFFSET) | |
816 | + int32_t _seconds; | |
817 | + krb5_error_code ret; | |
818 | + | |
819 | + ret = krb5_get_kdc_sec_offset(ctx, &_seconds, microseconds); | |
820 | + *seconds = _seconds; | |
821 | + return ret; | |
822 | +#else | |
823 | + (void) ctx; | |
824 | + *seconds = 0; | |
825 | + *microseconds = 0; | |
826 | + return 0; | |
827 | +#endif | |
66c0dc33 | 828 | } |
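Review bot: The fallback branch of sss_krb5_unparse_name_ext() does not keep the in/out behaviour of krb5_unparse_name_ext(). krb5_unparse_name() always allocates a fresh string, so a caller passing an existing buffer in `*name` for reuse would leak it, and `*len` is left unwritten when the call fails or `*name` is NULL. Whether any caller relies on reuse is not visible here, so either document that `*name` must be NULL on entry or set `*len = 0` on the failure path. In sss_krb5_get_time_offsets() the HAVE_KRB5_GET_KDC_SEC_OFFSET branch copies `_seconds` into `*seconds` even when the call failed, so it should be initialised: `int32_t _seconds = 0;`.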
ccdb83c2 JR |
829 | diff -urNp -x '*.orig' sssd-1.13.4.org/src/util/sss_krb5.h sssd-1.13.4/src/util/sss_krb5.h |
830 | --- sssd-1.13.4.org/src/util/sss_krb5.h 2016-04-13 16:48:41.000000000 +0200 | |
831 | +++ sssd-1.13.4/src/util/sss_krb5.h 2021-03-03 21:59:13.332396954 +0100 | |
7168e7f9 | 832 | @@ -70,6 +70,8 @@ void KRB5_CALLCONV sss_krb5_get_init_cre |
dd3b701a JB |
833 | |
834 | void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name); | |
835 | ||
836 | +void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val); | |
837 | + | |
7168e7f9 JB |
838 | krb5_error_code find_principal_in_keytab(krb5_context ctx, |
839 | krb5_keytab keytab, | |
840 | const char *pattern_primary, | |
841 | @@ -133,7 +135,8 @@ krb5_error_code | |
dd3b701a JB |
842 | sss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, |
843 | int flags, char **name); | |
844 | ||
845 | -void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts, | |
846 | +void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx, | |
847 | + krb5_get_init_creds_opt *opts, | |
848 | int canonicalize); | |
849 | ||
850 | enum sss_krb5_cc_type { | |
7168e7f9 | 851 | @@ -164,6 +167,10 @@ typedef krb5_times sss_krb5_ticket_times |
dd3b701a JB |
852 | /* Redirect libkrb5 tracing towards our DEBUG statements */ |
853 | errno_t sss_child_set_krb5_tracing(krb5_context ctx); | |
854 | ||
855 | +#ifndef HAVE_KRB5_AUTHDATATYPE | |
856 | +typedef int32_t krb5_authdatatype; | |
857 | +#endif | |
858 | + | |
859 | krb5_error_code sss_krb5_find_authdata(krb5_context context, | |
860 | krb5_authdata *const *ticket_authdata, | |
861 | krb5_authdata *const *ap_req_authdata, | |
ccdb83c2 | 862 | @@ -186,4 +193,14 @@ krb5_error_code sss_krb5_kt_have_content |
7168e7f9 | 863 | krb5_keytab keytab); |
e1f3ee2a ER |
864 | |
865 | bool sss_krb5_realm_has_proxy(const char *realm); | |
dd3b701a JB |
866 | + |
867 | +krb5_error_code KRB5_CALLCONV | |
868 | +sss_krb5_unparse_name_ext(krb5_context ctx, | |
869 | + krb5_const_principal principal, | |
870 | + char **name, | |
871 | + unsigned int *len); | |
872 | +krb5_error_code KRB5_CALLCONV | |
873 | +sss_krb5_get_time_offsets(krb5_context ctx, | |
874 | + krb5_timestamp *seconds, | |
875 | + int32_t *microseconds); | |
876 | #endif /* __SSS_KRB5_H__ */ |
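Review bot: The two prototypes added at the end of sss_krb5.h carry no comment on ownership or fallback behaviour, which callers need in order to use them correctly. Above sss_krb5_unparse_name_ext I would add `/* On success *name is allocated by libkrb5; release it with sss_krb5_free_unparsed_name(). */`. Above sss_krb5_get_time_offsets I would add `/* Reports zero offsets and returns 0 when libkrb5 provides no offset API. */`, which matches the `#else` branch in sss_krb5.c.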