up to 1.13.4
[packages/sssd.git] / sssd-heimdal.patch
CommitLineData
dd3b701a
JB
1diff --git a/src/external/krb5.m4 b/src/external/krb5.m4
2index 1a50bf1..54c5883 100644
3--- a/src/external/krb5.m4
4+++ b/src/external/krb5.m4
5@@ -37,8 +37,8 @@ SAVE_CFLAGS=$CFLAGS
6 SAVE_LIBS=$LIBS
7 CFLAGS="$CFLAGS $KRB5_CFLAGS"
8 LIBS="$LIBS $KRB5_LIBS"
9-AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
10-AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info], [], [],
11+AC_CHECK_HEADERS([krb5.h krb5/krb5.h profile.h])
12+AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info, krb5_authdatatype], [], [],
13 [ #ifdef HAVE_KRB5_KRB5_H
14 #include <krb5/krb5.h>
15 #else
7168e7f9 16@@ -46,6 +46,7 @@ AC_CHECK_TYPES([krb5_ticket_times, krb5_
dd3b701a
JB
17 #endif
18 ])
19 AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
20+ krb5_unparse_name_ext \
21 krb5_free_unparsed_name \
22 krb5_get_init_creds_opt_set_expire_callback \
23 krb5_get_init_creds_opt_set_fast_ccache_name \
7168e7f9 24@@ -65,7 +66,28 @@ AC_CHECK_FUNCS([krb5_get_init_creds_opt_
dd3b701a
JB
25 krb5_set_trace_callback \
26 krb5_find_authdata \
7168e7f9
JB
27 krb5_kt_have_content \
28+ krb5_get_kdc_sec_offset \
dd3b701a 29+ krb5_free_string \
7168e7f9
JB
30+ krb5_xfree \
31 krb5_cc_get_full_name])
dd3b701a
JB
32+
33+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
34+ #include <krb5/krb5.h>
35+ #else
36+ #include <krb5.h>
37+ #endif
38+ ]],
39+ [[ krb5_get_init_creds_opt_set_canonicalize(NULL, 0); ]])],
40+ [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [2], [number of arguments])])
41+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
42+ #include <krb5/krb5.h>
43+ #else
44+ #include <krb5.h>
45+ #endif
46+ ]],
47+ [[ krb5_get_init_creds_opt_set_canonicalize(NULL, NULL, 0); ]])],
48+ [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [3], [number of arguments])])
49+
50 CFLAGS=$SAVE_CFLAGS
51 LIBS=$SAVE_LIBS
7168e7f9 52 CFLAGS="$CFLAGS $KRB5_CFLAGS"
dd3b701a
JB
53diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
54index 725687d..586c7dd 100644
55--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
56+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
57@@ -340,6 +340,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
58 switch (socktype) {
59 case SOCK_STREAM:
60 case SOCK_DGRAM:
61+ case 0: /* any */
f74665dc 62 break;
dd3b701a
JB
63 default:
64 return KRB5_PLUGIN_NO_HANDLE;
65@@ -374,7 +375,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
66 ai->ai_family, ai->ai_socktype));
67
68 if ((family == AF_UNSPEC || ai->ai_family == family) &&
69- ai->ai_socktype == socktype) {
70+ (ai->ai_socktype == socktype || socktype == 0)) {
71
72 ret = cbfunc(cbdata, socktype, ai->ai_addr);
73 if (ret != 0) {
38af2cc5
JB
74--- sssd-1.11.6/src/providers/ad/ad_common.c.orig 2014-06-03 16:31:33.000000000 +0200
75+++ sssd-1.11.6/src/providers/ad/ad_common.c 2014-06-18 21:33:34.690734956 +0200
76@@ -536,7 +536,7 @@ errno_t
dd3b701a
JB
77 ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
78 const char *primary_servers,
79 const char *backup_servers,
80- const char *krb5_realm,
81+ const char *krb5_realm_str,
82 const char *ad_service,
83 const char *ad_gc_service,
84 const char *ad_domain,
38af2cc5 85@@ -596,13 +596,13 @@ ad_failover_init(TALLOC_CTX *mem_ctx, st
dd3b701a
JB
86 service->sdap->kinit_service_name = service->krb5_service->name;
87 service->gc->kinit_service_name = service->krb5_service->name;
88
89- if (!krb5_realm) {
90+ if (!krb5_realm_str) {
38af2cc5 91 DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm set\n");
dd3b701a
JB
92 ret = EINVAL;
93 goto done;
94 }
95 service->krb5_service->realm =
96- talloc_strdup(service->krb5_service, krb5_realm);
97+ talloc_strdup(service->krb5_service, krb5_realm_str);
98 if (!service->krb5_service->realm) {
99 ret = ENOMEM;
100 goto done;
38af2cc5 101@@ -810,7 +810,7 @@ ad_set_ad_id_options(struct ad_options *
dd3b701a
JB
102 struct sdap_options *id_opts)
103 {
104 errno_t ret;
105- char *krb5_realm;
106+ char *krb5_realm_str;
107 char *keytab_path;
108
109 /* We only support Kerberos password policy with AD, so
38af2cc5 110@@ -825,20 +825,20 @@ ad_set_ad_id_options(struct ad_options *
dd3b701a
JB
111 }
112
113 /* Set the Kerberos Realm for GSSAPI */
114- krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
115- if (!krb5_realm) {
116+ krb5_realm_str = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
117+ if (!krb5_realm_str) {
118 /* Should be impossible, this is set in ad_get_common_options() */
38af2cc5 119 DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
dd3b701a
JB
120 ret = EINVAL;
121 goto done;
122 }
123
124- ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm);
125+ ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm_str);
126 if (ret != EOK) goto done;
127 DEBUG(SSSDBG_CONF_SETTINGS,
38af2cc5 128 "Option %s set to %s\n",
dd3b701a 129 id_opts->basic[SDAP_KRB5_REALM].opt_name,
38af2cc5
JB
130- krb5_realm);
131+ krb5_realm_str);
dd3b701a
JB
132
133 keytab_path = dp_opt_get_string(ad_opts->basic, AD_KEYTAB);
134 if (keytab_path) {
38af2cc5 135@@ -998,7 +998,7 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
dd3b701a
JB
136 errno_t ret;
137 struct dp_option *krb5_options;
138 const char *ad_servers;
139- const char *krb5_realm;
140+ const char *krb5_realm_str;
141
142 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
143 if (!tmp_ctx) return ENOMEM;
38af2cc5 144@@ -1025,8 +1025,8 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
dd3b701a
JB
145
146 /* Set krb5 realm */
147 /* Set the Kerberos Realm for GSSAPI */
148- krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
149- if (!krb5_realm) {
150+ krb5_realm_str = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
151+ if (!krb5_realm_str) {
152 /* Should be impossible, this is set in ad_get_common_options() */
38af2cc5 153 DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
dd3b701a 154 ret = EINVAL;
38af2cc5 155@@ -1036,12 +1036,12 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
dd3b701a
JB
156 /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
157 * been upper-cased in ad_common_options()
158 */
159- ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
160+ ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm_str);
161 if (ret != EOK) goto done;
162 DEBUG(SSSDBG_CONF_SETTINGS,
38af2cc5 163 "Option %s set to %s\n",
dd3b701a 164 krb5_options[KRB5_REALM].opt_name,
38af2cc5
JB
165- krb5_realm);
166+ krb5_realm_str);
dd3b701a
JB
167
168 /* Set flag that controls whether we want to write the
169 * kdcinfo files at all
7168e7f9
JB
170--- sssd-1.12.3/src/providers/krb5/krb5_child.c.orig 2015-01-08 18:19:45.000000000 +0100
171+++ sssd-1.12.3/src/providers/krb5/krb5_child.c 2015-01-12 16:19:43.242398934 +0100
172@@ -133,7 +133,7 @@ static krb5_error_code set_lifetime_opti
38af2cc5
JB
173 return 0;
174 }
175
176-static void set_canonicalize_option(krb5_get_init_creds_opt *opts)
177+static void set_canonicalize_option(krb5_context ctx, krb5_get_init_creds_opt *opts)
178 {
179 int canonicalize = 0;
180 char *tmp_str;
7168e7f9 181@@ -144,23 +144,23 @@ static void set_canonicalize_option(krb5
dd3b701a 182 }
38af2cc5
JB
183 DEBUG(SSSDBG_CONF_SETTINGS, "%s is set to [%s]\n",
184 SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set");
185- sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
186+ sss_krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);
187 }
dd3b701a 188
3278078b
JB
189-static void set_changepw_options(krb5_get_init_creds_opt *options)
190+static void set_changepw_options(krb5_context ctx, krb5_get_init_creds_opt *options)
38af2cc5 191 {
dd3b701a
JB
192- sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
193+ sss_krb5_get_init_creds_opt_set_canonicalize(ctx, options, 0);
194 krb5_get_init_creds_opt_set_forwardable(options, 0);
195 krb5_get_init_creds_opt_set_proxiable(options, 0);
196 krb5_get_init_creds_opt_set_renew_life(options, 0);
38af2cc5
JB
197 krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
198 }
199
200-static void revert_changepw_options(krb5_get_init_creds_opt *options)
201+static void revert_changepw_options(krb5_context ctx, krb5_get_init_creds_opt *options)
202 {
203 krb5_error_code kerr;
204
205- set_canonicalize_option(options);
206+ set_canonicalize_option(ctx, options);
207
208 /* Currently we do not set forwardable and proxiable explicitly, the flags
209 * must be removed so that libkrb5 can take the defaults from krb5.conf */
7168e7f9 210@@ -174,6 +174,7 @@ static void revert_changepw_options(krb5
dd3b701a
JB
211 }
212
38af2cc5 213
dd3b701a
JB
214+#ifdef HAVE_PAC_RESPONDER
215 static errno_t sss_send_pac(krb5_authdata **pac_authdata)
216 {
217 struct sss_cli_req_data sss_data;
7168e7f9 218@@ -193,6 +194,7 @@ static errno_t sss_send_pac(krb5_authdat
dd3b701a
JB
219
220 return EOK;
221 }
222+#endif /* HAVE_PAC_RESPONDER */
223
224 static void sss_krb5_expire_callback_func(krb5_context context, void *data,
225 krb5_timestamp password_expiration,
7168e7f9 226@@ -484,7 +486,8 @@ static krb5_error_code create_empty_cred
dd3b701a
JB
227 {
228 krb5_error_code kerr;
229 krb5_creds *cred = NULL;
230- krb5_data *krb5_realm;
231+ const char *realm_name;
232+ int realm_length;
233
234 cred = calloc(sizeof(krb5_creds), 1);
235 if (cred == NULL) {
7168e7f9 236@@ -498,12 +501,12 @@ static krb5_error_code create_empty_cred
dd3b701a
JB
237 goto done;
238 }
239
240- krb5_realm = krb5_princ_realm(ctx, princ);
241+ sss_krb5_princ_realm(ctx, princ, &realm_name, &realm_length);
242
243 kerr = krb5_build_principal_ext(ctx, &cred->server,
244- krb5_realm->length, krb5_realm->data,
245+ realm_length, realm_name,
246 KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
247- krb5_realm->length, krb5_realm->data, 0);
248+ realm_length, realm_name, 0);
249 if (kerr != 0) {
38af2cc5 250 DEBUG(SSSDBG_CRIT_FAILURE, "krb5_build_principal_ext failed.\n");
dd3b701a 251 goto done;
7168e7f9 252@@ -762,7 +765,8 @@ static errno_t add_ticket_times_and_upn_
dd3b701a
JB
253 goto done;
254 }
255
256- kerr = krb5_unparse_name_ext(kr->ctx, kr->creds->client, &upn, &upn_len);
257+ kerr = sss_krb5_unparse_name_ext(kr->ctx, kr->creds->client,
258+ &upn, &upn_len);
259 if (kerr != 0) {
38af2cc5 260 DEBUG(SSSDBG_OP_FAILURE, "krb5_unparse_name failed.\n");
dd3b701a 261 goto done;
7168e7f9 262@@ -770,7 +774,7 @@ static errno_t add_ticket_times_and_upn_
dd3b701a
JB
263
264 ret = pam_add_response(kr->pd, SSS_KRB5_INFO_UPN, upn_len,
265 (uint8_t *) upn);
266- krb5_free_unparsed_name(kr->ctx, upn);
267+ sss_krb5_free_unparsed_name(kr->ctx, upn);
268 if (ret != EOK) {
38af2cc5 269 DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
dd3b701a 270 goto done;
7168e7f9 271@@ -792,7 +796,9 @@ static krb5_error_code validate_tgt(stru
dd3b701a
JB
272 krb5_principal validation_princ = NULL;
273 bool realm_entry_found = false;
274 krb5_ccache validation_ccache = NULL;
275+#ifdef HAVE_PAC_RESPONDER
276 krb5_authdata **pac_authdata = NULL;
277+#endif
278
279 memset(&keytab, 0, sizeof(keytab));
280 kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
7168e7f9 281@@ -886,6 +892,7 @@ static krb5_error_code validate_tgt(stru
dd3b701a
JB
282 goto done;
283 }
284
285+#ifdef HAVE_PAC_RESPONDER
286 /* Try to find and send the PAC to the PAC responder.
287 * Failures are not critical. */
288 if (kr->send_pac) {
7168e7f9 289@@ -908,6 +915,7 @@ static krb5_error_code validate_tgt(stru
dd3b701a 290 kerr = 0;
f74665dc 291 }
dd3b701a
JB
292 }
293+#endif /* HAVE_PAC_RESPONDER */
294
295 done:
296 if (validation_ccache != NULL) {
7168e7f9 297@@ -943,7 +951,7 @@ static krb5_error_code get_and_save_tgt_
dd3b701a
JB
298 krb5_get_init_creds_opt_set_address_list(&options, NULL);
299 krb5_get_init_creds_opt_set_forwardable(&options, 0);
300 krb5_get_init_creds_opt_set_proxiable(&options, 0);
38af2cc5
JB
301- set_canonicalize_option(&options);
302+ set_canonicalize_option(ctx, &options);
f74665dc 303
dd3b701a
JB
304 kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
305 &options);
7168e7f9 306@@ -1149,7 +1157,7 @@ static errno_t changepw_child(struct krb
3278078b
JB
307 prompter = sss_krb5_prompter;
308 }
309
310- set_changepw_options(kr->options);
311+ set_changepw_options(kr->ctx, kr->options);
312 sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
7168e7f9
JB
313 if (realm_length == 0) {
314 DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n");
315@@ -1201,9 +1209,9 @@ static errno_t changepw_child(struct krb
dd3b701a
JB
316
317 memset(&result_code_string, 0, sizeof(krb5_data));
318 memset(&result_string, 0, sizeof(krb5_data));
319- kerr = krb5_change_password(kr->ctx, kr->creds,
320- discard_const(newpassword), &result_code,
321- &result_code_string, &result_string);
322+ kerr = krb5_set_password(kr->ctx, kr->creds,
323+ discard_const(newpassword), NULL,
324+ &result_code, &result_code_string, &result_string);
325
326 if (kerr == KRB5_KDC_UNREACH) {
327 return ERR_NETWORK_IO;
7168e7f9 328@@ -1217,7 +1225,7 @@ static errno_t changepw_child(struct krb
dd3b701a 329 if (result_code_string.length > 0) {
38af2cc5
JB
330 DEBUG(SSSDBG_CRIT_FAILURE,
331 "krb5_change_password failed [%d][%.*s].\n", result_code,
332- result_code_string.length, result_code_string.data);
333+ (int) result_code_string.length, (char *) result_code_string.data);
dd3b701a
JB
334 user_error_message = talloc_strndup(kr->pd, result_code_string.data,
335 result_code_string.length);
336 if (user_error_message == NULL) {
7168e7f9 337@@ -1225,10 +1233,10 @@ static errno_t changepw_child(struct krb
dd3b701a 338 }
f74665dc 339 }
dd3b701a
JB
340
341- if (result_string.length > 0 && result_string.data[0] != '\0') {
38af2cc5
JB
342+ if (result_string.length > 0 && ((char *) result_string.data)[0] != '\0') {
343 DEBUG(SSSDBG_CRIT_FAILURE,
344 "krb5_change_password failed [%d][%.*s].\n", result_code,
345- result_string.length, result_string.data);
346+ (int) result_string.length, (char *) result_string.data);
dd3b701a
JB
347 talloc_free(user_error_message);
348 user_error_message = talloc_strndup(kr->pd, result_string.data,
349 result_string.length);
7168e7f9 350@@ -1279,7 +1287,7 @@ static errno_t changepw_child(struct krb
38af2cc5
JB
351
352 /* We changed some of the gic options for the password change, now we have
353 * to change them back to get a fresh TGT. */
354- revert_changepw_options(kr->options);
355+ revert_changepw_options(kr->ctx, kr->options);
356
357 kerr = get_and_save_tgt(kr, newpassword);
358
7168e7f9 359@@ -1339,7 +1347,7 @@ static errno_t tgt_req_child(struct krb5
3278078b
JB
360 "Failed to unset expire callback, continue ...\n");
361 }
362
363- set_changepw_options(kr->options);
364+ set_changepw_options(kr->ctx, kr->options);
365 kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
366 discard_const(password),
367 sss_krb5_prompter, kr, 0,
7168e7f9 368@@ -1919,7 +1927,8 @@ static errno_t k5c_recv_data(struct krb5
38af2cc5 369 static int k5c_setup_fast(struct krb5_req *kr, bool demand)
f74665dc 370 {
dd3b701a
JB
371 krb5_principal fast_princ_struct;
372- krb5_data *realm_data;
373+ const char *realm_name;
374+ int realm_length;
375 char *fast_principal_realm;
376 char *fast_principal;
f74665dc 377 krb5_error_code kerr;
7168e7f9 378@@ -1948,8 +1957,11 @@ static int k5c_setup_fast(struct krb5_re
dd3b701a
JB
379 return KRB5KRB_ERR_GENERIC;
380 }
381 free(tmp_str);
382- realm_data = krb5_princ_realm(kr->ctx, fast_princ_struct);
383- fast_principal_realm = talloc_asprintf(kr, "%.*s", realm_data->length, realm_data->data);
384+ sss_krb5_princ_realm(kr->ctx, fast_princ_struct,
385+ &realm_name, &realm_length);
386+
387+ fast_principal_realm = talloc_asprintf(kr, "%.*s",
388+ realm_length, realm_name);
389 if (!fast_principal_realm) {
38af2cc5 390 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
dd3b701a 391 return ENOMEM;
7168e7f9 392@@ -2235,7 +2247,7 @@ static int k5c_setup(struct krb5_req *kr
dd3b701a
JB
393 }
394
395 if (!offline) {
38af2cc5
JB
396- set_canonicalize_option(kr->options);
397+ set_canonicalize_option(kr->ctx, kr->options);
7168e7f9 398 }
dd3b701a 399
7168e7f9 400 /* TODO: set options, e.g.
38af2cc5
JB
401--- sssd-1.11.6/src/providers/krb5/krb5_common.c.orig 2014-06-03 16:31:33.000000000 +0200
402+++ sssd-1.11.6/src/providers/krb5/krb5_common.c 2014-06-18 22:23:18.480672769 +0200
dd3b701a
JB
403@@ -33,7 +33,7 @@
404 #include "providers/krb5/krb5_opts.h"
405 #include "providers/krb5/krb5_utils.h"
406
407-#ifdef HAVE_KRB5_CC_COLLECTION
408+#ifdef HAVE_PROFILE_H
409 /* krb5 profile functions */
410 #include <profile.h>
411 #endif
412@@ -91,7 +91,7 @@ done:
413 return ret;
414 }
415
416-#ifdef HAVE_KRB5_CC_COLLECTION
417+#ifdef HAVE_PROFILE_H
418 /* source default_ccache_name from krb5.conf */
419 static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
420 char **ccname)
38af2cc5 421@@ -912,7 +912,7 @@ errno_t krb5_install_offline_callback(st
dd3b701a
JB
422 {
423 int ret;
424 struct remove_info_files_ctx *ctx;
425- const char *krb5_realm;
426+ const char *krb5_realm_str;
427
428 if (krb5_ctx->service == NULL || krb5_ctx->service->name == NULL) {
38af2cc5
JB
429 DEBUG(SSSDBG_CRIT_FAILURE, "Missing KDC service name!\n");
430@@ -925,14 +925,14 @@ errno_t krb5_install_offline_callback(st
dd3b701a
JB
431 return ENOMEM;
432 }
433
434- krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
435- if (krb5_realm == NULL) {
436+ krb5_realm_str = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
437+ if (krb5_realm_str == NULL) {
38af2cc5 438 DEBUG(SSSDBG_CRIT_FAILURE, "Missing krb5_realm option!\n");
dd3b701a
JB
439 ret = EINVAL;
440 goto done;
441 }
442
443- ctx->realm = talloc_strdup(ctx, krb5_realm);
444+ ctx->realm = talloc_strdup(ctx, krb5_realm_str);
445 if (ctx->realm == NULL) {
38af2cc5 446 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
dd3b701a 447 ret = ENOMEM;
38af2cc5 448@@ -967,19 +967,19 @@ done:
dd3b701a
JB
449 errno_t krb5_install_sigterm_handler(struct tevent_context *ev,
450 struct krb5_ctx *krb5_ctx)
451 {
452- const char *krb5_realm;
453+ const char *krb5_realm_str;
454 char *sig_realm;
455 struct tevent_signal *sige;
456
457 BlockSignals(false, SIGTERM);
458
459- krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
460- if (krb5_realm == NULL) {
461+ krb5_realm_str = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
462+ if (krb5_realm_str == NULL) {
38af2cc5 463 DEBUG(SSSDBG_CRIT_FAILURE, "Missing krb5_realm option!\n");
dd3b701a
JB
464 return EINVAL;
465 }
466
467- sig_realm = talloc_strdup(krb5_ctx, krb5_realm);
468+ sig_realm = talloc_strdup(krb5_ctx, krb5_realm_str);
469 if (sig_realm == NULL) {
38af2cc5 470 DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
dd3b701a 471 return ENOMEM;
38af2cc5
JB
472--- sssd-1.11.6/src/providers/krb5/krb5_init.c.orig 2014-06-03 16:31:33.000000000 +0200
473+++ sssd-1.11.6/src/providers/krb5/krb5_init.c 2014-06-18 22:43:53.080647036 +0200
474@@ -64,7 +64,7 @@ int sssm_krb5_auth_init(struct be_ctx *b
dd3b701a
JB
475 const char *krb5_backup_servers;
476 const char *krb5_kpasswd_servers;
477 const char *krb5_backup_kpasswd_servers;
478- const char *krb5_realm;
479+ const char *krb5_realm_str;
480 const char *errstr;
481 int errval;
482 int errpos;
38af2cc5 483@@ -103,15 +103,15 @@ int sssm_krb5_auth_init(struct be_ctx *b
dd3b701a
JB
484 krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
485 krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC);
486
487- krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM);
488- if (krb5_realm == NULL) {
489+ krb5_realm_str = dp_opt_get_string(ctx->opts, KRB5_REALM);
490+ if (krb5_realm_str == NULL) {
38af2cc5 491 DEBUG(SSSDBG_FATAL_FAILURE, "Missing krb5_realm option!\n");
dd3b701a
JB
492 return EINVAL;
493 }
494
495 ret = krb5_service_init(ctx, bectx,
496 SSS_KRB5KDC_FO_SRV, krb5_servers,
497- krb5_backup_servers, krb5_realm,
498+ krb5_backup_servers, krb5_realm_str,
499 dp_opt_get_bool(krb5_options->opts,
500 KRB5_USE_KDCINFO),
501 &ctx->service);
38af2cc5 502@@ -138,7 +138,7 @@ int sssm_krb5_auth_init(struct be_ctx *b
dd3b701a
JB
503 } else {
504 ret = krb5_service_init(ctx, bectx,
505 SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers,
506- krb5_backup_kpasswd_servers, krb5_realm,
507+ krb5_backup_kpasswd_servers, krb5_realm_str,
508 dp_opt_get_bool(krb5_options->opts,
509 KRB5_USE_KDCINFO),
510 &ctx->kpasswd_service);
7168e7f9
JB
511--- sssd-1.12.3/src/providers/ldap/ldap_child.c.orig 2015-01-08 18:19:45.000000000 +0100
512+++ sssd-1.12.3/src/providers/ldap/ldap_child.c 2015-01-12 16:27:54.035711695 +0100
513@@ -99,7 +99,7 @@ static errno_t unpack_buffer(uint8_t *bu
dd3b701a
JB
514
515 /* ticket lifetime */
7168e7f9
JB
516 SAFEALIGN_COPY_UINT32_CHECK(&ibuf->lifetime, buf + p, size, &p);
517- DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %u\n", ibuf->lifetime);
518+ DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %ld\n", (long)(ibuf->lifetime));
dd3b701a 519
7168e7f9
JB
520 /* UID and GID to run as */
521 SAFEALIGN_COPY_UINT32_CHECK(&ibuf->uid, buf + p, size, &p);
522@@ -386,7 +386,8 @@ static krb5_error_code ldap_child_get_tg
38af2cc5 523 DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
dd3b701a
JB
524 canonicalize = 1;
525 }
526- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
527+ sss_krb5_get_init_creds_opt_set_canonicalize(context,
528+ &options, canonicalize);
529
7168e7f9
JB
530 ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
531 DB_PATH, realm_name);
532@@ -462,8 +463,7 @@ static krb5_error_code ldap_child_get_tg
dd3b701a 533 }
38af2cc5 534 DEBUG(SSSDBG_TRACE_INTERNAL, "credentials stored\n");
dd3b701a
JB
535
536-#ifdef HAVE_KRB5_GET_TIME_OFFSETS
537- krberr = krb5_get_time_offsets(context, &kdc_time_offset,
538+ krberr = sss_krb5_get_time_offsets(context, &kdc_time_offset,
539 &kdc_time_offset_usec);
540 if (krberr) {
38af2cc5 541 DEBUG(SSSDBG_OP_FAILURE, "Failed to get KDC time offset: %s\n",
7168e7f9 542@@ -475,10 +475,6 @@ static krb5_error_code ldap_child_get_tg
dd3b701a
JB
543 }
544 }
38af2cc5 545 DEBUG(SSSDBG_TRACE_INTERNAL, "Got KDC time offset\n");
dd3b701a
JB
546-#else
547- /* If we don't have this function, just assume no offset */
548- kdc_time_offset = 0;
549-#endif
f74665dc 550
7168e7f9
JB
551 DEBUG(SSSDBG_TRACE_INTERNAL,
552 "Renaming [%s] to [%s]\n", ccname_file_dummy, ccname_file);
38af2cc5
JB
553--- sssd-1.11.6/src/providers/ldap/ldap_common.c.orig 2014-06-03 16:31:33.000000000 +0200
554+++ sssd-1.11.6/src/providers/ldap/ldap_common.c 2014-06-19 07:33:38.193317867 +0200
555@@ -1303,7 +1303,7 @@ done:
dd3b701a
JB
556 static const char *
557 sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
558 {
559- char *krb5_realm = NULL;
560+ char *krb5_realm_str = NULL;
561 const char *realm = NULL;
562 krb5_error_code krberr;
563 krb5_context context = NULL;
38af2cc5 564@@ -1314,15 +1314,15 @@ sdap_gssapi_get_default_realm(TALLOC_CTX
dd3b701a
JB
565 goto done;
566 }
f74665dc 567
dd3b701a
JB
568- krberr = krb5_get_default_realm(context, &krb5_realm);
569+ krberr = krb5_get_default_realm(context, &krb5_realm_str);
570 if (krberr) {
38af2cc5
JB
571 DEBUG(SSSDBG_OP_FAILURE, "Failed to get default realm name: %s\n",
572 sss_krb5_get_error_message(context, krberr));
dd3b701a
JB
573 goto done;
574 }
575
576- realm = talloc_strdup(mem_ctx, krb5_realm);
577- krb5_free_default_realm(context, krb5_realm);
578+ realm = talloc_strdup(mem_ctx, krb5_realm_str);
579+ krb5_free_default_realm(context, krb5_realm_str);
580 if (!realm) {
38af2cc5 581 DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory\n");
dd3b701a 582 goto done;
38af2cc5 583@@ -1343,7 +1343,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
dd3b701a
JB
584 int ret;
585 const char *krb5_servers;
586 const char *krb5_backup_servers;
587- const char *krb5_realm;
588+ const char *krb5_realm_str;
589 const char *krb5_opt_realm;
590 struct krb5_service *service = NULL;
591 TALLOC_CTX *tmp_ctx;
38af2cc5 592@@ -1358,16 +1358,16 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
dd3b701a 593 if (krb5_opt_realm == NULL) {
38af2cc5
JB
594 DEBUG(SSSDBG_OP_FAILURE,
595 "Missing krb5_realm option, will use libkrb default\n");
dd3b701a
JB
596- krb5_realm = sdap_gssapi_get_default_realm(tmp_ctx);
597- if (krb5_realm == NULL) {
598+ krb5_realm_str = sdap_gssapi_get_default_realm(tmp_ctx);
599+ if (krb5_realm_str == NULL) {
38af2cc5
JB
600 DEBUG(SSSDBG_FATAL_FAILURE,
601 "Cannot determine the Kerberos realm, aborting\n");
dd3b701a
JB
602 ret = EIO;
603 goto done;
f74665dc 604 }
dd3b701a
JB
605 } else {
606- krb5_realm = talloc_strdup(tmp_ctx, krb5_opt_realm);
607- if (krb5_realm == NULL) {
608+ krb5_realm_str = talloc_strdup(tmp_ctx, krb5_opt_realm);
609+ if (krb5_realm_str == NULL) {
610 ret = ENOMEM;
611 goto done;
f74665dc 612 }
38af2cc5 613@@ -1375,7 +1375,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
f74665dc 614
dd3b701a
JB
615 ret = krb5_service_init(mem_ctx, bectx,
616 SSS_KRB5KDC_FO_SRV, krb5_servers,
617- krb5_backup_servers, krb5_realm,
618+ krb5_backup_servers, krb5_realm_str,
619 dp_opt_get_bool(opts,
620 SDAP_KRB5_USE_KDCINFO),
621 &service);
38af2cc5 622@@ -1384,14 +1384,14 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
dd3b701a
JB
623 goto done;
624 }
625
626- ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm);
627+ ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm_str);
628 if (ret != EOK) {
38af2cc5 629 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n");
dd3b701a
JB
630 goto done;
631 }
632
633 ret = sdap_install_offline_callback(mem_ctx, bectx,
634- krb5_realm, SSS_KRB5KDC_FO_SRV);
635+ krb5_realm_str, SSS_KRB5KDC_FO_SRV);
636 if (ret != EOK) {
38af2cc5 637 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n");
dd3b701a 638 goto done;
dd3b701a
JB
639diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
640index 0c6b68b..102827e 100644
641--- a/src/tests/krb5_child-test.c
642+++ b/src/tests/krb5_child-test.c
643@@ -290,17 +290,17 @@ child_done(struct tevent_req *req)
644 static void
645 printtime(krb5_timestamp ts)
646 {
647+#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING
648 krb5_error_code kret;
649 char timestring[BUFSIZ];
650 char fill = '\0';
651
652-#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING
653 kret = krb5_timestamp_to_sfstring(ts, timestring, BUFSIZ, &fill);
654 if (kret) {
655 KRB5_CHILD_TEST_DEBUG(SSSDBG_OP_FAILURE, kret);
656 }
657 printf("%s", timestring);
658-#else
659+#elif defined(HAVE_KRB5_FORMAT_TIME)
660 printf("%s", ctime(&ts));
661 #endif /* HAVE_KRB5_TIMESTAMP_TO_SFSTRING */
662 }
663@@ -333,8 +333,8 @@ print_creds(krb5_context kcontext, krb5_creds *cred, const char *defname)
664 }
f74665dc 665
666 done:
dd3b701a
JB
667- krb5_free_unparsed_name(kcontext, name);
668- krb5_free_unparsed_name(kcontext, sname);
669+ sss_krb5_free_unparsed_name(kcontext, name);
670+ sss_krb5_free_unparsed_name(kcontext, sname);
671 }
672
673 static errno_t
674@@ -381,7 +381,7 @@ print_ccache(const char *cc)
675 ret = EOK;
676 done:
677 krb5_cc_close(kcontext, cache);
678- krb5_free_unparsed_name(kcontext, defname);
679+ sss_krb5_free_unparsed_name(kcontext, defname);
680 krb5_free_principal(kcontext, princ);
681 krb5_free_context(kcontext);
682 return ret;
683diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
684index f8a7e6f..a954d10 100644
685--- a/src/util/sss_krb5.c
686+++ b/src/util/sss_krb5.c
7168e7f9 687@@ -484,7 +484,9 @@ void KRB5_CALLCONV sss_krb5_get_init_cre
dd3b701a
JB
688
689 void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
690 {
691-#ifdef HAVE_KRB5_FREE_UNPARSED_NAME
692+#ifdef HAVE_KRB5_XFREE
693+ krb5_xfree(name);
694+#elif HAVE_KRB5_FREE_UNPARSED_NAME
695 krb5_free_unparsed_name(context, name);
696 #else
697 if (name != NULL) {
7168e7f9 698@@ -494,6 +496,15 @@ void KRB5_CALLCONV sss_krb5_free_unparse
dd3b701a
JB
699 #endif
700 }
701
702+void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val)
703+{
704+/* TODO: ensure at least on is available in krb5.m4 */
705+#ifdef HAVE_KRB5_FREE_STRING
706+ krb5_free_string(ctx, val);
707+#elif HAVE_KRB5_XFREE
708+ (void) krb5_xfree(val);
709+#endif
710+}
711
712 krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_expire_callback(
713 krb5_context context,
7168e7f9 714@@ -752,15 +763,16 @@ cleanup:
dd3b701a
JB
715 #endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */
716 }
717
718-void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
719+void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx,
720+ krb5_get_init_creds_opt *opts,
721 int canonicalize)
722 {
723- /* FIXME: The extra check for HAVE_KRB5_TICKET_TIMES is a workaround due to Heimdal
724- * defining krb5_get_init_creds_opt_set_canonicalize() with a different set of
725- * arguments. We should use a better configure check in the future.
726- */
727-#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && defined(HAVE_KRB5_TICKET_TIMES)
728+#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \
729+ KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 2
730 krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
731+#elif defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \
732+ KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 3
733+ (void) krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);
734 #else
7168e7f9 735 DEBUG(SSSDBG_OP_FAILURE, "Kerberos principal canonicalization is not available!\n");
dd3b701a 736 #endif
7168e7f9 737@@ -1022,7 +1034,7 @@ done:
dd3b701a
JB
738 KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr);
739 }
f74665dc 740 }
dd3b701a
JB
741- krb5_free_string(ctx, tmp_ccname);
742+ sss_krb5_free_string(ctx, tmp_ccname);
743
744 return ret_ccname;
745 #else
7168e7f9
JB
746@@ -1069,3 +1081,44 @@ krb5_error_code sss_krb5_kt_have_content
747 return 0;
748 #endif
dd3b701a
JB
749 }
750+
751+krb5_error_code KRB5_CALLCONV
752+sss_krb5_unparse_name_ext(krb5_context ctx,
753+ krb5_const_principal principal,
754+ char **name,
755+ unsigned int *len)
756+{
757+ krb5_error_code kerr;
758+
759+#ifdef HAVE_KRB5_UNPARSE_NAME_EXT
760+ kerr = krb5_unparse_name_ext(ctx, principal, name, len);
761+#else
762+ kerr = krb5_unparse_name(ctx, principal, name);
763+ if (kerr == 0 && *name)
764+ *len = strlen(*name);
765+#endif /* HAVE_KRB5_UNPARSE_NAME_EXT */
766+
767+ return kerr;
768+}
769+
770+krb5_error_code KRB5_CALLCONV
771+sss_krb5_get_time_offsets(krb5_context ctx,
772+ krb5_timestamp *seconds,
773+ int32_t *microseconds)
774+{
775+#if defined(HAVE_KRB5_GET_TIME_OFFSETS)
776+ return krb5_get_time_offsets(ctx, seconds, microseconds);
777+#elif defined(HAVE_KRB5_GET_KDC_SEC_OFFSET)
778+ int32_t _seconds;
779+ krb5_error_code ret;
780+
781+ ret = krb5_get_kdc_sec_offset(ctx, &_seconds, microseconds);
782+ *seconds = _seconds;
783+ return ret;
784+#else
785+ (void) ctx;
786+ *seconds = 0;
787+ *microseconds = 0;
788+ return 0;
789+#endif
790+}
e1f3ee2a
ER
791--- sssd-1.13.4/src/util/sss_krb5.h~ 2016-05-01 12:23:18.000000000 +0300
792+++ sssd-1.13.4/src/util/sss_krb5.h 2016-05-01 12:24:04.615247459 +0300
7168e7f9 793@@ -70,6 +70,8 @@ void KRB5_CALLCONV sss_krb5_get_init_cre
dd3b701a
JB
794
795 void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name);
796
797+void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val);
798+
7168e7f9
JB
799 krb5_error_code find_principal_in_keytab(krb5_context ctx,
800 krb5_keytab keytab,
801 const char *pattern_primary,
802@@ -133,7 +135,8 @@ krb5_error_code
dd3b701a
JB
803 sss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
804 int flags, char **name);
805
806-void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
807+void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx,
808+ krb5_get_init_creds_opt *opts,
809 int canonicalize);
810
811 enum sss_krb5_cc_type {
7168e7f9 812@@ -164,6 +167,10 @@ typedef krb5_times sss_krb5_ticket_times
dd3b701a
JB
813 /* Redirect libkrb5 tracing towards our DEBUG statements */
814 errno_t sss_child_set_krb5_tracing(krb5_context ctx);
815
816+#ifndef HAVE_KRB5_AUTHDATATYPE
817+typedef int32_t krb5_authdatatype;
818+#endif
819+
820 krb5_error_code sss_krb5_find_authdata(krb5_context context,
821 krb5_authdata *const *ticket_authdata,
822 krb5_authdata *const *ap_req_authdata,
e1f3ee2a 823@@ -193,4 +193,14 @@
7168e7f9 824 krb5_keytab keytab);
e1f3ee2a
ER
825
826 bool sss_krb5_realm_has_proxy(const char *realm);
dd3b701a
JB
827+
828+krb5_error_code KRB5_CALLCONV
829+sss_krb5_unparse_name_ext(krb5_context ctx,
830+ krb5_const_principal principal,
831+ char **name,
832+ unsigned int *len);
833+krb5_error_code KRB5_CALLCONV
834+sss_krb5_get_time_offsets(krb5_context ctx,
835+ krb5_timestamp *seconds,
836+ int32_t *microseconds);
837 #endif /* __SSS_KRB5_H__ */
7168e7f9
JB
838--- sssd-1.12.3/src/providers/krb5/krb5_keytab.c.orig 2015-01-08 18:19:45.000000000 +0100
839+++ sssd-1.12.3/src/providers/krb5/krb5_keytab.c 2015-01-12 18:14:26.452110024 +0100
840@@ -25,6 +25,10 @@
841 #include "util/util.h"
842 #include "util/sss_krb5.h"
843
844+#ifndef MAX_KEYTAB_NAME_LEN
845+#define MAX_KEYTAB_NAME_LEN 1100
846+#endif
847+
848 krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
849 char *inp_keytab_file,
850 char **_mem_name,
bf8e7304
JB
851#--- sssd-1.11.4/src/external/pac_responder.m4.orig 2014-02-17 19:55:32.000000000 +0100
852#+++ sssd-1.11.4/src/external/pac_responder.m4 2014-03-22 17:59:50.707675270 +0100
853#@@ -21,7 +21,8 @@
854# Kerberos\ 5\ release\ 1.9* | \
855# Kerberos\ 5\ release\ 1.10* | \
856# Kerberos\ 5\ release\ 1.11* | \
857#- Kerberos\ 5\ release\ 1.12*)
858#+ Kerberos\ 5\ release\ 1.12* | \
859#+ heimdal\ *)
860# krb5_version_ok=yes
861# AC_MSG_RESULT([yes])
862# ;;
This page took 0.81194 seconds and 4 git commands to generate.