]> git.pld-linux.org Git - packages/sssd.git/blob - sssd-heimdal.patch
08c70910b4c1db46aab91d0d88194d5148b528dd
[packages/sssd.git] / sssd-heimdal.patch
1 diff --git a/src/external/krb5.m4 b/src/external/krb5.m4
2 index 1a50bf1..54c5883 100644
3 --- a/src/external/krb5.m4
4 +++ b/src/external/krb5.m4
5 @@ -37,8 +37,8 @@ SAVE_CFLAGS=$CFLAGS
6  SAVE_LIBS=$LIBS
7  CFLAGS="$CFLAGS $KRB5_CFLAGS"
8  LIBS="$LIBS $KRB5_LIBS"
9 -AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
10 -AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info], [], [],
11 +AC_CHECK_HEADERS([krb5.h krb5/krb5.h profile.h])
12 +AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info, krb5_authdatatype], [], [],
13                 [ #ifdef HAVE_KRB5_KRB5_H
14                   #include <krb5/krb5.h>
15                   #else
16 @@ -46,6 +46,7 @@ AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info], [], [],
17                   #endif
18                 ])
19  AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
20 +                krb5_unparse_name_ext \
21                  krb5_free_unparsed_name \
22                  krb5_get_init_creds_opt_set_expire_callback \
23                  krb5_get_init_creds_opt_set_fast_ccache_name \
24 @@ -59,12 +60,33 @@ AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
25                  krb5_kt_free_entry \
26                  krb5_princ_realm \
27                  krb5_get_time_offsets \
28 +                krb5_get_kdc_sec_offset \
29                  krb5_principal_get_realm \
30                  krb5_cc_cache_match \
31                  krb5_timestamp_to_sfstring \
32                  krb5_set_trace_callback \
33                  krb5_find_authdata \
34 -                krb5_cc_get_full_name])
35 +                krb5_cc_get_full_name \
36 +                krb5_free_string \
37 +                krb5_xfree])
38 +
39 +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
40 +                                      #include <krb5/krb5.h>
41 +                                      #else
42 +                                      #include <krb5.h>
43 +                                      #endif
44 +                                   ]],
45 +                                  [[ krb5_get_init_creds_opt_set_canonicalize(NULL, 0); ]])],
46 +                  [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [2], [number of arguments])])
47 +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
48 +                                      #include <krb5/krb5.h>
49 +                                      #else
50 +                                      #include <krb5.h>
51 +                                      #endif
52 +                                   ]],
53 +                                   [[ krb5_get_init_creds_opt_set_canonicalize(NULL, NULL, 0); ]])],
54 +                   [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [3], [number of arguments])])
55 +
56  CFLAGS=$SAVE_CFLAGS
57  LIBS=$SAVE_LIBS
58  
59 diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
60 index 725687d..586c7dd 100644
61 --- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
62 +++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
63 @@ -340,6 +340,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
64      switch (socktype) {
65          case SOCK_STREAM:
66          case SOCK_DGRAM:
67 +        case 0: /* any */
68              break;
69          default:
70              return KRB5_PLUGIN_NO_HANDLE;
71 @@ -374,7 +375,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
72                   ai->ai_family, ai->ai_socktype));
73  
74      if ((family == AF_UNSPEC || ai->ai_family == family) &&
75 -        ai->ai_socktype == socktype) {
76 +        (ai->ai_socktype == socktype || socktype == 0)) {
77  
78          ret = cbfunc(cbdata, socktype, ai->ai_addr);
79          if (ret != 0) {
80 --- sssd-1.11.6/src/providers/ad/ad_common.c.orig       2014-06-03 16:31:33.000000000 +0200
81 +++ sssd-1.11.6/src/providers/ad/ad_common.c    2014-06-18 21:33:34.690734956 +0200
82 @@ -536,7 +536,7 @@ errno_t
83  ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
84                   const char *primary_servers,
85                   const char *backup_servers,
86 -                 const char *krb5_realm,
87 +                 const char *krb5_realm_str,
88                   const char *ad_service,
89                   const char *ad_gc_service,
90                   const char *ad_domain,
91 @@ -596,13 +596,13 @@ ad_failover_init(TALLOC_CTX *mem_ctx, st
92      service->sdap->kinit_service_name = service->krb5_service->name;
93      service->gc->kinit_service_name = service->krb5_service->name;
94  
95 -    if (!krb5_realm) {
96 +    if (!krb5_realm_str) {
97          DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm set\n");
98          ret = EINVAL;
99          goto done;
100      }
101      service->krb5_service->realm =
102 -        talloc_strdup(service->krb5_service, krb5_realm);
103 +        talloc_strdup(service->krb5_service, krb5_realm_str);
104      if (!service->krb5_service->realm) {
105          ret = ENOMEM;
106          goto done;
107 @@ -810,7 +810,7 @@ ad_set_ad_id_options(struct ad_options *
108                       struct sdap_options *id_opts)
109  {
110      errno_t ret;
111 -    char *krb5_realm;
112 +    char *krb5_realm_str;
113      char *keytab_path;
114  
115      /* We only support Kerberos password policy with AD, so
116 @@ -825,20 +825,20 @@ ad_set_ad_id_options(struct ad_options *
117      }
118  
119      /* Set the Kerberos Realm for GSSAPI */
120 -    krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
121 -    if (!krb5_realm) {
122 +    krb5_realm_str = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
123 +    if (!krb5_realm_str) {
124          /* Should be impossible, this is set in ad_get_common_options() */
125          DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
126          ret = EINVAL;
127          goto done;
128      }
129  
130 -    ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm);
131 +    ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm_str);
132      if (ret != EOK) goto done;
133      DEBUG(SSSDBG_CONF_SETTINGS,
134            "Option %s set to %s\n",
135             id_opts->basic[SDAP_KRB5_REALM].opt_name,
136 -           krb5_realm);
137 +           krb5_realm_str);
138  
139      keytab_path = dp_opt_get_string(ad_opts->basic, AD_KEYTAB);
140      if (keytab_path) {
141 @@ -998,7 +998,7 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
142      errno_t ret;
143      struct dp_option *krb5_options;
144      const char *ad_servers;
145 -    const char *krb5_realm;
146 +    const char *krb5_realm_str;
147  
148      TALLOC_CTX *tmp_ctx = talloc_new(NULL);
149      if (!tmp_ctx) return ENOMEM;
150 @@ -1025,8 +1025,8 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
151  
152      /* Set krb5 realm */
153      /* Set the Kerberos Realm for GSSAPI */
154 -    krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
155 -    if (!krb5_realm) {
156 +    krb5_realm_str = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
157 +    if (!krb5_realm_str) {
158          /* Should be impossible, this is set in ad_get_common_options() */
159          DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
160          ret = EINVAL;
161 @@ -1036,12 +1036,12 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
162      /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
163       * been upper-cased in ad_common_options()
164       */
165 -    ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
166 +    ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm_str);
167      if (ret != EOK) goto done;
168      DEBUG(SSSDBG_CONF_SETTINGS,
169            "Option %s set to %s\n",
170             krb5_options[KRB5_REALM].opt_name,
171 -           krb5_realm);
172 +           krb5_realm_str);
173  
174      /* Set flag that controls whether we want to write the
175       * kdcinfo files at all
176 --- sssd-1.12.0/src/providers/krb5/krb5_child.c.orig    2014-07-09 19:44:02.000000000 +0200
177 +++ sssd-1.12.0/src/providers/krb5/krb5_child.c 2014-07-15 22:14:25.585419861 +0200
178 @@ -117,7 +117,7 @@ static krb5_error_code set_lifetime_opti
179      return 0;
180  }
181  
182 -static void set_canonicalize_option(krb5_get_init_creds_opt *opts)
183 +static void set_canonicalize_option(krb5_context ctx, krb5_get_init_creds_opt *opts)
184  {
185      int canonicalize = 0;
186      char *tmp_str;
187 @@ -128,23 +128,23 @@ static void set_canonicalize_option(krb5
188      }
189      DEBUG(SSSDBG_CONF_SETTINGS, "%s is set to [%s]\n",
190            SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set");
191 -    sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
192 +    sss_krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);
193  }
194  
195 -static void set_changepw_options(krb5_get_init_creds_opt *options)
196 +static void set_changepw_options(krb5_context ctx, krb5_get_init_creds_opt *options)
197  {
198 -    sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
199 +    sss_krb5_get_init_creds_opt_set_canonicalize(ctx, options, 0);
200      krb5_get_init_creds_opt_set_forwardable(options, 0);
201      krb5_get_init_creds_opt_set_proxiable(options, 0);
202      krb5_get_init_creds_opt_set_renew_life(options, 0);
203      krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
204  }
205  
206 -static void revert_changepw_options(krb5_get_init_creds_opt *options)
207 +static void revert_changepw_options(krb5_context ctx, krb5_get_init_creds_opt *options)
208  {
209      krb5_error_code kerr;
210  
211 -    set_canonicalize_option(options);
212 +    set_canonicalize_option(ctx, options);
213  
214      /* Currently we do not set forwardable and proxiable explicitly, the flags
215       * must be removed so that libkrb5 can take the defaults from krb5.conf */
216 @@ -158,6 +158,7 @@ static void revert_changepw_options(krb5
217  }
218  
219  
220 +#ifdef HAVE_PAC_RESPONDER
221  static errno_t sss_send_pac(krb5_authdata **pac_authdata)
222  {
223      struct sss_cli_req_data sss_data;
224 @@ -177,6 +178,7 @@ static errno_t sss_send_pac(krb5_authdat
225  
226      return EOK;
227  }
228 +#endif /* HAVE_PAC_RESPONDER */
229  
230  static void sss_krb5_expire_callback_func(krb5_context context, void *data,
231                                            krb5_timestamp password_expiration,
232 @@ -468,7 +470,8 @@ static krb5_error_code create_empty_cred
233  {
234      krb5_error_code kerr;
235      krb5_creds *cred = NULL;
236 -    krb5_data *krb5_realm;
237 +    const char *realm_name;
238 +    int realm_length;
239  
240      cred = calloc(sizeof(krb5_creds), 1);
241      if (cred == NULL) {
242 @@ -482,12 +485,12 @@ static krb5_error_code create_empty_cred
243          goto done;
244      }
245  
246 -    krb5_realm = krb5_princ_realm(ctx, princ);
247 +    sss_krb5_princ_realm(ctx, princ, &realm_name, &realm_length);
248  
249      kerr = krb5_build_principal_ext(ctx, &cred->server,
250 -                                    krb5_realm->length, krb5_realm->data,
251 +                                    realm_length, realm_name,
252                                      KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
253 -                                    krb5_realm->length, krb5_realm->data, 0);
254 +                                    realm_length, realm_name, 0);
255      if (kerr != 0) {
256          DEBUG(SSSDBG_CRIT_FAILURE, "krb5_build_principal_ext failed.\n");
257          goto done;
258 @@ -746,7 +749,8 @@ static errno_t add_ticket_times_and_upn_
259          goto done;
260      }
261  
262 -    kerr = krb5_unparse_name_ext(kr->ctx, kr->creds->client, &upn, &upn_len);
263 +    kerr = sss_krb5_unparse_name_ext(kr->ctx, kr->creds->client,
264 +                                     &upn, &upn_len);
265      if (kerr != 0) {
266          DEBUG(SSSDBG_OP_FAILURE, "krb5_unparse_name failed.\n");
267          goto done;
268 @@ -754,7 +758,7 @@ static errno_t add_ticket_times_and_upn_
269  
270      ret = pam_add_response(kr->pd, SSS_KRB5_INFO_UPN, upn_len,
271                             (uint8_t *) upn);
272 -    krb5_free_unparsed_name(kr->ctx, upn);
273 +    sss_krb5_free_unparsed_name(kr->ctx, upn);
274      if (ret != EOK) {
275          DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
276          goto done;
277 @@ -776,7 +780,9 @@ static krb5_error_code validate_tgt(stru
278      krb5_principal validation_princ = NULL;
279      bool realm_entry_found = false;
280      krb5_ccache validation_ccache = NULL;
281 +#ifdef HAVE_PAC_RESPONDER
282      krb5_authdata **pac_authdata = NULL;
283 +#endif
284  
285      memset(&keytab, 0, sizeof(keytab));
286      kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
287 @@ -870,6 +876,7 @@ static krb5_error_code validate_tgt(stru
288          goto done;
289      }
290  
291 +#ifdef HAVE_PAC_RESPONDER
292      /* Try to find and send the PAC to the PAC responder.
293       * Failures are not critical. */
294      if (kr->send_pac) {
295 @@ -892,6 +899,7 @@ static krb5_error_code validate_tgt(stru
296              kerr = 0;
297          }
298      }
299 +#endif /* HAVE_PAC_RESPONDER */
300  
301  done:
302      if (validation_ccache != NULL) {
303 @@ -927,7 +935,7 @@ static krb5_error_code get_and_save_tgt_
304      krb5_get_init_creds_opt_set_address_list(&options, NULL);
305      krb5_get_init_creds_opt_set_forwardable(&options, 0);
306      krb5_get_init_creds_opt_set_proxiable(&options, 0);
307 -    set_canonicalize_option(&options);
308 +    set_canonicalize_option(ctx, &options);
309  
310      kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
311                                        &options);
312 @@ -1110,7 +1118,7 @@ static errno_t changepw_child(struct krb
313          prompter = sss_krb5_prompter;
314      }
315  
316 -    set_changepw_options(kr->options);
317 +    set_changepw_options(kr->ctx, kr->options);
318      sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
319  
320      DEBUG(SSSDBG_TRACE_FUNC,
321 @@ -1158,9 +1166,9 @@ static errno_t changepw_child(struct krb
322  
323      memset(&result_code_string, 0, sizeof(krb5_data));
324      memset(&result_string, 0, sizeof(krb5_data));
325 -    kerr = krb5_change_password(kr->ctx, kr->creds,
326 -                                discard_const(newpassword), &result_code,
327 -                                &result_code_string, &result_string);
328 +    kerr = krb5_set_password(kr->ctx, kr->creds,
329 +                             discard_const(newpassword), NULL,
330 +                             &result_code, &result_code_string, &result_string);
331  
332      if (kerr == KRB5_KDC_UNREACH) {
333          return ERR_NETWORK_IO;
334 @@ -1174,7 +1182,7 @@ static errno_t changepw_child(struct krb
335          if (result_code_string.length > 0) {
336              DEBUG(SSSDBG_CRIT_FAILURE,
337                    "krb5_change_password failed [%d][%.*s].\n", result_code,
338 -                      result_code_string.length, result_code_string.data);
339 +                      (int) result_code_string.length, (char *) result_code_string.data);
340              user_error_message = talloc_strndup(kr->pd, result_code_string.data,
341                                                  result_code_string.length);
342              if (user_error_message == NULL) {
343 @@ -1182,10 +1190,10 @@ static errno_t changepw_child(struct krb
344              }
345          }
346  
347 -        if (result_string.length > 0 && result_string.data[0] != '\0') {
348 +        if (result_string.length > 0 && ((char *) result_string.data)[0] != '\0') {
349              DEBUG(SSSDBG_CRIT_FAILURE,
350                    "krb5_change_password failed [%d][%.*s].\n", result_code,
351 -                      result_string.length, result_string.data);
352 +                      (int) result_string.length, (char *) result_string.data);
353              talloc_free(user_error_message);
354              user_error_message = talloc_strndup(kr->pd, result_string.data,
355                                                  result_string.length);
356 @@ -1228,7 +1236,7 @@ static errno_t changepw_child(struct krb
357  
358      /* We changed some of the gic options for the password change, now we have
359       * to change them back to get a fresh TGT. */
360 -    revert_changepw_options(kr->options);
361 +    revert_changepw_options(kr->ctx, kr->options);
362  
363      kerr = get_and_save_tgt(kr, newpassword);
364  
365 @@ -1288,7 +1296,7 @@ static errno_t tgt_req_child(struct krb5
366                "Failed to unset expire callback, continue ...\n");
367      }
368  
369 -    set_changepw_options(kr->options);
370 +    set_changepw_options(kr->ctx, kr->options);
371      kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
372                                          discard_const(password),
373                                          sss_krb5_prompter, kr, 0,
374 @@ -1766,7 +1774,8 @@ static errno_t k5c_recv_data(struct krb5
375  static int k5c_setup_fast(struct krb5_req *kr, bool demand)
376  {
377      krb5_principal fast_princ_struct;
378 -    krb5_data *realm_data;
379 +    const char *realm_name;
380 +    int realm_length;
381      char *fast_principal_realm;
382      char *fast_principal;
383      krb5_error_code kerr;
384 @@ -1794,8 +1803,11 @@ static int k5c_setup_fast(struct krb5_re
385              return KRB5KRB_ERR_GENERIC;
386          }
387          free(tmp_str);
388 -        realm_data = krb5_princ_realm(kr->ctx, fast_princ_struct);
389 -        fast_principal_realm = talloc_asprintf(kr, "%.*s", realm_data->length, realm_data->data);
390 +        sss_krb5_princ_realm(kr->ctx, fast_princ_struct,
391 +                             &realm_name, &realm_length);
392 +
393 +        fast_principal_realm = talloc_asprintf(kr, "%.*s",
394 +                                               realm_length, realm_name);
395          if (!fast_principal_realm) {
396              DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
397              return ENOMEM;
398 @@ -1929,7 +1941,7 @@ static int k5c_setup(struct krb5_req *kr
399      }
400  
401      if (!offline) {
402 -        set_canonicalize_option(kr->options);
403 +        set_canonicalize_option(kr->ctx, kr->options);
404  
405          use_fast_str = getenv(SSSD_KRB5_USE_FAST);
406          if (use_fast_str == NULL || strcasecmp(use_fast_str, "never") == 0) {
407 --- sssd-1.11.6/src/providers/krb5/krb5_common.c.orig   2014-06-03 16:31:33.000000000 +0200
408 +++ sssd-1.11.6/src/providers/krb5/krb5_common.c        2014-06-18 22:23:18.480672769 +0200
409 @@ -33,7 +33,7 @@
410  #include "providers/krb5/krb5_opts.h"
411  #include "providers/krb5/krb5_utils.h"
412  
413 -#ifdef HAVE_KRB5_CC_COLLECTION
414 +#ifdef HAVE_PROFILE_H
415  /* krb5 profile functions */
416  #include <profile.h>
417  #endif
418 @@ -91,7 +91,7 @@ done:
419      return ret;
420  }
421  
422 -#ifdef HAVE_KRB5_CC_COLLECTION
423 +#ifdef HAVE_PROFILE_H
424  /* source default_ccache_name from krb5.conf */
425  static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
426                                                char **ccname)
427 @@ -912,7 +912,7 @@ errno_t krb5_install_offline_callback(st
428  {
429      int ret;
430      struct remove_info_files_ctx *ctx;
431 -    const char *krb5_realm;
432 +    const char *krb5_realm_str;
433  
434      if (krb5_ctx->service == NULL || krb5_ctx->service->name == NULL) {
435          DEBUG(SSSDBG_CRIT_FAILURE, "Missing KDC service name!\n");
436 @@ -925,14 +925,14 @@ errno_t krb5_install_offline_callback(st
437          return ENOMEM;
438      }
439  
440 -    krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
441 -    if (krb5_realm == NULL) {
442 +    krb5_realm_str = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
443 +    if (krb5_realm_str == NULL) {
444          DEBUG(SSSDBG_CRIT_FAILURE, "Missing krb5_realm option!\n");
445          ret = EINVAL;
446          goto done;
447      }
448  
449 -    ctx->realm = talloc_strdup(ctx, krb5_realm);
450 +    ctx->realm = talloc_strdup(ctx, krb5_realm_str);
451      if (ctx->realm == NULL) {
452          DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
453          ret = ENOMEM;
454 @@ -967,19 +967,19 @@ done:
455  errno_t krb5_install_sigterm_handler(struct tevent_context *ev,
456                                       struct krb5_ctx *krb5_ctx)
457  {
458 -    const char *krb5_realm;
459 +    const char *krb5_realm_str;
460      char *sig_realm;
461      struct tevent_signal *sige;
462  
463      BlockSignals(false, SIGTERM);
464  
465 -    krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
466 -    if (krb5_realm == NULL) {
467 +    krb5_realm_str = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
468 +    if (krb5_realm_str == NULL) {
469          DEBUG(SSSDBG_CRIT_FAILURE, "Missing krb5_realm option!\n");
470          return EINVAL;
471      }
472  
473 -    sig_realm = talloc_strdup(krb5_ctx, krb5_realm);
474 +    sig_realm = talloc_strdup(krb5_ctx, krb5_realm_str);
475      if (sig_realm == NULL) {
476          DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
477          return ENOMEM;
478 --- sssd-1.11.6/src/providers/krb5/krb5_init.c.orig     2014-06-03 16:31:33.000000000 +0200
479 +++ sssd-1.11.6/src/providers/krb5/krb5_init.c  2014-06-18 22:43:53.080647036 +0200
480 @@ -64,7 +64,7 @@ int sssm_krb5_auth_init(struct be_ctx *b
481      const char *krb5_backup_servers;
482      const char *krb5_kpasswd_servers;
483      const char *krb5_backup_kpasswd_servers;
484 -    const char *krb5_realm;
485 +    const char *krb5_realm_str;
486      const char *errstr;
487      int errval;
488      int errpos;
489 @@ -103,15 +103,15 @@ int sssm_krb5_auth_init(struct be_ctx *b
490      krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
491      krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC);
492  
493 -    krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM);
494 -    if (krb5_realm == NULL) {
495 +    krb5_realm_str = dp_opt_get_string(ctx->opts, KRB5_REALM);
496 +    if (krb5_realm_str == NULL) {
497          DEBUG(SSSDBG_FATAL_FAILURE, "Missing krb5_realm option!\n");
498          return EINVAL;
499      }
500  
501      ret = krb5_service_init(ctx, bectx,
502                              SSS_KRB5KDC_FO_SRV, krb5_servers,
503 -                            krb5_backup_servers, krb5_realm,
504 +                            krb5_backup_servers, krb5_realm_str,
505                              dp_opt_get_bool(krb5_options->opts,
506                                              KRB5_USE_KDCINFO),
507                              &ctx->service);
508 @@ -138,7 +138,7 @@ int sssm_krb5_auth_init(struct be_ctx *b
509      } else {
510          ret = krb5_service_init(ctx, bectx,
511                                  SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers,
512 -                                krb5_backup_kpasswd_servers, krb5_realm,
513 +                                krb5_backup_kpasswd_servers, krb5_realm_str,
514                                  dp_opt_get_bool(krb5_options->opts,
515                                                  KRB5_USE_KDCINFO),
516                                  &ctx->kpasswd_service);
517 --- sssd-1.11.6/src/providers/ldap/ldap_child.c.orig    2014-06-03 16:31:33.000000000 +0200
518 +++ sssd-1.11.6/src/providers/ldap/ldap_child.c 2014-06-19 07:25:44.383327744 +0200
519 @@ -97,7 +97,7 @@ static errno_t unpack_buffer(uint8_t *bu
520  
521      /* ticket lifetime */
522      SAFEALIGN_COPY_INT32_CHECK(&ibuf->lifetime, buf + p, size, &p);
523 -    DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %d\n", ibuf->lifetime);
524 +    DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %d\n", (int)ibuf->lifetime);
525  
526      return EOK;
527  }
528 @@ -310,7 +310,8 @@ static krb5_error_code ldap_child_get_tg
529          DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
530          canonicalize = 1;
531      }
532 -    sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
533 +    sss_krb5_get_init_creds_opt_set_canonicalize(context,
534 +                                                 &options, canonicalize);
535  
536      krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
537                                          keytab, 0, NULL, &options);
538 @@ -343,8 +344,7 @@ static krb5_error_code ldap_child_get_tg
539      }
540      DEBUG(SSSDBG_TRACE_INTERNAL, "credentials stored\n");
541  
542 -#ifdef HAVE_KRB5_GET_TIME_OFFSETS
543 -    krberr = krb5_get_time_offsets(context, &kdc_time_offset,
544 +    krberr = sss_krb5_get_time_offsets(context, &kdc_time_offset,
545              &kdc_time_offset_usec);
546      if (krberr) {
547          DEBUG(SSSDBG_OP_FAILURE, "Failed to get KDC time offset: %s\n",
548 @@ -356,10 +356,6 @@ static krb5_error_code ldap_child_get_tg
549          }
550      }
551      DEBUG(SSSDBG_TRACE_INTERNAL, "Got KDC time offset\n");
552 -#else
553 -    /* If we don't have this function, just assume no offset */
554 -    kdc_time_offset = 0;
555 -#endif
556  
557      krberr = 0;
558      *ccname_out = ccname;
559 --- sssd-1.11.6/src/providers/ldap/ldap_common.c.orig   2014-06-03 16:31:33.000000000 +0200
560 +++ sssd-1.11.6/src/providers/ldap/ldap_common.c        2014-06-19 07:33:38.193317867 +0200
561 @@ -1303,7 +1303,7 @@ done:
562  static const char *
563  sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
564  {
565 -    char *krb5_realm = NULL;
566 +    char *krb5_realm_str = NULL;
567      const char *realm = NULL;
568      krb5_error_code krberr;
569      krb5_context context = NULL;
570 @@ -1314,15 +1314,15 @@ sdap_gssapi_get_default_realm(TALLOC_CTX
571          goto done;
572      }
573  
574 -    krberr = krb5_get_default_realm(context, &krb5_realm);
575 +    krberr = krb5_get_default_realm(context, &krb5_realm_str);
576      if (krberr) {
577          DEBUG(SSSDBG_OP_FAILURE, "Failed to get default realm name: %s\n",
578                    sss_krb5_get_error_message(context, krberr));
579          goto done;
580      }
581  
582 -    realm = talloc_strdup(mem_ctx, krb5_realm);
583 -    krb5_free_default_realm(context, krb5_realm);
584 +    realm = talloc_strdup(mem_ctx, krb5_realm_str);
585 +    krb5_free_default_realm(context, krb5_realm_str);
586      if (!realm) {
587          DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory\n");
588          goto done;
589 @@ -1343,7 +1343,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
590      int ret;
591      const char *krb5_servers;
592      const char *krb5_backup_servers;
593 -    const char *krb5_realm;
594 +    const char *krb5_realm_str;
595      const char *krb5_opt_realm;
596      struct krb5_service *service = NULL;
597      TALLOC_CTX *tmp_ctx;
598 @@ -1358,16 +1358,16 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
599      if (krb5_opt_realm == NULL) {
600          DEBUG(SSSDBG_OP_FAILURE,
601                "Missing krb5_realm option, will use libkrb default\n");
602 -        krb5_realm = sdap_gssapi_get_default_realm(tmp_ctx);
603 -        if (krb5_realm == NULL) {
604 +        krb5_realm_str = sdap_gssapi_get_default_realm(tmp_ctx);
605 +        if (krb5_realm_str == NULL) {
606              DEBUG(SSSDBG_FATAL_FAILURE,
607                    "Cannot determine the Kerberos realm, aborting\n");
608              ret = EIO;
609              goto done;
610          }
611      } else {
612 -        krb5_realm = talloc_strdup(tmp_ctx, krb5_opt_realm);
613 -        if (krb5_realm == NULL) {
614 +        krb5_realm_str = talloc_strdup(tmp_ctx, krb5_opt_realm);
615 +        if (krb5_realm_str == NULL) {
616              ret = ENOMEM;
617              goto done;
618          }
619 @@ -1375,7 +1375,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
620  
621      ret = krb5_service_init(mem_ctx, bectx,
622                              SSS_KRB5KDC_FO_SRV, krb5_servers,
623 -                            krb5_backup_servers, krb5_realm,
624 +                            krb5_backup_servers, krb5_realm_str,
625                              dp_opt_get_bool(opts,
626                                              SDAP_KRB5_USE_KDCINFO),
627                              &service);
628 @@ -1384,14 +1384,14 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
629          goto done;
630      }
631  
632 -    ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm);
633 +    ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm_str);
634      if (ret != EOK) {
635          DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n");
636          goto done;
637      }
638  
639      ret = sdap_install_offline_callback(mem_ctx, bectx,
640 -                                        krb5_realm, SSS_KRB5KDC_FO_SRV);
641 +                                        krb5_realm_str, SSS_KRB5KDC_FO_SRV);
642      if (ret != EOK) {
643          DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n");
644          goto done;
645 diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
646 index 0c6b68b..102827e 100644
647 --- a/src/tests/krb5_child-test.c
648 +++ b/src/tests/krb5_child-test.c
649 @@ -290,17 +290,17 @@ child_done(struct tevent_req *req)
650  static void
651  printtime(krb5_timestamp ts)
652  {
653 +#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING
654      krb5_error_code kret;
655      char timestring[BUFSIZ];
656      char fill = '\0';
657  
658 -#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING
659      kret = krb5_timestamp_to_sfstring(ts, timestring, BUFSIZ, &fill);
660      if (kret) {
661          KRB5_CHILD_TEST_DEBUG(SSSDBG_OP_FAILURE, kret);
662      }
663      printf("%s", timestring);
664 -#else
665 +#elif defined(HAVE_KRB5_FORMAT_TIME)
666      printf("%s", ctime(&ts));
667  #endif /* HAVE_KRB5_TIMESTAMP_TO_SFSTRING */
668  }
669 @@ -333,8 +333,8 @@ print_creds(krb5_context kcontext, krb5_creds *cred, const char *defname)
670      }
671  
672  done:
673 -    krb5_free_unparsed_name(kcontext, name);
674 -    krb5_free_unparsed_name(kcontext, sname);
675 +    sss_krb5_free_unparsed_name(kcontext, name);
676 +    sss_krb5_free_unparsed_name(kcontext, sname);
677  }
678  
679  static errno_t
680 @@ -381,7 +381,7 @@ print_ccache(const char *cc)
681      ret = EOK;
682  done:
683      krb5_cc_close(kcontext, cache);
684 -    krb5_free_unparsed_name(kcontext, defname);
685 +    sss_krb5_free_unparsed_name(kcontext, defname);
686      krb5_free_principal(kcontext, princ);
687      krb5_free_context(kcontext);
688      return ret;
689 diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
690 index f8a7e6f..a954d10 100644
691 --- a/src/util/sss_krb5.c
692 +++ b/src/util/sss_krb5.c
693 @@ -535,7 +535,9 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
694  
695  void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
696  {
697 -#ifdef HAVE_KRB5_FREE_UNPARSED_NAME
698 +#ifdef HAVE_KRB5_XFREE
699 +    krb5_xfree(name);
700 +#elif HAVE_KRB5_FREE_UNPARSED_NAME
701      krb5_free_unparsed_name(context, name);
702  #else
703      if (name != NULL) {
704 @@ -545,6 +547,15 @@ void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
705  #endif
706  }
707  
708 +void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val)
709 +{
710 +/* TODO: ensure at least on is available in krb5.m4 */
711 +#ifdef HAVE_KRB5_FREE_STRING
712 +    krb5_free_string(ctx, val);
713 +#elif HAVE_KRB5_XFREE
714 +    (void) krb5_xfree(val);
715 +#endif
716 +}
717  
718  krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_expire_callback(
719                                                     krb5_context context,
720 @@ -800,15 +811,16 @@ cleanup:
721  #endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */
722  }
723  
724 -void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
725 +void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx,
726 +                                                  krb5_get_init_creds_opt *opts,
727                                                    int canonicalize)
728  {
729 -    /* FIXME: The extra check for HAVE_KRB5_TICKET_TIMES is a workaround due to Heimdal
730 -     * defining krb5_get_init_creds_opt_set_canonicalize() with a different set of
731 -     * arguments. We should use a better configure check in the future.
732 -     */
733 -#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && defined(HAVE_KRB5_TICKET_TIMES)
734 +#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \
735 +    KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 2
736      krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
737 +#elif defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \
738 +    KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 3
739 +    (void) krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);
740  #else
741      DEBUG(SSSDBG_OP_FAILURE, ("Kerberos principal canonicalization is not available!\n"));
742  #endif
743 @@ -1063,10 +1075,51 @@ done:
744              KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr);
745          }
746      }
747 -    krb5_free_string(ctx, tmp_ccname);
748 +    sss_krb5_free_string(ctx, tmp_ccname);
749  
750      return ret_ccname;
751  #else
752      return NULL;
753  #endif /* HAVE_KRB5_CC_COLLECTION */
754  }
755 +
756 +krb5_error_code KRB5_CALLCONV
757 +sss_krb5_unparse_name_ext(krb5_context ctx,
758 +                          krb5_const_principal principal,
759 +                          char **name,
760 +                          unsigned int *len)
761 +{
762 +    krb5_error_code kerr;
763 +
764 +#ifdef HAVE_KRB5_UNPARSE_NAME_EXT
765 +    kerr = krb5_unparse_name_ext(ctx, principal, name, len);
766 +#else
767 +    kerr = krb5_unparse_name(ctx, principal, name);
768 +    if (kerr == 0 && *name)
769 +        *len = strlen(*name);
770 +#endif /* HAVE_KRB5_UNPARSE_NAME_EXT */
771 +
772 +    return kerr;
773 +}
774 +
775 +krb5_error_code KRB5_CALLCONV
776 +sss_krb5_get_time_offsets(krb5_context ctx,
777 +                          krb5_timestamp *seconds,
778 +                          int32_t *microseconds)
779 +{
780 +#if defined(HAVE_KRB5_GET_TIME_OFFSETS)
781 +    return krb5_get_time_offsets(ctx, seconds, microseconds);
782 +#elif defined(HAVE_KRB5_GET_KDC_SEC_OFFSET)
783 +    int32_t _seconds;
784 +    krb5_error_code ret;
785 +
786 +    ret = krb5_get_kdc_sec_offset(ctx, &_seconds, microseconds);
787 +    *seconds = _seconds;
788 +    return ret;
789 +#else
790 +    (void) ctx;
791 +    *seconds = 0;
792 +    *microseconds = 0;
793 +    return 0;
794 +#endif
795 +}
796 diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
797 index db47e0a..c7b9a69 100644
798 --- a/src/util/sss_krb5.h
799 +++ b/src/util/sss_krb5.h
800 @@ -70,6 +70,8 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
801  
802  void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name);
803  
804 +void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val);
805 +
806  int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
807                                krb5_context context, krb5_keytab keytab);
808  
809 @@ -136,7 +138,8 @@ krb5_error_code
810  sss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
811                              int flags, char **name);
812  
813 -void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
814 +void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx,
815 +                                                  krb5_get_init_creds_opt *opts,
816                                                    int canonicalize);
817  
818  enum sss_krb5_cc_type {
819 @@ -167,6 +170,10 @@ typedef krb5_times sss_krb5_ticket_times;
820  /* Redirect libkrb5 tracing towards our DEBUG statements */
821  errno_t sss_child_set_krb5_tracing(krb5_context ctx);
822  
823 +#ifndef HAVE_KRB5_AUTHDATATYPE
824 +typedef int32_t krb5_authdatatype;
825 +#endif
826 +
827  krb5_error_code sss_krb5_find_authdata(krb5_context context,
828                                         krb5_authdata *const *ticket_authdata,
829                                         krb5_authdata *const *ap_req_authdata,
830 @@ -184,4 +191,14 @@ char * sss_get_ccache_name_for_principal(TALLOC_CTX *mem_ctx,
831                                           krb5_context ctx,
832                                           krb5_principal principal,
833                                           const char *location);
834 +
835 +krb5_error_code KRB5_CALLCONV
836 +sss_krb5_unparse_name_ext(krb5_context ctx,
837 +                          krb5_const_principal principal,
838 +                          char **name,
839 +                          unsigned int *len);
840 +krb5_error_code KRB5_CALLCONV
841 +sss_krb5_get_time_offsets(krb5_context ctx,
842 +                          krb5_timestamp *seconds,
843 +                          int32_t *microseconds);
844  #endif /* __SSS_KRB5_H__ */
845 #--- sssd-1.11.4/src/external/pac_responder.m4.orig     2014-02-17 19:55:32.000000000 +0100
846 #+++ sssd-1.11.4/src/external/pac_responder.m4  2014-03-22 17:59:50.707675270 +0100
847 #@@ -21,7 +21,8 @@
848 #         Kerberos\ 5\ release\ 1.9* | \
849 #         Kerberos\ 5\ release\ 1.10* | \
850 #         Kerberos\ 5\ release\ 1.11* | \
851 #-        Kerberos\ 5\ release\ 1.12*)
852 #+        Kerberos\ 5\ release\ 1.12* | \
853 #+        heimdal\ *)
854 #             krb5_version_ok=yes
855 #             AC_MSG_RESULT([yes])
856 #             ;;
This page took 0.099321 seconds and 2 git commands to generate.