7be6c4227ce93b3044876d46874b9840a4c77988
[packages/sssd.git] / sssd-heimdal.patch
1 diff --git a/src/external/krb5.m4 b/src/external/krb5.m4
2 index 1a50bf1..54c5883 100644
3 --- a/src/external/krb5.m4
4 +++ b/src/external/krb5.m4
5 @@ -37,8 +37,8 @@ SAVE_CFLAGS=$CFLAGS
6  SAVE_LIBS=$LIBS
7  CFLAGS="$CFLAGS $KRB5_CFLAGS"
8  LIBS="$LIBS $KRB5_LIBS"
9 -AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
10 -AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info], [], [],
11 +AC_CHECK_HEADERS([krb5.h krb5/krb5.h profile.h])
12 +AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info, krb5_authdatatype], [], [],
13                 [ #ifdef HAVE_KRB5_KRB5_H
14                   #include <krb5/krb5.h>
15                   #else
16 @@ -46,6 +46,7 @@ AC_CHECK_TYPES([krb5_ticket_times, krb5_
17                   #endif
18                 ])
19  AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
20 +                krb5_unparse_name_ext \
21                  krb5_free_unparsed_name \
22                  krb5_get_init_creds_opt_set_expire_callback \
23                  krb5_get_init_creds_opt_set_fast_ccache_name \
24 @@ -65,7 +66,28 @@ AC_CHECK_FUNCS([krb5_get_init_creds_opt_
25                  krb5_set_trace_callback \
26                  krb5_find_authdata \
27                  krb5_kt_have_content \
28 +                krb5_get_kdc_sec_offset \
29 +                krb5_free_string \
30 +                krb5_xfree \
31                  krb5_cc_get_full_name])
32 +
33 +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
34 +                                      #include <krb5/krb5.h>
35 +                                      #else
36 +                                      #include <krb5.h>
37 +                                      #endif
38 +                                   ]],
39 +                                  [[ krb5_get_init_creds_opt_set_canonicalize(NULL, 0); ]])],
40 +                  [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [2], [number of arguments])])
41 +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
42 +                                      #include <krb5/krb5.h>
43 +                                      #else
44 +                                      #include <krb5.h>
45 +                                      #endif
46 +                                   ]],
47 +                                   [[ krb5_get_init_creds_opt_set_canonicalize(NULL, NULL, 0); ]])],
48 +                   [AC_DEFINE([KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS], [3], [number of arguments])])
49 +
50  CFLAGS=$SAVE_CFLAGS
51  LIBS=$SAVE_LIBS
52  CFLAGS="$CFLAGS $KRB5_CFLAGS"
53 diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
54 index 725687d..586c7dd 100644
55 --- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
56 +++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
57 @@ -340,6 +340,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
58      switch (socktype) {
59          case SOCK_STREAM:
60          case SOCK_DGRAM:
61 +        case 0: /* any */
62              break;
63          default:
64              return KRB5_PLUGIN_NO_HANDLE;
65 @@ -374,7 +375,7 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
66                   ai->ai_family, ai->ai_socktype));
67  
68      if ((family == AF_UNSPEC || ai->ai_family == family) &&
69 -        ai->ai_socktype == socktype) {
70 +        (ai->ai_socktype == socktype || socktype == 0)) {
71  
72          ret = cbfunc(cbdata, socktype, ai->ai_addr);
73          if (ret != 0) {
74 --- sssd-1.11.6/src/providers/ad/ad_common.c.orig       2014-06-03 16:31:33.000000000 +0200
75 +++ sssd-1.11.6/src/providers/ad/ad_common.c    2014-06-18 21:33:34.690734956 +0200
76 @@ -536,7 +536,7 @@ errno_t
77  ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
78                   const char *primary_servers,
79                   const char *backup_servers,
80 -                 const char *krb5_realm,
81 +                 const char *krb5_realm_str,
82                   const char *ad_service,
83                   const char *ad_gc_service,
84                   const char *ad_domain,
85 @@ -596,13 +596,13 @@ ad_failover_init(TALLOC_CTX *mem_ctx, st
86      service->sdap->kinit_service_name = service->krb5_service->name;
87      service->gc->kinit_service_name = service->krb5_service->name;
88  
89 -    if (!krb5_realm) {
90 +    if (!krb5_realm_str) {
91          DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm set\n");
92          ret = EINVAL;
93          goto done;
94      }
95      service->krb5_service->realm =
96 -        talloc_strdup(service->krb5_service, krb5_realm);
97 +        talloc_strdup(service->krb5_service, krb5_realm_str);
98      if (!service->krb5_service->realm) {
99          ret = ENOMEM;
100          goto done;
101 @@ -810,7 +810,7 @@ ad_set_ad_id_options(struct ad_options *
102                       struct sdap_options *id_opts)
103  {
104      errno_t ret;
105 -    char *krb5_realm;
106 +    char *krb5_realm_str;
107      char *keytab_path;
108  
109      /* We only support Kerberos password policy with AD, so
110 @@ -825,20 +825,20 @@ ad_set_ad_id_options(struct ad_options *
111      }
112  
113      /* Set the Kerberos Realm for GSSAPI */
114 -    krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
115 -    if (!krb5_realm) {
116 +    krb5_realm_str = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
117 +    if (!krb5_realm_str) {
118          /* Should be impossible, this is set in ad_get_common_options() */
119          DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
120          ret = EINVAL;
121          goto done;
122      }
123  
124 -    ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm);
125 +    ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm_str);
126      if (ret != EOK) goto done;
127      DEBUG(SSSDBG_CONF_SETTINGS,
128            "Option %s set to %s\n",
129             id_opts->basic[SDAP_KRB5_REALM].opt_name,
130 -           krb5_realm);
131 +           krb5_realm_str);
132  
133      keytab_path = dp_opt_get_string(ad_opts->basic, AD_KEYTAB);
134      if (keytab_path) {
135 @@ -998,7 +998,7 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
136      errno_t ret;
137      struct dp_option *krb5_options;
138      const char *ad_servers;
139 -    const char *krb5_realm;
140 +    const char *krb5_realm_str;
141  
142      TALLOC_CTX *tmp_ctx = talloc_new(NULL);
143      if (!tmp_ctx) return ENOMEM;
144 @@ -1025,8 +1025,8 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
145  
146      /* Set krb5 realm */
147      /* Set the Kerberos Realm for GSSAPI */
148 -    krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
149 -    if (!krb5_realm) {
150 +    krb5_realm_str = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM);
151 +    if (!krb5_realm_str) {
152          /* Should be impossible, this is set in ad_get_common_options() */
153          DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n");
154          ret = EINVAL;
155 @@ -1036,12 +1036,12 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
156      /* Force the kerberos realm to match the AD_KRB5_REALM (which may have
157       * been upper-cased in ad_common_options()
158       */
159 -    ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm);
160 +    ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm_str);
161      if (ret != EOK) goto done;
162      DEBUG(SSSDBG_CONF_SETTINGS,
163            "Option %s set to %s\n",
164             krb5_options[KRB5_REALM].opt_name,
165 -           krb5_realm);
166 +           krb5_realm_str);
167  
168      /* Set flag that controls whether we want to write the
169       * kdcinfo files at all
170 --- sssd-1.12.3/src/providers/krb5/krb5_child.c.orig    2015-01-08 18:19:45.000000000 +0100
171 +++ sssd-1.12.3/src/providers/krb5/krb5_child.c 2015-01-12 16:19:43.242398934 +0100
172 @@ -133,7 +133,7 @@ static krb5_error_code set_lifetime_opti
173      return 0;
174  }
175  
176 -static void set_canonicalize_option(krb5_get_init_creds_opt *opts)
177 +static void set_canonicalize_option(krb5_context ctx, krb5_get_init_creds_opt *opts)
178  {
179      int canonicalize = 0;
180      char *tmp_str;
181 @@ -144,23 +144,23 @@ static void set_canonicalize_option(krb5
182      }
183      DEBUG(SSSDBG_CONF_SETTINGS, "%s is set to [%s]\n",
184            SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set");
185 -    sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
186 +    sss_krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);
187  }
188  
189 -static void set_changepw_options(krb5_get_init_creds_opt *options)
190 +static void set_changepw_options(krb5_context ctx, krb5_get_init_creds_opt *options)
191  {
192 -    sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
193 +    sss_krb5_get_init_creds_opt_set_canonicalize(ctx, options, 0);
194      krb5_get_init_creds_opt_set_forwardable(options, 0);
195      krb5_get_init_creds_opt_set_proxiable(options, 0);
196      krb5_get_init_creds_opt_set_renew_life(options, 0);
197      krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
198  }
199  
200 -static void revert_changepw_options(krb5_get_init_creds_opt *options)
201 +static void revert_changepw_options(krb5_context ctx, krb5_get_init_creds_opt *options)
202  {
203      krb5_error_code kerr;
204  
205 -    set_canonicalize_option(options);
206 +    set_canonicalize_option(ctx, options);
207  
208      /* Currently we do not set forwardable and proxiable explicitly, the flags
209       * must be removed so that libkrb5 can take the defaults from krb5.conf */
210 @@ -174,6 +174,7 @@ static void revert_changepw_options(krb5
211  }
212  
213  
214 +#ifdef HAVE_PAC_RESPONDER
215  static errno_t sss_send_pac(krb5_authdata **pac_authdata)
216  {
217      struct sss_cli_req_data sss_data;
218 @@ -193,6 +194,7 @@ static errno_t sss_send_pac(krb5_authdat
219  
220      return EOK;
221  }
222 +#endif /* HAVE_PAC_RESPONDER */
223  
224  static void sss_krb5_expire_callback_func(krb5_context context, void *data,
225                                            krb5_timestamp password_expiration,
226 @@ -484,7 +486,8 @@ static krb5_error_code create_empty_cred
227  {
228      krb5_error_code kerr;
229      krb5_creds *cred = NULL;
230 -    krb5_data *krb5_realm;
231 +    const char *realm_name;
232 +    int realm_length;
233  
234      cred = calloc(sizeof(krb5_creds), 1);
235      if (cred == NULL) {
236 @@ -498,12 +501,12 @@ static krb5_error_code create_empty_cred
237          goto done;
238      }
239  
240 -    krb5_realm = krb5_princ_realm(ctx, princ);
241 +    sss_krb5_princ_realm(ctx, princ, &realm_name, &realm_length);
242  
243      kerr = krb5_build_principal_ext(ctx, &cred->server,
244 -                                    krb5_realm->length, krb5_realm->data,
245 +                                    realm_length, realm_name,
246                                      KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
247 -                                    krb5_realm->length, krb5_realm->data, 0);
248 +                                    realm_length, realm_name, 0);
249      if (kerr != 0) {
250          DEBUG(SSSDBG_CRIT_FAILURE, "krb5_build_principal_ext failed.\n");
251          goto done;
252 @@ -762,7 +765,8 @@ static errno_t add_ticket_times_and_upn_
253          goto done;
254      }
255  
256 -    kerr = krb5_unparse_name_ext(kr->ctx, kr->creds->client, &upn, &upn_len);
257 +    kerr = sss_krb5_unparse_name_ext(kr->ctx, kr->creds->client,
258 +                                     &upn, &upn_len);
259      if (kerr != 0) {
260          DEBUG(SSSDBG_OP_FAILURE, "krb5_unparse_name failed.\n");
261          goto done;
262 @@ -770,7 +774,7 @@ static errno_t add_ticket_times_and_upn_
263  
264      ret = pam_add_response(kr->pd, SSS_KRB5_INFO_UPN, upn_len,
265                             (uint8_t *) upn);
266 -    krb5_free_unparsed_name(kr->ctx, upn);
267 +    sss_krb5_free_unparsed_name(kr->ctx, upn);
268      if (ret != EOK) {
269          DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
270          goto done;
271 @@ -792,7 +796,9 @@ static krb5_error_code validate_tgt(stru
272      krb5_principal validation_princ = NULL;
273      bool realm_entry_found = false;
274      krb5_ccache validation_ccache = NULL;
275 +#ifdef HAVE_PAC_RESPONDER
276      krb5_authdata **pac_authdata = NULL;
277 +#endif
278  
279      memset(&keytab, 0, sizeof(keytab));
280      kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
281 @@ -886,6 +892,7 @@ static krb5_error_code validate_tgt(stru
282          goto done;
283      }
284  
285 +#ifdef HAVE_PAC_RESPONDER
286      /* Try to find and send the PAC to the PAC responder.
287       * Failures are not critical. */
288      if (kr->send_pac) {
289 @@ -908,6 +915,7 @@ static krb5_error_code validate_tgt(stru
290              kerr = 0;
291          }
292      }
293 +#endif /* HAVE_PAC_RESPONDER */
294  
295  done:
296      if (validation_ccache != NULL) {
297 @@ -943,7 +951,7 @@ static krb5_error_code get_and_save_tgt_
298      krb5_get_init_creds_opt_set_address_list(&options, NULL);
299      krb5_get_init_creds_opt_set_forwardable(&options, 0);
300      krb5_get_init_creds_opt_set_proxiable(&options, 0);
301 -    set_canonicalize_option(&options);
302 +    set_canonicalize_option(ctx, &options);
303  
304      kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
305                                        &options);
306 @@ -1149,7 +1157,7 @@ static errno_t changepw_child(struct krb
307          prompter = sss_krb5_prompter;
308      }
309  
310 -    set_changepw_options(kr->options);
311 +    set_changepw_options(kr->ctx, kr->options);
312      sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
313      if (realm_length == 0) {
314          DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n");
315 @@ -1201,9 +1209,9 @@ static errno_t changepw_child(struct krb
316  
317      memset(&result_code_string, 0, sizeof(krb5_data));
318      memset(&result_string, 0, sizeof(krb5_data));
319 -    kerr = krb5_change_password(kr->ctx, kr->creds,
320 -                                discard_const(newpassword), &result_code,
321 -                                &result_code_string, &result_string);
322 +    kerr = krb5_set_password(kr->ctx, kr->creds,
323 +                             discard_const(newpassword), NULL,
324 +                             &result_code, &result_code_string, &result_string);
325  
326      if (kerr == KRB5_KDC_UNREACH) {
327          return ERR_NETWORK_IO;
328 @@ -1217,7 +1225,7 @@ static errno_t changepw_child(struct krb
329          if (result_code_string.length > 0) {
330              DEBUG(SSSDBG_CRIT_FAILURE,
331                    "krb5_change_password failed [%d][%.*s].\n", result_code,
332 -                      result_code_string.length, result_code_string.data);
333 +                      (int) result_code_string.length, (char *) result_code_string.data);
334              user_error_message = talloc_strndup(kr->pd, result_code_string.data,
335                                                  result_code_string.length);
336              if (user_error_message == NULL) {
337 @@ -1225,10 +1233,10 @@ static errno_t changepw_child(struct krb
338              }
339          }
340  
341 -        if (result_string.length > 0 && result_string.data[0] != '\0') {
342 +        if (result_string.length > 0 && ((char *) result_string.data)[0] != '\0') {
343              DEBUG(SSSDBG_CRIT_FAILURE,
344                    "krb5_change_password failed [%d][%.*s].\n", result_code,
345 -                      result_string.length, result_string.data);
346 +                      (int) result_string.length, (char *) result_string.data);
347              talloc_free(user_error_message);
348              user_error_message = talloc_strndup(kr->pd, result_string.data,
349                                                  result_string.length);
350 @@ -1279,7 +1287,7 @@ static errno_t changepw_child(struct krb
351  
352      /* We changed some of the gic options for the password change, now we have
353       * to change them back to get a fresh TGT. */
354 -    revert_changepw_options(kr->options);
355 +    revert_changepw_options(kr->ctx, kr->options);
356  
357      kerr = get_and_save_tgt(kr, newpassword);
358  
359 @@ -1339,7 +1347,7 @@ static errno_t tgt_req_child(struct krb5
360                "Failed to unset expire callback, continue ...\n");
361      }
362  
363 -    set_changepw_options(kr->options);
364 +    set_changepw_options(kr->ctx, kr->options);
365      kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
366                                          discard_const(password),
367                                          sss_krb5_prompter, kr, 0,
368 @@ -1919,7 +1927,8 @@ static errno_t k5c_recv_data(struct krb5
369  static int k5c_setup_fast(struct krb5_req *kr, bool demand)
370  {
371      krb5_principal fast_princ_struct;
372 -    krb5_data *realm_data;
373 +    const char *realm_name;
374 +    int realm_length;
375      char *fast_principal_realm;
376      char *fast_principal;
377      krb5_error_code kerr;
378 @@ -1948,8 +1957,11 @@ static int k5c_setup_fast(struct krb5_re
379              return KRB5KRB_ERR_GENERIC;
380          }
381          free(tmp_str);
382 -        realm_data = krb5_princ_realm(kr->ctx, fast_princ_struct);
383 -        fast_principal_realm = talloc_asprintf(kr, "%.*s", realm_data->length, realm_data->data);
384 +        sss_krb5_princ_realm(kr->ctx, fast_princ_struct,
385 +                             &realm_name, &realm_length);
386 +
387 +        fast_principal_realm = talloc_asprintf(kr, "%.*s",
388 +                                               realm_length, realm_name);
389          if (!fast_principal_realm) {
390              DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
391              return ENOMEM;
392 @@ -2235,7 +2247,7 @@ static int k5c_setup(struct krb5_req *kr
393      }
394  
395      if (!offline) {
396 -        set_canonicalize_option(kr->options);
397 +        set_canonicalize_option(kr->ctx, kr->options);
398      }
399  
400  /* TODO: set options, e.g.
401 --- sssd-1.11.6/src/providers/krb5/krb5_common.c.orig   2014-06-03 16:31:33.000000000 +0200
402 +++ sssd-1.11.6/src/providers/krb5/krb5_common.c        2014-06-18 22:23:18.480672769 +0200
403 @@ -33,7 +33,7 @@
404  #include "providers/krb5/krb5_opts.h"
405  #include "providers/krb5/krb5_utils.h"
406  
407 -#ifdef HAVE_KRB5_CC_COLLECTION
408 +#ifdef HAVE_PROFILE_H
409  /* krb5 profile functions */
410  #include <profile.h>
411  #endif
412 @@ -91,7 +91,7 @@ done:
413      return ret;
414  }
415  
416 -#ifdef HAVE_KRB5_CC_COLLECTION
417 +#ifdef HAVE_PROFILE_H
418  /* source default_ccache_name from krb5.conf */
419  static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
420                                                char **ccname)
421 @@ -912,7 +912,7 @@ errno_t krb5_install_offline_callback(st
422  {
423      int ret;
424      struct remove_info_files_ctx *ctx;
425 -    const char *krb5_realm;
426 +    const char *krb5_realm_str;
427  
428      if (krb5_ctx->service == NULL || krb5_ctx->service->name == NULL) {
429          DEBUG(SSSDBG_CRIT_FAILURE, "Missing KDC service name!\n");
430 @@ -925,14 +925,14 @@ errno_t krb5_install_offline_callback(st
431          return ENOMEM;
432      }
433  
434 -    krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
435 -    if (krb5_realm == NULL) {
436 +    krb5_realm_str = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
437 +    if (krb5_realm_str == NULL) {
438          DEBUG(SSSDBG_CRIT_FAILURE, "Missing krb5_realm option!\n");
439          ret = EINVAL;
440          goto done;
441      }
442  
443 -    ctx->realm = talloc_strdup(ctx, krb5_realm);
444 +    ctx->realm = talloc_strdup(ctx, krb5_realm_str);
445      if (ctx->realm == NULL) {
446          DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
447          ret = ENOMEM;
448 @@ -967,19 +967,19 @@ done:
449  errno_t krb5_install_sigterm_handler(struct tevent_context *ev,
450                                       struct krb5_ctx *krb5_ctx)
451  {
452 -    const char *krb5_realm;
453 +    const char *krb5_realm_str;
454      char *sig_realm;
455      struct tevent_signal *sige;
456  
457      BlockSignals(false, SIGTERM);
458  
459 -    krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
460 -    if (krb5_realm == NULL) {
461 +    krb5_realm_str = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
462 +    if (krb5_realm_str == NULL) {
463          DEBUG(SSSDBG_CRIT_FAILURE, "Missing krb5_realm option!\n");
464          return EINVAL;
465      }
466  
467 -    sig_realm = talloc_strdup(krb5_ctx, krb5_realm);
468 +    sig_realm = talloc_strdup(krb5_ctx, krb5_realm_str);
469      if (sig_realm == NULL) {
470          DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
471          return ENOMEM;
472 --- sssd-1.11.6/src/providers/krb5/krb5_init.c.orig     2014-06-03 16:31:33.000000000 +0200
473 +++ sssd-1.11.6/src/providers/krb5/krb5_init.c  2014-06-18 22:43:53.080647036 +0200
474 @@ -64,7 +64,7 @@ int sssm_krb5_auth_init(struct be_ctx *b
475      const char *krb5_backup_servers;
476      const char *krb5_kpasswd_servers;
477      const char *krb5_backup_kpasswd_servers;
478 -    const char *krb5_realm;
479 +    const char *krb5_realm_str;
480      const char *errstr;
481      int errval;
482      int errpos;
483 @@ -103,15 +103,15 @@ int sssm_krb5_auth_init(struct be_ctx *b
484      krb5_servers = dp_opt_get_string(ctx->opts, KRB5_KDC);
485      krb5_backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC);
486  
487 -    krb5_realm = dp_opt_get_string(ctx->opts, KRB5_REALM);
488 -    if (krb5_realm == NULL) {
489 +    krb5_realm_str = dp_opt_get_string(ctx->opts, KRB5_REALM);
490 +    if (krb5_realm_str == NULL) {
491          DEBUG(SSSDBG_FATAL_FAILURE, "Missing krb5_realm option!\n");
492          return EINVAL;
493      }
494  
495      ret = krb5_service_init(ctx, bectx,
496                              SSS_KRB5KDC_FO_SRV, krb5_servers,
497 -                            krb5_backup_servers, krb5_realm,
498 +                            krb5_backup_servers, krb5_realm_str,
499                              dp_opt_get_bool(krb5_options->opts,
500                                              KRB5_USE_KDCINFO),
501                              &ctx->service);
502 @@ -138,7 +138,7 @@ int sssm_krb5_auth_init(struct be_ctx *b
503      } else {
504          ret = krb5_service_init(ctx, bectx,
505                                  SSS_KRB5KPASSWD_FO_SRV, krb5_kpasswd_servers,
506 -                                krb5_backup_kpasswd_servers, krb5_realm,
507 +                                krb5_backup_kpasswd_servers, krb5_realm_str,
508                                  dp_opt_get_bool(krb5_options->opts,
509                                                  KRB5_USE_KDCINFO),
510                                  &ctx->kpasswd_service);
511 --- sssd-1.12.3/src/providers/ldap/ldap_child.c.orig    2015-01-08 18:19:45.000000000 +0100
512 +++ sssd-1.12.3/src/providers/ldap/ldap_child.c 2015-01-12 16:27:54.035711695 +0100
513 @@ -99,7 +99,7 @@ static errno_t unpack_buffer(uint8_t *bu
514  
515      /* ticket lifetime */
516      SAFEALIGN_COPY_UINT32_CHECK(&ibuf->lifetime, buf + p, size, &p);
517 -    DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %u\n", ibuf->lifetime);
518 +    DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %ld\n", (long)(ibuf->lifetime));
519  
520      /* UID and GID to run as */
521      SAFEALIGN_COPY_UINT32_CHECK(&ibuf->uid, buf + p, size, &p);
522 @@ -386,7 +386,8 @@ static krb5_error_code ldap_child_get_tg
523          DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
524          canonicalize = 1;
525      }
526 -    sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
527 +    sss_krb5_get_init_creds_opt_set_canonicalize(context,
528 +                                                 &options, canonicalize);
529  
530      ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
531                                    DB_PATH, realm_name);
532 @@ -462,8 +463,7 @@ static krb5_error_code ldap_child_get_tg
533      }
534      DEBUG(SSSDBG_TRACE_INTERNAL, "credentials stored\n");
535  
536 -#ifdef HAVE_KRB5_GET_TIME_OFFSETS
537 -    krberr = krb5_get_time_offsets(context, &kdc_time_offset,
538 +    krberr = sss_krb5_get_time_offsets(context, &kdc_time_offset,
539              &kdc_time_offset_usec);
540      if (krberr) {
541          DEBUG(SSSDBG_OP_FAILURE, "Failed to get KDC time offset: %s\n",
542 @@ -475,10 +475,6 @@ static krb5_error_code ldap_child_get_tg
543          }
544      }
545      DEBUG(SSSDBG_TRACE_INTERNAL, "Got KDC time offset\n");
546 -#else
547 -    /* If we don't have this function, just assume no offset */
548 -    kdc_time_offset = 0;
549 -#endif
550  
551      DEBUG(SSSDBG_TRACE_INTERNAL,
552            "Renaming [%s] to [%s]\n", ccname_file_dummy, ccname_file);
553 --- sssd-1.11.6/src/providers/ldap/ldap_common.c.orig   2014-06-03 16:31:33.000000000 +0200
554 +++ sssd-1.11.6/src/providers/ldap/ldap_common.c        2014-06-19 07:33:38.193317867 +0200
555 @@ -1303,7 +1303,7 @@ done:
556  static const char *
557  sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
558  {
559 -    char *krb5_realm = NULL;
560 +    char *krb5_realm_str = NULL;
561      const char *realm = NULL;
562      krb5_error_code krberr;
563      krb5_context context = NULL;
564 @@ -1314,15 +1314,15 @@ sdap_gssapi_get_default_realm(TALLOC_CTX
565          goto done;
566      }
567  
568 -    krberr = krb5_get_default_realm(context, &krb5_realm);
569 +    krberr = krb5_get_default_realm(context, &krb5_realm_str);
570      if (krberr) {
571          DEBUG(SSSDBG_OP_FAILURE, "Failed to get default realm name: %s\n",
572                    sss_krb5_get_error_message(context, krberr));
573          goto done;
574      }
575  
576 -    realm = talloc_strdup(mem_ctx, krb5_realm);
577 -    krb5_free_default_realm(context, krb5_realm);
578 +    realm = talloc_strdup(mem_ctx, krb5_realm_str);
579 +    krb5_free_default_realm(context, krb5_realm_str);
580      if (!realm) {
581          DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory\n");
582          goto done;
583 @@ -1343,7 +1343,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
584      int ret;
585      const char *krb5_servers;
586      const char *krb5_backup_servers;
587 -    const char *krb5_realm;
588 +    const char *krb5_realm_str;
589      const char *krb5_opt_realm;
590      struct krb5_service *service = NULL;
591      TALLOC_CTX *tmp_ctx;
592 @@ -1358,16 +1358,16 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
593      if (krb5_opt_realm == NULL) {
594          DEBUG(SSSDBG_OP_FAILURE,
595                "Missing krb5_realm option, will use libkrb default\n");
596 -        krb5_realm = sdap_gssapi_get_default_realm(tmp_ctx);
597 -        if (krb5_realm == NULL) {
598 +        krb5_realm_str = sdap_gssapi_get_default_realm(tmp_ctx);
599 +        if (krb5_realm_str == NULL) {
600              DEBUG(SSSDBG_FATAL_FAILURE,
601                    "Cannot determine the Kerberos realm, aborting\n");
602              ret = EIO;
603              goto done;
604          }
605      } else {
606 -        krb5_realm = talloc_strdup(tmp_ctx, krb5_opt_realm);
607 -        if (krb5_realm == NULL) {
608 +        krb5_realm_str = talloc_strdup(tmp_ctx, krb5_opt_realm);
609 +        if (krb5_realm_str == NULL) {
610              ret = ENOMEM;
611              goto done;
612          }
613 @@ -1375,7 +1375,7 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
614  
615      ret = krb5_service_init(mem_ctx, bectx,
616                              SSS_KRB5KDC_FO_SRV, krb5_servers,
617 -                            krb5_backup_servers, krb5_realm,
618 +                            krb5_backup_servers, krb5_realm_str,
619                              dp_opt_get_bool(opts,
620                                              SDAP_KRB5_USE_KDCINFO),
621                              &service);
622 @@ -1384,14 +1384,14 @@ int sdap_gssapi_init(TALLOC_CTX *mem_ctx
623          goto done;
624      }
625  
626 -    ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm);
627 +    ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm_str);
628      if (ret != EOK) {
629          DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n");
630          goto done;
631      }
632  
633      ret = sdap_install_offline_callback(mem_ctx, bectx,
634 -                                        krb5_realm, SSS_KRB5KDC_FO_SRV);
635 +                                        krb5_realm_str, SSS_KRB5KDC_FO_SRV);
636      if (ret != EOK) {
637          DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n");
638          goto done;
639 diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
640 index 0c6b68b..102827e 100644
641 --- a/src/tests/krb5_child-test.c
642 +++ b/src/tests/krb5_child-test.c
643 @@ -290,17 +290,17 @@ child_done(struct tevent_req *req)
644  static void
645  printtime(krb5_timestamp ts)
646  {
647 +#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING
648      krb5_error_code kret;
649      char timestring[BUFSIZ];
650      char fill = '\0';
651  
652 -#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING
653      kret = krb5_timestamp_to_sfstring(ts, timestring, BUFSIZ, &fill);
654      if (kret) {
655          KRB5_CHILD_TEST_DEBUG(SSSDBG_OP_FAILURE, kret);
656      }
657      printf("%s", timestring);
658 -#else
659 +#elif defined(HAVE_KRB5_FORMAT_TIME)
660      printf("%s", ctime(&ts));
661  #endif /* HAVE_KRB5_TIMESTAMP_TO_SFSTRING */
662  }
663 @@ -333,8 +333,8 @@ print_creds(krb5_context kcontext, krb5_creds *cred, const char *defname)
664      }
665  
666  done:
667 -    krb5_free_unparsed_name(kcontext, name);
668 -    krb5_free_unparsed_name(kcontext, sname);
669 +    sss_krb5_free_unparsed_name(kcontext, name);
670 +    sss_krb5_free_unparsed_name(kcontext, sname);
671  }
672  
673  static errno_t
674 @@ -381,7 +381,7 @@ print_ccache(const char *cc)
675      ret = EOK;
676  done:
677      krb5_cc_close(kcontext, cache);
678 -    krb5_free_unparsed_name(kcontext, defname);
679 +    sss_krb5_free_unparsed_name(kcontext, defname);
680      krb5_free_principal(kcontext, princ);
681      krb5_free_context(kcontext);
682      return ret;
683 diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
684 index f8a7e6f..a954d10 100644
685 --- a/src/util/sss_krb5.c
686 +++ b/src/util/sss_krb5.c
687 @@ -484,7 +484,9 @@ void KRB5_CALLCONV sss_krb5_get_init_cre
688  
689  void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
690  {
691 -#ifdef HAVE_KRB5_FREE_UNPARSED_NAME
692 +#ifdef HAVE_KRB5_XFREE
693 +    krb5_xfree(name);
694 +#elif HAVE_KRB5_FREE_UNPARSED_NAME
695      krb5_free_unparsed_name(context, name);
696  #else
697      if (name != NULL) {
698 @@ -494,6 +496,15 @@ void KRB5_CALLCONV sss_krb5_free_unparse
699  #endif
700  }
701  
702 +void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val)
703 +{
704 +/* TODO: ensure at least on is available in krb5.m4 */
705 +#ifdef HAVE_KRB5_FREE_STRING
706 +    krb5_free_string(ctx, val);
707 +#elif HAVE_KRB5_XFREE
708 +    (void) krb5_xfree(val);
709 +#endif
710 +}
711  
712  krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_expire_callback(
713                                                     krb5_context context,
714 @@ -752,15 +763,16 @@ cleanup:
715  #endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */
716  }
717  
718 -void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
719 +void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx,
720 +                                                  krb5_get_init_creds_opt *opts,
721                                                    int canonicalize)
722  {
723 -    /* FIXME: The extra check for HAVE_KRB5_TICKET_TIMES is a workaround due to Heimdal
724 -     * defining krb5_get_init_creds_opt_set_canonicalize() with a different set of
725 -     * arguments. We should use a better configure check in the future.
726 -     */
727 -#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && defined(HAVE_KRB5_TICKET_TIMES)
728 +#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \
729 +    KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 2
730      krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
731 +#elif defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && \
732 +    KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 3
733 +    (void) krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);
734  #else
735      DEBUG(SSSDBG_OP_FAILURE, "Kerberos principal canonicalization is not available!\n");
736  #endif
737 @@ -1022,7 +1034,7 @@ done:
738              KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr);
739          }
740      }
741 -    krb5_free_string(ctx, tmp_ccname);
742 +    sss_krb5_free_string(ctx, tmp_ccname);
743  
744      return ret_ccname;
745  #else
746 @@ -1069,3 +1081,44 @@ krb5_error_code sss_krb5_kt_have_content
747      return 0;
748  #endif
749  }
750 +
751 +krb5_error_code KRB5_CALLCONV
752 +sss_krb5_unparse_name_ext(krb5_context ctx,
753 +                          krb5_const_principal principal,
754 +                          char **name,
755 +                          unsigned int *len)
756 +{
757 +    krb5_error_code kerr;
758 +
759 +#ifdef HAVE_KRB5_UNPARSE_NAME_EXT
760 +    kerr = krb5_unparse_name_ext(ctx, principal, name, len);
761 +#else
762 +    kerr = krb5_unparse_name(ctx, principal, name);
763 +    if (kerr == 0 && *name)
764 +        *len = strlen(*name);
765 +#endif /* HAVE_KRB5_UNPARSE_NAME_EXT */
766 +
767 +    return kerr;
768 +}
769 +
770 +krb5_error_code KRB5_CALLCONV
771 +sss_krb5_get_time_offsets(krb5_context ctx,
772 +                          krb5_timestamp *seconds,
773 +                          int32_t *microseconds)
774 +{
775 +#if defined(HAVE_KRB5_GET_TIME_OFFSETS)
776 +    return krb5_get_time_offsets(ctx, seconds, microseconds);
777 +#elif defined(HAVE_KRB5_GET_KDC_SEC_OFFSET)
778 +    int32_t _seconds;
779 +    krb5_error_code ret;
780 +
781 +    ret = krb5_get_kdc_sec_offset(ctx, &_seconds, microseconds);
782 +    *seconds = _seconds;
783 +    return ret;
784 +#else
785 +    (void) ctx;
786 +    *seconds = 0;
787 +    *microseconds = 0;
788 +    return 0;
789 +#endif
790 +}
791 diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
792 index db47e0a..c7b9a69 100644
793 --- a/src/util/sss_krb5.h
794 +++ b/src/util/sss_krb5.h
795 @@ -70,6 +70,8 @@ void KRB5_CALLCONV sss_krb5_get_init_cre
796  
797  void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name);
798  
799 +void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val);
800 +
801  krb5_error_code find_principal_in_keytab(krb5_context ctx,
802                                           krb5_keytab keytab,
803                                           const char *pattern_primary,
804 @@ -133,7 +135,8 @@ krb5_error_code
805  sss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
806                              int flags, char **name);
807  
808 -void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
809 +void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_context ctx,
810 +                                                  krb5_get_init_creds_opt *opts,
811                                                    int canonicalize);
812  
813  enum sss_krb5_cc_type {
814 @@ -164,6 +167,10 @@ typedef krb5_times sss_krb5_ticket_times
815  /* Redirect libkrb5 tracing towards our DEBUG statements */
816  errno_t sss_child_set_krb5_tracing(krb5_context ctx);
817  
818 +#ifndef HAVE_KRB5_AUTHDATATYPE
819 +typedef int32_t krb5_authdatatype;
820 +#endif
821 +
822  krb5_error_code sss_krb5_find_authdata(krb5_context context,
823                                         krb5_authdata *const *ticket_authdata,
824                                         krb5_authdata *const *ap_req_authdata,
825 @@ -189,4 +196,14 @@ sss_krb5_get_primary(TALLOC_CTX *mem_ctx
826  
827  krb5_error_code sss_krb5_kt_have_content(krb5_context context,
828                                           krb5_keytab keytab);
829 +
830 +krb5_error_code KRB5_CALLCONV
831 +sss_krb5_unparse_name_ext(krb5_context ctx,
832 +                          krb5_const_principal principal,
833 +                          char **name,
834 +                          unsigned int *len);
835 +krb5_error_code KRB5_CALLCONV
836 +sss_krb5_get_time_offsets(krb5_context ctx,
837 +                          krb5_timestamp *seconds,
838 +                          int32_t *microseconds);
839  #endif /* __SSS_KRB5_H__ */
840 --- sssd-1.12.3/src/providers/krb5/krb5_keytab.c.orig   2015-01-08 18:19:45.000000000 +0100
841 +++ sssd-1.12.3/src/providers/krb5/krb5_keytab.c        2015-01-12 18:14:26.452110024 +0100
842 @@ -25,6 +25,10 @@
843  #include "util/util.h"
844  #include "util/sss_krb5.h"
845  
846 +#ifndef MAX_KEYTAB_NAME_LEN
847 +#define MAX_KEYTAB_NAME_LEN 1100
848 +#endif
849 +
850  krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
851                                          char *inp_keytab_file,
852                                          char **_mem_name,
853 #--- sssd-1.11.4/src/external/pac_responder.m4.orig     2014-02-17 19:55:32.000000000 +0100
854 #+++ sssd-1.11.4/src/external/pac_responder.m4  2014-03-22 17:59:50.707675270 +0100
855 #@@ -21,7 +21,8 @@
856 #         Kerberos\ 5\ release\ 1.9* | \
857 #         Kerberos\ 5\ release\ 1.10* | \
858 #         Kerberos\ 5\ release\ 1.11* | \
859 #-        Kerberos\ 5\ release\ 1.12*)
860 #+        Kerberos\ 5\ release\ 1.12* | \
861 #+        heimdal\ *)
862 #             krb5_version_ok=yes
863 #             AC_MSG_RESULT([yes])
864 #             ;;
This page took 0.093282 seconds and 2 git commands to generate.