[ #ifdef HAVE_KRB5_KRB5_H
#include <krb5/krb5.h>
#else
-@@ -46,6 +46,7 @@ AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info], [], [],
+@@ -46,6 +46,7 @@ AC_CHECK_TYPES([krb5_ticket_times, krb5_
#endif
])
AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
krb5_free_unparsed_name \
krb5_get_init_creds_opt_set_expire_callback \
krb5_get_init_creds_opt_set_fast_ccache_name \
-@@ -59,12 +60,33 @@ AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
- krb5_kt_free_entry \
- krb5_princ_realm \
- krb5_get_time_offsets \
-+ krb5_get_kdc_sec_offset \
- krb5_principal_get_realm \
- krb5_cc_cache_match \
- krb5_timestamp_to_sfstring \
+@@ -65,7 +66,28 @@ AC_CHECK_FUNCS([krb5_get_init_creds_opt_
krb5_set_trace_callback \
krb5_find_authdata \
-- krb5_cc_get_full_name])
-+ krb5_cc_get_full_name \
+ krb5_kt_have_content \
++ krb5_get_kdc_sec_offset \
+ krb5_free_string \
-+ krb5_xfree])
++ krb5_xfree \
+ krb5_cc_get_full_name])
+
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifdef HAVE_KRB5_KRB5_H
+ #include <krb5/krb5.h>
+
CFLAGS=$SAVE_CFLAGS
LIBS=$SAVE_LIBS
-
+ CFLAGS="$CFLAGS $KRB5_CFLAGS"
diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
index 725687d..586c7dd 100644
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
/* Set flag that controls whether we want to write the
* kdcinfo files at all
---- sssd-1.12.0/src/providers/krb5/krb5_child.c.orig 2014-07-09 19:44:02.000000000 +0200
-+++ sssd-1.12.0/src/providers/krb5/krb5_child.c 2014-07-15 22:14:25.585419861 +0200
-@@ -117,7 +117,7 @@ static krb5_error_code set_lifetime_opti
+--- sssd-1.12.3/src/providers/krb5/krb5_child.c.orig 2015-01-08 18:19:45.000000000 +0100
++++ sssd-1.12.3/src/providers/krb5/krb5_child.c 2015-01-12 16:19:43.242398934 +0100
+@@ -133,7 +133,7 @@ static krb5_error_code set_lifetime_opti
return 0;
}
{
int canonicalize = 0;
char *tmp_str;
-@@ -128,23 +128,23 @@ static void set_canonicalize_option(krb5
+@@ -144,23 +144,23 @@ static void set_canonicalize_option(krb5
}
DEBUG(SSSDBG_CONF_SETTINGS, "%s is set to [%s]\n",
SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set");
/* Currently we do not set forwardable and proxiable explicitly, the flags
* must be removed so that libkrb5 can take the defaults from krb5.conf */
-@@ -158,6 +158,7 @@ static void revert_changepw_options(krb5
+@@ -174,6 +174,7 @@ static void revert_changepw_options(krb5
}
static errno_t sss_send_pac(krb5_authdata **pac_authdata)
{
struct sss_cli_req_data sss_data;
-@@ -177,6 +178,7 @@ static errno_t sss_send_pac(krb5_authdat
+@@ -193,6 +194,7 @@ static errno_t sss_send_pac(krb5_authdat
return EOK;
}
static void sss_krb5_expire_callback_func(krb5_context context, void *data,
krb5_timestamp password_expiration,
-@@ -468,7 +470,8 @@ static krb5_error_code create_empty_cred
+@@ -484,7 +486,8 @@ static krb5_error_code create_empty_cred
{
krb5_error_code kerr;
krb5_creds *cred = NULL;
cred = calloc(sizeof(krb5_creds), 1);
if (cred == NULL) {
-@@ -482,12 +485,12 @@ static krb5_error_code create_empty_cred
+@@ -498,12 +501,12 @@ static krb5_error_code create_empty_cred
goto done;
}
if (kerr != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_build_principal_ext failed.\n");
goto done;
-@@ -746,7 +749,8 @@ static errno_t add_ticket_times_and_upn_
+@@ -762,7 +765,8 @@ static errno_t add_ticket_times_and_upn_
goto done;
}
if (kerr != 0) {
DEBUG(SSSDBG_OP_FAILURE, "krb5_unparse_name failed.\n");
goto done;
-@@ -754,7 +758,7 @@ static errno_t add_ticket_times_and_upn_
+@@ -770,7 +774,7 @@ static errno_t add_ticket_times_and_upn_
ret = pam_add_response(kr->pd, SSS_KRB5_INFO_UPN, upn_len,
(uint8_t *) upn);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
goto done;
-@@ -776,7 +780,9 @@ static krb5_error_code validate_tgt(stru
+@@ -792,7 +796,9 @@ static krb5_error_code validate_tgt(stru
krb5_principal validation_princ = NULL;
bool realm_entry_found = false;
krb5_ccache validation_ccache = NULL;
memset(&keytab, 0, sizeof(keytab));
kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
-@@ -870,6 +876,7 @@ static krb5_error_code validate_tgt(stru
+@@ -886,6 +892,7 @@ static krb5_error_code validate_tgt(stru
goto done;
}
/* Try to find and send the PAC to the PAC responder.
* Failures are not critical. */
if (kr->send_pac) {
-@@ -892,6 +899,7 @@ static krb5_error_code validate_tgt(stru
+@@ -908,6 +915,7 @@ static krb5_error_code validate_tgt(stru
kerr = 0;
}
}
done:
if (validation_ccache != NULL) {
-@@ -927,7 +935,7 @@ static krb5_error_code get_and_save_tgt_
+@@ -943,7 +951,7 @@ static krb5_error_code get_and_save_tgt_
krb5_get_init_creds_opt_set_address_list(&options, NULL);
krb5_get_init_creds_opt_set_forwardable(&options, 0);
krb5_get_init_creds_opt_set_proxiable(&options, 0);
kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
&options);
-@@ -1110,7 +1118,7 @@ static errno_t changepw_child(struct krb
+@@ -1149,7 +1157,7 @@ static errno_t changepw_child(struct krb
prompter = sss_krb5_prompter;
}
- set_changepw_options(kr->options);
+ set_changepw_options(kr->ctx, kr->options);
sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
-
- DEBUG(SSSDBG_TRACE_FUNC,
-@@ -1158,9 +1166,9 @@ static errno_t changepw_child(struct krb
+ if (realm_length == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n");
+@@ -1201,9 +1209,9 @@ static errno_t changepw_child(struct krb
memset(&result_code_string, 0, sizeof(krb5_data));
memset(&result_string, 0, sizeof(krb5_data));
if (kerr == KRB5_KDC_UNREACH) {
return ERR_NETWORK_IO;
-@@ -1174,7 +1182,7 @@ static errno_t changepw_child(struct krb
+@@ -1217,7 +1225,7 @@ static errno_t changepw_child(struct krb
if (result_code_string.length > 0) {
DEBUG(SSSDBG_CRIT_FAILURE,
"krb5_change_password failed [%d][%.*s].\n", result_code,
user_error_message = talloc_strndup(kr->pd, result_code_string.data,
result_code_string.length);
if (user_error_message == NULL) {
-@@ -1182,10 +1190,10 @@ static errno_t changepw_child(struct krb
+@@ -1225,10 +1233,10 @@ static errno_t changepw_child(struct krb
}
}
talloc_free(user_error_message);
user_error_message = talloc_strndup(kr->pd, result_string.data,
result_string.length);
-@@ -1228,7 +1236,7 @@ static errno_t changepw_child(struct krb
+@@ -1279,7 +1287,7 @@ static errno_t changepw_child(struct krb
/* We changed some of the gic options for the password change, now we have
* to change them back to get a fresh TGT. */
kerr = get_and_save_tgt(kr, newpassword);
-@@ -1288,7 +1296,7 @@ static errno_t tgt_req_child(struct krb5
+@@ -1339,7 +1347,7 @@ static errno_t tgt_req_child(struct krb5
"Failed to unset expire callback, continue ...\n");
}
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
discard_const(password),
sss_krb5_prompter, kr, 0,
-@@ -1766,7 +1774,8 @@ static errno_t k5c_recv_data(struct krb5
+@@ -1919,7 +1927,8 @@ static errno_t k5c_recv_data(struct krb5
static int k5c_setup_fast(struct krb5_req *kr, bool demand)
{
krb5_principal fast_princ_struct;
char *fast_principal_realm;
char *fast_principal;
krb5_error_code kerr;
-@@ -1794,8 +1803,11 @@ static int k5c_setup_fast(struct krb5_re
+@@ -1948,8 +1957,11 @@ static int k5c_setup_fast(struct krb5_re
return KRB5KRB_ERR_GENERIC;
}
free(tmp_str);
if (!fast_principal_realm) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
return ENOMEM;
-@@ -1929,7 +1941,7 @@ static int k5c_setup(struct krb5_req *kr
+@@ -2235,7 +2247,7 @@ static int k5c_setup(struct krb5_req *kr
}
if (!offline) {
- set_canonicalize_option(kr->options);
+ set_canonicalize_option(kr->ctx, kr->options);
+ }
- use_fast_str = getenv(SSSD_KRB5_USE_FAST);
- if (use_fast_str == NULL || strcasecmp(use_fast_str, "never") == 0) {
+ /* TODO: set options, e.g.
--- sssd-1.11.6/src/providers/krb5/krb5_common.c.orig 2014-06-03 16:31:33.000000000 +0200
+++ sssd-1.11.6/src/providers/krb5/krb5_common.c 2014-06-18 22:23:18.480672769 +0200
@@ -33,7 +33,7 @@
dp_opt_get_bool(krb5_options->opts,
KRB5_USE_KDCINFO),
&ctx->kpasswd_service);
---- sssd-1.11.6/src/providers/ldap/ldap_child.c.orig 2014-06-03 16:31:33.000000000 +0200
-+++ sssd-1.11.6/src/providers/ldap/ldap_child.c 2014-06-19 07:25:44.383327744 +0200
-@@ -97,7 +97,7 @@ static errno_t unpack_buffer(uint8_t *bu
+--- sssd-1.12.3/src/providers/ldap/ldap_child.c.orig 2015-01-08 18:19:45.000000000 +0100
++++ sssd-1.12.3/src/providers/ldap/ldap_child.c 2015-01-12 16:27:54.035711695 +0100
+@@ -99,7 +99,7 @@ static errno_t unpack_buffer(uint8_t *bu
/* ticket lifetime */
- SAFEALIGN_COPY_INT32_CHECK(&ibuf->lifetime, buf + p, size, &p);
-- DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %d\n", ibuf->lifetime);
-+ DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %d\n", (int)ibuf->lifetime);
+ SAFEALIGN_COPY_UINT32_CHECK(&ibuf->lifetime, buf + p, size, &p);
+- DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %u\n", ibuf->lifetime);
++ DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %ld\n", (long)(ibuf->lifetime));
- return EOK;
- }
-@@ -310,7 +310,8 @@ static krb5_error_code ldap_child_get_tg
+ /* UID and GID to run as */
+ SAFEALIGN_COPY_UINT32_CHECK(&ibuf->uid, buf + p, size, &p);
+@@ -386,7 +386,8 @@ static krb5_error_code ldap_child_get_tg
DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
canonicalize = 1;
}
+ sss_krb5_get_init_creds_opt_set_canonicalize(context,
+ &options, canonicalize);
- krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
- keytab, 0, NULL, &options);
-@@ -343,8 +344,7 @@ static krb5_error_code ldap_child_get_tg
+ ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
+ DB_PATH, realm_name);
+@@ -462,8 +463,7 @@ static krb5_error_code ldap_child_get_tg
}
DEBUG(SSSDBG_TRACE_INTERNAL, "credentials stored\n");
&kdc_time_offset_usec);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to get KDC time offset: %s\n",
-@@ -356,10 +356,6 @@ static krb5_error_code ldap_child_get_tg
+@@ -475,10 +475,6 @@ static krb5_error_code ldap_child_get_tg
}
}
DEBUG(SSSDBG_TRACE_INTERNAL, "Got KDC time offset\n");
- kdc_time_offset = 0;
-#endif
- krberr = 0;
- *ccname_out = ccname;
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Renaming [%s] to [%s]\n", ccname_file_dummy, ccname_file);
--- sssd-1.11.6/src/providers/ldap/ldap_common.c.orig 2014-06-03 16:31:33.000000000 +0200
+++ sssd-1.11.6/src/providers/ldap/ldap_common.c 2014-06-19 07:33:38.193317867 +0200
@@ -1303,7 +1303,7 @@ done:
index f8a7e6f..a954d10 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
-@@ -535,7 +535,9 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
+@@ -484,7 +484,9 @@ void KRB5_CALLCONV sss_krb5_get_init_cre
void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
{
krb5_free_unparsed_name(context, name);
#else
if (name != NULL) {
-@@ -545,6 +547,15 @@ void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
+@@ -494,6 +496,15 @@ void KRB5_CALLCONV sss_krb5_free_unparse
#endif
}
krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_expire_callback(
krb5_context context,
-@@ -800,15 +811,16 @@ cleanup:
+@@ -752,15 +763,16 @@ cleanup:
#endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */
}
+ KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_ARGS == 3
+ (void) krb5_get_init_creds_opt_set_canonicalize(ctx, opts, canonicalize);
#else
- DEBUG(SSSDBG_OP_FAILURE, ("Kerberos principal canonicalization is not available!\n"));
+ DEBUG(SSSDBG_OP_FAILURE, "Kerberos principal canonicalization is not available!\n");
#endif
-@@ -1063,10 +1075,51 @@ done:
+@@ -1022,7 +1034,7 @@ done:
KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr);
}
}
return ret_ccname;
#else
- return NULL;
- #endif /* HAVE_KRB5_CC_COLLECTION */
+@@ -1069,3 +1081,44 @@ krb5_error_code sss_krb5_kt_have_content
+ return 0;
+ #endif
}
+
+krb5_error_code KRB5_CALLCONV
+ return 0;
+#endif
+}
-diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
-index db47e0a..c7b9a69 100644
---- a/src/util/sss_krb5.h
-+++ b/src/util/sss_krb5.h
-@@ -70,6 +70,8 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
+--- sssd-1.13.4/src/util/sss_krb5.h~ 2016-05-01 12:23:18.000000000 +0300
++++ sssd-1.13.4/src/util/sss_krb5.h 2016-05-01 12:24:04.615247459 +0300
+@@ -70,6 +70,8 @@ void KRB5_CALLCONV sss_krb5_get_init_cre
void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name);
+void KRB5_CALLCONV sss_krb5_free_string(krb5_context ctx, char *val);
+
- int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
- krb5_context context, krb5_keytab keytab);
-
-@@ -136,7 +138,8 @@ krb5_error_code
+ krb5_error_code find_principal_in_keytab(krb5_context ctx,
+ krb5_keytab keytab,
+ const char *pattern_primary,
+@@ -133,7 +135,8 @@ krb5_error_code
sss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
int flags, char **name);
int canonicalize);
enum sss_krb5_cc_type {
-@@ -167,6 +170,10 @@ typedef krb5_times sss_krb5_ticket_times;
+@@ -164,6 +167,10 @@ typedef krb5_times sss_krb5_ticket_times
/* Redirect libkrb5 tracing towards our DEBUG statements */
errno_t sss_child_set_krb5_tracing(krb5_context ctx);
krb5_error_code sss_krb5_find_authdata(krb5_context context,
krb5_authdata *const *ticket_authdata,
krb5_authdata *const *ap_req_authdata,
-@@ -184,4 +191,14 @@ char * sss_get_ccache_name_for_principal(TALLOC_CTX *mem_ctx,
- krb5_context ctx,
- krb5_principal principal,
- const char *location);
+@@ -193,4 +193,14 @@
+ krb5_keytab keytab);
+
+ bool sss_krb5_realm_has_proxy(const char *realm);
+
+krb5_error_code KRB5_CALLCONV
+sss_krb5_unparse_name_ext(krb5_context ctx,
+ krb5_timestamp *seconds,
+ int32_t *microseconds);
#endif /* __SSS_KRB5_H__ */
+--- sssd-1.12.3/src/providers/krb5/krb5_keytab.c.orig 2015-01-08 18:19:45.000000000 +0100
++++ sssd-1.12.3/src/providers/krb5/krb5_keytab.c 2015-01-12 18:14:26.452110024 +0100
+@@ -25,6 +25,10 @@
+ #include "util/util.h"
+ #include "util/sss_krb5.h"
+
++#ifndef MAX_KEYTAB_NAME_LEN
++#define MAX_KEYTAB_NAME_LEN 1100
++#endif
++
+ krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
+ char *inp_keytab_file,
+ char **_mem_name,
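Review bot: The fallback `#define MAX_KEYTAB_NAME_LEN 1100` added to krb5_keytab.c is an undocumented magic number; nothing in the hunk says whether 1100 is arbitrary or is meant to mirror the limit that MIT krb5 exports from krb5.h, which is what the `#ifndef` guard suggests. A one-line comment above the guard, `/* MIT krb5 exports MAX_KEYTAB_NAME_LEN (1100) from krb5.h; Heimdal does not, so supply the same limit here */`, would tell a maintainer that the value must track the library's definition rather than be tuned locally. If copy_keytab_into_memory, whose body begins after the hunk, uses this constant to size a buffer that is then handed to krb5_kt_get_name or a similar call, the size argument should be `sizeof(buf)` rather than the macro so the two cannot drift apart under either library.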
#--- sssd-1.11.4/src/external/pac_responder.m4.orig 2014-02-17 19:55:32.000000000 +0100
#+++ sssd-1.11.4/src/external/pac_responder.m4 2014-03-22 17:59:50.707675270 +0100
#@@ -21,7 +21,8 @@